Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-09-2024 21:01

General

  • Target

    ee6a0423ca9a7940c286a470d2db0a43_JaffaCakes118.exe

  • Size

    120KB

  • MD5

    ee6a0423ca9a7940c286a470d2db0a43

  • SHA1

    5e9e110597d77b2e40e9e4b8a253eb5fb20a085d

  • SHA256

    14d150a2ea315ad6ebe5b0f6cf2093d474636c3ed7af97f5f322f56194077bf9

  • SHA512

    b71979e80ba0efc858712e2b5cf17568b5b57d7a6dc34435eedb344eaee1194fb01e7647fe6679c4c7e4c45096c3d3a3c19ba9476ecfd7fa5b93e522dab9b1ca

  • SSDEEP

    3072:Z9mQrWSB/WM+dCB+IF1G6sT11I0E9TAUQ+iU2r2:Z9USBOMNBNF1cxy0E9TAUQ+iU2r2

Malware Config

Extracted

Family

gootkit

Botnet

308

C2

waabitii.com

buyyou.org

pep.hheadz4life.com

trktrk.org

fields.mobi

Attributes
  • vendor_id

    308

Signatures

  • Gootkit

    Gootkit is a banking trojan, large parts of which are written in Node.js.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee6a0423ca9a7940c286a470d2db0a43_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ee6a0423ca9a7940c286a470d2db0a43_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4976
    • C:\Windows\SysWOW64\mstsc.exe
      C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\ee6a0423ca9a7940c286a470d2db0a43_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4548
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240616500.bat" "C:\Users\Admin\AppData\Local\Temp\ee6a0423ca9a7940c286a470d2db0a43_JaffaCakes118.exe""
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2928
        • C:\Windows\SysWOW64\attrib.exe
          attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\ee6a0423ca9a7940c286a470d2db0a43_JaffaCakes118.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:452

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\240616500.bat

    Filesize

    76B

    MD5

    d7421dbe53eeffddd43493ded63d1716

    SHA1

    c67cff4fdf133586da5e904699baaa990e12a1f3

    SHA256

    26ae587a3d64bb3489e26210c780f3795b9f47bd96c19a48e8177b23ef472e7e

    SHA512

    b1aa9289e2acb1c329c24e3a4fb4333e64a6827c6a0c484e249a2d6f6f650830e2334f8eed4b21fd4b02b6529c030d15900600f5055c43893785a8cbea1d926d

  • memory/4548-0-0x0000000000AC0000-0x0000000000AE0000-memory.dmp

    Filesize

    128KB

  • memory/4548-4-0x0000000000AC0000-0x0000000000AE0000-memory.dmp

    Filesize

    128KB