Analysis Overview
SHA256
1682191efebbd5f83a9fdd30eb78597652f17ef104a16afd9ba0c12bd284d531
Threat Level: Known bad
The file 00517ee380c252f61e003a91c6dda87d_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gozi
Deletes itself
Executes dropped EXE
Loads dropped DLL
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Of the signatures listed, System Location Discovery: System Language Discovery carries an ATT&CK technique name (T1614.001); the matrix view itself is not reproduced here.
Analysis: static1
Detonation Overview
Reported
2024-09-30 08:08
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
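The two static1 signatures, UPX packed file and Unsigned PE, can be reproduced from the PE headers alone. The script below is an added example for this page, not the sandbox's own detection logic: it parses just enough of a PE32/PE32+ file to read the section table, the entry point and the Certificate Table data directory, then applies the usual UPX heuristics (UPX0/UPX1 section names, the UPX! marker, a first section that is empty on disk but large in memory with the entry point in a later section). The two PEs it inspects are constructed in memory so the script runs offline; the 0x46A000 virtual size of the constructed UPX0 section mirrors the 0x400000-0x86A000 region dumped in the behavioral runs below, nothing else about them is taken from the sample.

```python
"""Static triage for the static1 signatures: UPX packing, missing Authenticode.
Added example; not sandbox code.  Inputs are constructed PEs, not the sample."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # data-directory slot of the Certificate Table


def parse_pe(data: bytes) -> dict:
    """Read entry point, Certificate Table entry and section table of a PE32/PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = {0x10B: 96, 0x20B: 112}.get(magic)      # PE32 / PE32+ data directories
    if dd_base is None:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    cert_off, cert_size = struct.unpack_from(
        "<II", data, opt + dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        vsize, vaddr, rawsize = struct.unpack_from("<III", data, off + 8)
        sections.append({"name": data[off:off + 8].rstrip(b"\0").decode("latin-1"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize})
    return {"entry_rva": entry_rva, "cert_off": cert_off,
            "cert_size": cert_size, "sections": sections}


def upx_indicators(pe: dict, data: bytes) -> list:
    """Evidence of UPX packing; empty list means no heuristic fired."""
    hits, secs = [], pe["sections"]
    if any(s["name"].upper().startswith("UPX") for s in secs):
        hits.append("UPX section names: " + ", ".join(s["name"] for s in secs))
    if b"UPX!" in data:                                # UPX's own header magic
        hits.append("'UPX!' marker present")
    if secs:
        # Packer layout: first section has no raw data (unpack destination) and
        # the entry point lives in a later section holding the stub.
        first, ep = secs[0], pe["entry_rva"]
        ep_sec = next((s for s in secs if s["vaddr"] <= ep <
                       s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
        if first["rawsize"] == 0 and first["vsize"] and ep_sec not in (None, first):
            hits.append(f"entry {ep:#x} in {ep_sec['name']}; {first['name']} is "
                        f"{first['vsize']:#x} bytes with no file backing")
    return hits


def is_signed(pe: dict) -> bool:
    """A populated Certificate Table only means a signature blob is present;
    chain validity is a separate check (signtool verify, Get-AuthenticodeSignature)."""
    return pe["cert_off"] > 0 and pe["cert_size"] > 0


def triage(data: bytes) -> dict:
    pe = parse_pe(data)
    return {"upx": upx_indicators(pe, data), "signed": is_signed(pe)}


def build_pe(sections, cert_size=0, entry_rva=0x1000) -> bytes:
    """Construct a minimal, non-loadable PE32 from (name, vsize, vaddr, raw_bytes)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, 0x400000)                      # ImageBase
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    hdrs, body, raw_ptr = b"", b"", 0x400                          # raw data from 0x400
    for name, vsize, vaddr, raw in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, len(raw),
                            raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        body, raw_ptr = body + raw, raw_ptr + len(raw)
    if cert_size:                                                  # file offset, not RVA
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, raw_ptr, cert_size)
        body += bytes(cert_size)
    return (dos + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(0x400, b"\0") + body


# Constructed: UPX-like layout, unsigned.  UPX0 is zero-backed, UPX1 holds stub+data.
UPX_LIKE = build_pe([("UPX0", 0x46A000, 0x1000, b""),
                     ("UPX1", 0x2000, 0x46B000, b"UPX!" + bytes(0x1FC)),
                     (".rsrc", 0x1000, 0x46D000, bytes(0x200))], entry_rva=0x46B100)
# Constructed: ordinary layout with a 0x800-byte certificate blob.
PLAIN = build_pe([(".text", 0x1000, 0x1000, bytes(0x200)),
                  (".data", 0x1000, 0x2000, bytes(0x200))], cert_size=0x800)

if __name__ == "__main__":
    for label, blob in (("upx-like", UPX_LIKE), ("plain", PLAIN)):
        print(label, triage(blob))
```

Run it against a real file with `triage(open(path, "rb").read())`. Note that `is_signed` answers only "is there a signature blob", which is what an Unsigned PE signature tests; a present but revoked, expired or forged signature still needs chain validation.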
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-30 08:08
Reported
2024-09-30 08:10
Platform
win7-20240708-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2360 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe |
| PID 2360 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe |
| PID 2360 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe |
| PID 2360 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | publisher.linkvertise.com | udp |
| US | 104.22.22.72:443 | publisher.linkvertise.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | linkvertise.com | udp |
| US | 104.22.22.72:443 | linkvertise.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.22:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 2.17.5.133:80 | www.microsoft.com | tcp |
Files
memory/2360-0-0x0000000000400000-0x000000000086A000-memory.dmp
memory/2360-1-0x0000000000400000-0x00000000005F2000-memory.dmp
memory/2360-3-0x0000000000260000-0x0000000000372000-memory.dmp
\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe
| MD5 | ec8b98b7f4d9fb7ece239180de91720a |
| SHA1 | 949ffdafaeca1d13b1cd5a4d481832f984091aaf |
| SHA256 | 43a4e9435affabf405e406850256e0f8e270147978a4d7a97d0afe37e65905fe |
| SHA512 | 1fa2908b3c4e3be0f092946c78168ab5add8f88de535b68b0f3f294fd1d0f16baa425dd26efa044f0cf3305db1efc333a9207d74680222707ef64b44c1d48f53 |
memory/2396-17-0x0000000000400000-0x000000000086A000-memory.dmp
memory/2396-18-0x0000000000260000-0x0000000000372000-memory.dmp
memory/2360-15-0x0000000003680000-0x0000000003AEA000-memory.dmp
memory/2360-14-0x0000000000400000-0x00000000005F2000-memory.dmp
memory/2396-19-0x0000000000400000-0x00000000005F2000-memory.dmp
memory/2396-41-0x0000000000400000-0x000000000086A000-memory.dmp
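Read together, the behavioral signatures describe one chain: the sample starts a second copy of itself (Executes dropped EXE; the dropped file at the same path has a different SHA256 than the submitted sample, so the file was rewritten first), the parent unmaps the child's main image (UnmapMainImage) and then writes into it (PID 2360 wrote to memory of 2396, four times), and the child's region at 0x400000 shrinks from 0x46A000 bytes (dump 2396-17) to 0x1F2000 bytes (dump 2396-19). That is the shape of process hollowing. The function below is an added example, not the sandbox's own logic, and serves both this run and behavioral2 (PID 4340 writing to 1172): it correlates a stream of events into a finding. The event records and their field names are constructed here from the PIDs, path and region sizes the report lists; they are not the sandbox's log format.

```python
"""Correlate sandbox events into a process-hollowing finding.  Added example
for this page; event records are constructed from the report's PIDs, path and
memory regions, and the field names are this example's own."""
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe"

# Constructed from behavioral1: self-spawn, unmap, four writes, and the child's
# image region at 0x400000 going from 0x46A000 to 0x1F2000 bytes between dumps.
EVENTS = [
    {"ev": "process_create", "pid": 2360, "image": SAMPLE,
     "child": 2396, "child_image": SAMPLE, "child_base": 0x400000},
    {"ev": "unmap_main_image", "pid": 2360, "target": 2396},
    *[{"ev": "write_process_memory", "pid": 2360, "target": 2396}] * 4,
    {"ev": "memory_region", "pid": 2396, "seq": 17, "start": 0x400000, "end": 0x86A000},
    {"ev": "memory_region", "pid": 2396, "seq": 19, "start": 0x400000, "end": 0x5F2000},
]

# Constructed negative: writes into a child without unmapping its image (what a
# debugger or a launcher patching a helper does) must not produce a finding.
BENIGN = [
    {"ev": "process_create", "pid": 900, "image": r"C:\Tools\dbg.exe", "child": 901,
     "child_image": r"C:\Windows\System32\notepad.exe", "child_base": 0x7FF600000000},
    *[{"ev": "write_process_memory", "pid": 900, "target": 901}] * 2,
]


def detect_hollowing(events):
    """One finding per child whose main image the parent unmapped and then wrote to.
    Whether the child is a copy of the parent (as here) or a legitimate system
    binary is recorded as self_copy but is not a condition."""
    spawns, unmapped = {}, set()
    writes, regions = defaultdict(int), defaultdict(list)
    for e in events:
        if e["ev"] == "process_create":
            spawns[e["child"]] = e
        elif e["ev"] == "unmap_main_image":
            unmapped.add((e["pid"], e["target"]))
        elif e["ev"] == "write_process_memory":
            writes[(e["pid"], e["target"])] += 1
        elif e["ev"] == "memory_region":
            regions[e["pid"]].append((e["seq"], e["start"], e["end"] - e["start"]))
    findings = []
    for child, sp in spawns.items():
        key = (sp["pid"], child)
        if key not in unmapped or not writes[key]:
            continue
        # Sizes of the region at the child's image base, in dump order.  A change
        # means the original mapping was replaced, not merely patched in place.
        sizes = [sz for _, start, sz in sorted(regions[child]) if start == sp["child_base"]]
        findings.append({
            "parent": sp["pid"], "child": child, "image": sp["child_image"],
            "self_copy": sp["image"].lower() == sp["child_image"].lower(),
            "writes": writes[key], "image_sizes": sizes,
            "image_replaced": len(set(sizes)) > 1,
        })
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(EVENTS):
        print(f)
    print("benign:", detect_hollowing(BENIGN))
```

The unmap is what separates hollowing from ordinary cross-process writes, so it is the condition; the region-size change is corroboration that the unpacked payload (0x1F2000 bytes) replaced the UPX-packed image (0x46A000 bytes) rather than being written alongside it. The same logic fires on behavioral2 by substituting PIDs 4340 and 1172 and the regions dumped there.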
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-30 08:08
Reported
2024-09-30 08:10
Platform
win10v2004-20240802-en
Max time kernel
95s
Max time network
136s
Command Line
Signatures
Gozi
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4340 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe |
| PID 4340 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe |
| PID 4340 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | publisher.linkvertise.com | udp |
| US | 104.22.23.72:443 | publisher.linkvertise.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.23.22.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
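The network tables of both runs mix three kinds of rows: DNS queries to 8.8.8.8, reverse (in-addr.arpa) lookups that only the Windows 10 run produced, and the TCP connections themselves, some of which (c.pki.goog, crl.microsoft.com, www.microsoft.com) are certificate-revocation and update traffic that a Windows VM generates regardless of the sample. The script below is an added example for this page, not sandbox code: it decodes the PTR names back into addresses, separates allowlisted infrastructure from the destinations the sample drove (zipansion.com and publisher.linkvertise.com), and lists addresses that were resolved in reverse but have no connection row. ROWS is the behavioral2 table transcribed above; INFRA_SUFFIXES is an analyst allowlist assumed here and not something the report states.

```python
"""Split a sandbox network table into sample IOCs, infrastructure noise and
reverse-resolved addresses.  Added example; ROWS is the behavioral2 table,
INFRA_SUFFIXES is an assumed allowlist."""
import ipaddress

ROWS = [
    ("US", "8.8.8.8:53", "217.106.137.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "zipansion.com", "udp"),
    ("US", "172.67.144.180:80", "zipansion.com", "tcp"),
    ("US", "8.8.8.8:53", "publisher.linkvertise.com", "udp"),
    ("US", "104.22.23.72:443", "publisher.linkvertise.com", "tcp"),
    ("US", "8.8.8.8:53", "c.pki.goog", "udp"),
    ("GB", "142.250.187.227:80", "c.pki.goog", "tcp"),
    ("US", "8.8.8.8:53", "180.144.67.172.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.214.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "72.23.22.104.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "227.187.250.142.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "2.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "209.205.72.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "241.150.49.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "183.59.114.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "171.39.242.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "14.227.111.52.in-addr.arpa", "udp"),
]

# Certificate-revocation / update endpoints a Windows VM contacts on its own.
# Assumed allowlist for this example; tune it per sandbox image.
INFRA_SUFFIXES = ("pki.goog", "microsoft.com", "windowsupdate.com")


def ptr_to_ip(name: str):
    """'180.144.67.172.in-addr.arpa' -> '172.67.144.180'; None for non-PTR names."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def is_infra(domain: str) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in INFRA_SUFFIXES)


def triage_network(rows):
    """Return sample IOCs as (domain, ip, port), allowlisted domains, and
    addresses seen only via reverse lookup."""
    connects, lookups, reverse = {}, set(), set()
    for _country, dest, domain, proto in rows:
        ip, port = dest.rsplit(":", 1)
        if proto == "udp" and port == "53":        # a query, not a destination
            rip = ptr_to_ip(domain)
            if rip:
                reverse.add(rip)
            else:
                lookups.add(domain)
            continue
        connects.setdefault(ip, set()).add((int(port), domain))
    seen = lookups | {d for s in connects.values() for _, d in s}
    iocs = sorted((dom, ip, port) for ip, s in connects.items()
                  for port, dom in s if not is_infra(dom))
    noise = sorted(d for d in seen if is_infra(d))
    # Resolved in reverse by the VM but with no connection row in the table:
    # check a pcap before filing these as either sample infrastructure or noise.
    reverse_only = sorted(reverse - set(connects), key=ipaddress.IPv4Address)
    return {"iocs": iocs, "infra_noise": noise, "reverse_only": reverse_only}


if __name__ == "__main__":
    for k, v in triage_network(ROWS).items():
        print(k, v)
```

On this table the IOC list comes out as publisher.linkvertise.com (104.22.23.72:443) and zipansion.com (172.67.144.180:80); the page does not say which of these served a payload and which is a redirector, so both go into the report as observed destinations. Nine of the twelve reverse-resolved addresses (the 20.x and 52.x Microsoft ranges among them) have no connection row, which is the usual telemetry background rather than sample activity, but the pcap is the place to confirm that.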
Files
memory/4340-0-0x0000000000400000-0x000000000086A000-memory.dmp
memory/4340-1-0x0000000001C60000-0x0000000001D72000-memory.dmp
memory/4340-2-0x0000000000400000-0x00000000005F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe
| MD5 | b8001d99c63065e4372fb7f763b1321c |
| SHA1 | f80743a419c04801aae2c371961b5f91a73df7df |
| SHA256 | 904880b6749e020496a2db8a6c5779ea14f4307e932cf88e5445ff4b04ab0962 |
| SHA512 | 9f45803d6f00c17cfbb549e1e64f307a6255b9f13980bfcd50932f941144f313ef4fbda8a9d4cf8edaef0fd48ae342d53abfc4483f1f6183f313c64239130ca2 |
memory/4340-13-0x0000000000400000-0x00000000005F2000-memory.dmp
memory/1172-16-0x0000000000400000-0x00000000005F2000-memory.dmp
memory/1172-15-0x0000000001CE0000-0x0000000001DF2000-memory.dmp
memory/1172-14-0x0000000000400000-0x000000000086A000-memory.dmp
memory/1172-28-0x0000000000400000-0x000000000086A000-memory.dmp