Malware Analysis Report

2025-01-22 18:41

Sample ID 240930-j1msqsyflf
Target 00517ee380c252f61e003a91c6dda87d_JaffaCakes118
SHA256 1682191efebbd5f83a9fdd30eb78597652f17ef104a16afd9ba0c12bd284d531
Tags
upx discovery gozi banker isfb trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1682191efebbd5f83a9fdd30eb78597652f17ef104a16afd9ba0c12bd284d531

Threat Level: Known bad

The file 00517ee380c252f61e003a91c6dda87d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

upx discovery gozi banker isfb trojan

Gozi

Deletes itself

Executes dropped EXE

Loads dropped DLL

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-30 08:08

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-30 08:08

Reported

2024-09-30 08:10

Platform

win7-20240708-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 publisher.linkvertise.com udp
US 104.22.22.72:443 publisher.linkvertise.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 linkvertise.com udp
US 104.22.22.72:443 linkvertise.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.22:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 2.17.5.133:80 www.microsoft.com tcp

Files

memory/2360-0-0x0000000000400000-0x000000000086A000-memory.dmp

memory/2360-1-0x0000000000400000-0x00000000005F2000-memory.dmp

memory/2360-3-0x0000000000260000-0x0000000000372000-memory.dmp

\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe

MD5 ec8b98b7f4d9fb7ece239180de91720a
SHA1 949ffdafaeca1d13b1cd5a4d481832f984091aaf
SHA256 43a4e9435affabf405e406850256e0f8e270147978a4d7a97d0afe37e65905fe
SHA512 1fa2908b3c4e3be0f092946c78168ab5add8f88de535b68b0f3f294fd1d0f16baa425dd26efa044f0cf3305db1efc333a9207d74680222707ef64b44c1d48f53

memory/2396-17-0x0000000000400000-0x000000000086A000-memory.dmp

memory/2396-18-0x0000000000260000-0x0000000000372000-memory.dmp

memory/2360-15-0x0000000003680000-0x0000000003AEA000-memory.dmp

memory/2360-14-0x0000000000400000-0x00000000005F2000-memory.dmp

memory/2396-19-0x0000000000400000-0x00000000005F2000-memory.dmp

memory/2396-41-0x0000000000400000-0x000000000086A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-30 08:08

Reported

2024-09-30 08:10

Platform

win10v2004-20240802-en

Max time kernel

95s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 publisher.linkvertise.com udp
US 104.22.23.72:443 publisher.linkvertise.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 180.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.23.22.104.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/4340-0-0x0000000000400000-0x000000000086A000-memory.dmp

memory/4340-1-0x0000000001C60000-0x0000000001D72000-memory.dmp

memory/4340-2-0x0000000000400000-0x00000000005F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\00517ee380c252f61e003a91c6dda87d_JaffaCakes118.exe

MD5 b8001d99c63065e4372fb7f763b1321c
SHA1 f80743a419c04801aae2c371961b5f91a73df7df
SHA256 904880b6749e020496a2db8a6c5779ea14f4307e932cf88e5445ff4b04ab0962
SHA512 9f45803d6f00c17cfbb549e1e64f307a6255b9f13980bfcd50932f941144f313ef4fbda8a9d4cf8edaef0fd48ae342d53abfc4483f1f6183f313c64239130ca2

memory/4340-13-0x0000000000400000-0x00000000005F2000-memory.dmp

memory/1172-16-0x0000000000400000-0x00000000005F2000-memory.dmp

memory/1172-15-0x0000000001CE0000-0x0000000001DF2000-memory.dmp

memory/1172-14-0x0000000000400000-0x000000000086A000-memory.dmp

memory/1172-28-0x0000000000400000-0x000000000086A000-memory.dmp