Malware Analysis Report

2025-01-22 18:42

Sample ID 240930-zd5m2atgqq
Target 032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118
SHA256 1f66f83d4e61379b5979811f38bd65f5d6f004f925581d708d64b9ad15e57dee
Tags
discovery upx isfb gozi
score
10/10

Analysis Overview

score
10/10

SHA256

1f66f83d4e61379b5979811f38bd65f5d6f004f925581d708d64b9ad15e57dee

Threat Level: Known bad

The file 032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

discovery upx isfb gozi

Gozi family

Executes dropped EXE

Deletes itself

Loads dropped DLL

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-30 20:37

Signatures

Gozi family

gozi

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-30 20:37

Reported

2024-09-30 20:39

Platform

win7-20240903-en

Max time kernel

118s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 publisher.linkvertise.com udp
US 104.22.23.72:443 publisher.linkvertise.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.195:80 c.pki.goog tcp
US 8.8.8.8:53 linkvertise.com udp
US 104.22.22.72:443 linkvertise.com tcp

Files

memory/2308-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2308-1-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2308-4-0x0000000000240000-0x0000000000373000-memory.dmp

\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe

MD5 4161ae097bbd8bb4b88027c5f8dddacb
SHA1 ceeede5c74d8194148bac56571c4ada7fd353d9f
SHA256 e40c15b06de499d1579c76e512b220c4d0701157e28b3aca62d778cc06885444
SHA512 43eba0c35bc04c5ddab54eee212221e1162169239ec08a3b6a84714af94d90fda902822602584001a3cfe6ef668f828dcf70ef90c4626786f11e4901bb00b13b

memory/2308-14-0x0000000004270000-0x000000000475F000-memory.dmp

memory/2308-13-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2076-29-0x00000000034C0000-0x00000000036EA000-memory.dmp

memory/2076-28-0x0000000000230000-0x0000000000363000-memory.dmp

memory/2076-27-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2076-21-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2076-16-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2076-45-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-30 20:37

Reported

2024-09-30 20:39

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 publisher.linkvertise.com udp
US 104.22.23.72:443 publisher.linkvertise.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 180.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 72.23.22.104.in-addr.arpa udp
GB 142.250.187.195:80 c.pki.goog tcp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/2164-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2164-1-0x0000000001CE0000-0x0000000001E13000-memory.dmp

memory/2164-2-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe

MD5 7f5952f403ad94bd56fae2448e7eaef5
SHA1 e627280f21e34c5813a309b107064b439b81e0eb
SHA256 42d3cd9d12ec235191fe2a0e19f3a7d6f6762a48a39244411e5076299552b3ff
SHA512 5b6d4f794b08a34f4af3081398751123d808f9318296f17da743f0421b3dd0469f24eff2f0d4cdf5235bf42bfab0a8267d24d2d4af187d041c91a2786dd8d988

memory/2164-12-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2304-13-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2304-14-0x0000000001A30000-0x0000000001B63000-memory.dmp

memory/2304-15-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2304-26-0x0000000004660000-0x000000000488A000-memory.dmp

memory/2304-20-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2304-33-0x0000000000400000-0x00000000008EF000-memory.dmp