Analysis Overview
SHA256
1f66f83d4e61379b5979811f38bd65f5d6f004f925581d708d64b9ad15e57dee
Threat Level: Known bad
The file 032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gozi family
Executes dropped EXE
Deletes itself
Loads dropped DLL
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-30 20:37
Signatures
Gozi family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-30 20:37
Reported
2024-09-30 20:39
Platform
win7-20240903-en
Max time kernel
118s
Max time network
125s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2308 wrote to memory of 2076 | N/A | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe |
| PID 2308 wrote to memory of 2076 | N/A | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe |
| PID 2308 wrote to memory of 2076 | N/A | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe |
| PID 2308 wrote to memory of 2076 | N/A | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | publisher.linkvertise.com | udp |
| US | 104.22.23.72:443 | publisher.linkvertise.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.195:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | linkvertise.com | udp |
| US | 104.22.22.72:443 | linkvertise.com | tcp |
Files
memory/2308-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2308-1-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2308-4-0x0000000000240000-0x0000000000373000-memory.dmp
\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe
| MD5 | 4161ae097bbd8bb4b88027c5f8dddacb |
| SHA1 | ceeede5c74d8194148bac56571c4ada7fd353d9f |
| SHA256 | e40c15b06de499d1579c76e512b220c4d0701157e28b3aca62d778cc06885444 |
| SHA512 | 43eba0c35bc04c5ddab54eee212221e1162169239ec08a3b6a84714af94d90fda902822602584001a3cfe6ef668f828dcf70ef90c4626786f11e4901bb00b13b |
memory/2308-14-0x0000000004270000-0x000000000475F000-memory.dmp
memory/2308-13-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2076-29-0x00000000034C0000-0x00000000036EA000-memory.dmp
memory/2076-28-0x0000000000230000-0x0000000000363000-memory.dmp
memory/2076-27-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2076-21-0x0000000000400000-0x000000000061D000-memory.dmp
memory/2076-16-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2076-45-0x0000000000400000-0x00000000008EF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-30 20:37
Reported
2024-09-30 20:39
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
141s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2164 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe |
| PID 2164 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe |
| PID 2164 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | publisher.linkvertise.com | udp |
| US | 104.22.23.72:443 | publisher.linkvertise.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.23.22.104.in-addr.arpa | udp |
| GB | 142.250.187.195:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/2164-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2164-1-0x0000000001CE0000-0x0000000001E13000-memory.dmp
memory/2164-2-0x0000000000400000-0x000000000062A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\032c65b1bf312ba8244cff6c94c06d74_JaffaCakes118.exe
| MD5 | 7f5952f403ad94bd56fae2448e7eaef5 |
| SHA1 | e627280f21e34c5813a309b107064b439b81e0eb |
| SHA256 | 42d3cd9d12ec235191fe2a0e19f3a7d6f6762a48a39244411e5076299552b3ff |
| SHA512 | 5b6d4f794b08a34f4af3081398751123d808f9318296f17da743f0421b3dd0469f24eff2f0d4cdf5235bf42bfab0a8267d24d2d4af187d041c91a2786dd8d988 |
memory/2164-12-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2304-13-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2304-14-0x0000000001A30000-0x0000000001B63000-memory.dmp
memory/2304-15-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2304-26-0x0000000004660000-0x000000000488A000-memory.dmp
memory/2304-20-0x0000000000400000-0x000000000061D000-memory.dmp
memory/2304-33-0x0000000000400000-0x00000000008EF000-memory.dmp