Malware Analysis Report

2025-01-22 16:26

Sample ID 241004-tfab1sxdnf
Target 1404211e963a92d91f74a7c0b575de1b_JaffaCakes118
SHA256 7c6245ba75bde7535a52a2bbdfe113c24a2cd8d0c7a94c72962a363acdca8abf
Tags
discovery upx gozi banker isfb trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7c6245ba75bde7535a52a2bbdfe113c24a2cd8d0c7a94c72962a363acdca8abf

Threat Level: Known bad

The file 1404211e963a92d91f74a7c0b575de1b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

discovery upx gozi banker isfb trojan

Gozi

Deletes itself

Executes dropped EXE

Loads dropped DLL

UPX packed file

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-04 15:59

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-04 15:59

Reported

2024-10-04 16:02

Platform

win7-20240903-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 publisher.linkvertise.com udp
US 172.67.31.186:443 publisher.linkvertise.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.169.67:80 c.pki.goog tcp
US 8.8.8.8:53 linkvertise.com udp
US 104.22.22.72:443 linkvertise.com tcp

Files

memory/276-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/276-1-0x0000000000130000-0x0000000000263000-memory.dmp

memory/276-2-0x0000000000400000-0x000000000062A000-memory.dmp

\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe

MD5 6e931612d66f2896185cc7090b7b46aa
SHA1 aa891b917593e09312f69d5850a61977c1cdb516
SHA256 831d8c5c4661a11634044ac5b1670f63be4d2ef3e37df10a647d3640a74362d7
SHA512 3b10d41692b644bdbc9984a400b4601bdb5eb19cfe68aa40247a34f600bfdd02bc089b8257e28bb19741132275d2dc9f9eed1f0af6d40dc3960e06674375400c

memory/276-14-0x0000000003DC0000-0x00000000042AF000-memory.dmp

memory/276-13-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1668-21-0x0000000000400000-0x000000000061D000-memory.dmp

memory/1668-29-0x00000000034F0000-0x000000000371A000-memory.dmp

memory/1668-28-0x0000000000260000-0x0000000000393000-memory.dmp

memory/1668-16-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1668-27-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1668-46-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-04 15:59

Reported

2024-10-04 16:02

Platform

win10v2004-20240802-en

Max time kernel

94s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 publisher.linkvertise.com udp
US 104.22.22.72:443 publisher.linkvertise.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.169.67:80 c.pki.goog tcp
US 8.8.8.8:53 180.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 72.22.22.104.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 28.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/3716-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/3716-1-0x0000000001D40000-0x0000000001E73000-memory.dmp

memory/3716-2-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe

MD5 4097f69060af502b5f0004cfd48190b0
SHA1 d50be854d40f0d8ed2f4df8fa2bebe546be49e4b
SHA256 74603da339707362d1e4ece2ede1b1e3c621fe2de09355ffd62f406a931589df
SHA512 08920b05a319f4af9f5f069c0aac8f04d765cba4d939424331a2ee3d89922d829eb709c942e48453768f89f6672134b7d2412ab2935631d87bb7bfd9e97d868c

memory/4544-13-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/3716-12-0x0000000000400000-0x000000000062A000-memory.dmp

memory/4544-15-0x0000000000400000-0x000000000062A000-memory.dmp

memory/4544-21-0x0000000000400000-0x000000000061D000-memory.dmp

memory/4544-20-0x00000000045F0000-0x000000000481A000-memory.dmp

memory/4544-14-0x0000000001CF0000-0x0000000001E23000-memory.dmp

memory/4544-33-0x0000000000400000-0x00000000008EF000-memory.dmp