Analysis Overview
SHA256
7c6245ba75bde7535a52a2bbdfe113c24a2cd8d0c7a94c72962a363acdca8abf
Threat Level: Known bad
The file 1404211e963a92d91f74a7c0b575de1b_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gozi
Deletes itself
Executes dropped EXE
Loads dropped DLL
UPX packed file
System Location Discovery: System Language Discovery (ATT&CK T1614.001)
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-04 15:59
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
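The static1 run flags the sample as a UPX packed file and an unsigned PE but records no indicator behind either verdict. The script below is an added example, not part of this report and not the sandbox's own signature code. It checks the traits a UPX build leaves in the PE section table: section names beginning with UPX, a first section with zero raw size that exists only to receive the unpacked image, an entry point outside the first section, and sections that are both writable and executable. The two PE headers it runs on are constructed with build_pe() for illustration; they are not the sample's bytes.

```python
"""Check a PE for the traits the "UPX packed file" signature keys on, read
straight from the section table. Added example: the two headers below are
constructed with build_pe() for illustration, not the sample from the report.
"""
import struct

SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_WRITE = 0x80000000


def build_pe(sections, entry_rva, opt_size=0xE0):
    """Assemble a minimal header-only PE32: DOS stub, PE signature, COFF header,
    optional header zeroed except Magic and AddressOfEntryPoint, section table."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vsize, vaddr,
                    rawsize, rawptr, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, rawsize, rawptr, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    """Return (entry_rva, [section dicts]) by walking MZ -> e_lfanew ->
    PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]     # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, coff + 20 + 16)[0]   # AddressOfEntryPoint
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("latin-1"),
                         "vsize": f[1], "vaddr": f[2], "rawsize": f[3],
                         "chars": f[9]})
    return entry, sections


def section_for_rva(sections, rva):
    """Section whose virtual range contains rva, or None."""
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], 1):
            return s
    return None


def packer_indicators(data):
    """Reasons to call the file packed; an empty list means none found. The name
    check is UPX-specific, the other three also catch renamed-section builds."""
    entry, sections = parse_pe(data)
    reasons = []
    upx = [s["name"] for s in sections if s["name"].upper().startswith("UPX")]
    if upx:
        reasons.append("UPX section names: " + ", ".join(upx))
    if sections and sections[0]["rawsize"] == 0 and sections[0]["vsize"] > 0:
        reasons.append(f"first section {sections[0]['name']} has no raw data but "
                       f"0x{sections[0]['vsize']:X} bytes virtual (unpack target)")
    ep = section_for_rva(sections, entry)
    if ep is not None and ep is not sections[0]:
        reasons.append(f"entry point 0x{entry:X} is in {ep['name']}, not the first section")
    wx = [s["name"] for s in sections
          if s["chars"] & SCN_MEM_EXECUTE and s["chars"] & SCN_MEM_WRITE]
    if wx:
        reasons.append("writable+executable sections: " + ", ".join(wx))
    return reasons


# Constructed headers: a UPX-style layout and an ordinary compiler layout.
UPX_LIKE = build_pe([
    ("UPX0", 0x40000, 0x1000, 0, 0x400, 0xE0000080),
    ("UPX1", 0x10000, 0x41000, 0xF800, 0x400, 0xE0000080),
    (".rsrc", 0x1000, 0x51000, 0x800, 0xFC00, 0xC0000040),
], entry_rva=0x50F00)
PLAIN = build_pe([
    (".text", 0x5000, 0x1000, 0x5000, 0x400, 0x60000020),
    (".rdata", 0x2000, 0x6000, 0x2000, 0x5400, 0x40000040),
    (".data", 0x1000, 0x8000, 0x600, 0x7400, 0xC0000040),
], entry_rva=0x1200)

if __name__ == "__main__":
    for label, blob in (("upx-like", UPX_LIKE), ("plain", PLAIN)):
        print(label, packer_indicators(blob) or ["no packer indicators"])
```

To run it on the real sample, pass the file's bytes to packer_indicators(). The name check alone is fragile, since a UPX build with renamed sections keeps the other three traits. Where the names are intact, stock upx -d restores the original image, and that unpacked file is the one whose hash and signature status are worth recording.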
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-04 15:59
Reported
2024-10-04 16:02
Platform
win7-20240903-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 276 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe |
| PID 276 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe |
| PID 276 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe |
| PID 276 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | publisher.linkvertise.com | udp |
| US | 172.67.31.186:443 | publisher.linkvertise.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 172.217.169.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | linkvertise.com | udp |
| US | 104.22.22.72:443 | linkvertise.com | tcp |
Files
memory/276-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/276-1-0x0000000000130000-0x0000000000263000-memory.dmp
memory/276-2-0x0000000000400000-0x000000000062A000-memory.dmp
\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe
| MD5 | 6e931612d66f2896185cc7090b7b46aa |
| SHA1 | aa891b917593e09312f69d5850a61977c1cdb516 |
| SHA256 | 831d8c5c4661a11634044ac5b1670f63be4d2ef3e37df10a647d3640a74362d7 |
| SHA512 | 3b10d41692b644bdbc9984a400b4601bdb5eb19cfe68aa40247a34f600bfdd02bc089b8257e28bb19741132275d2dc9f9eed1f0af6d40dc3960e06674375400c |
memory/276-14-0x0000000003DC0000-0x00000000042AF000-memory.dmp
memory/276-13-0x0000000000400000-0x000000000062A000-memory.dmp
memory/1668-21-0x0000000000400000-0x000000000061D000-memory.dmp
memory/1668-29-0x00000000034F0000-0x000000000371A000-memory.dmp
memory/1668-28-0x0000000000260000-0x0000000000393000-memory.dmp
memory/1668-16-0x0000000000400000-0x000000000062A000-memory.dmp
memory/1668-27-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/1668-46-0x0000000000400000-0x00000000008EF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-04 15:59
Reported
2024-10-04 16:02
Platform
win10v2004-20240802-en
Max time kernel
94s
Max time network
126s
Command Line
Signatures
Gozi
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3716 wrote to memory of 4544 | N/A | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe |
| PID 3716 wrote to memory of 4544 | N/A | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe |
| PID 3716 wrote to memory of 4544 | N/A | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | publisher.linkvertise.com | udp |
| US | 104.22.22.72:443 | publisher.linkvertise.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 172.217.169.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.22.22.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
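The Network tables for both runs mix three things: DNS queries to the sandbox resolver 8.8.8.8, reverse (in-addr.arpa) lookups whose names encode IP addresses, and the TCP connections that follow. The script below is an added example and not part of the report. It parses the behavioral2 rows above (copied in as its input), separates the three classes, decodes the reverse-lookup names back into addresses, and lists addresses that were looked up but never appear as a forward connection. Treating c.pki.goog as background certificate-infrastructure traffic is an assumption of the example, not something the report states.

```python
"""Triage the report's Network table: forward connections per domain, resolver
queries, and addresses recovered from reverse (in-addr.arpa) lookups.
Added example; NETWORK_TABLE is the behavioral2 table copied in as input.
"""
import ipaddress
from collections import defaultdict

NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | publisher.linkvertise.com | udp |
| US | 104.22.22.72:443 | publisher.linkvertise.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 172.217.169.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.22.22.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
"""


def parse_rows(table):
    """Pipe-table rows -> dicts; the header row is skipped."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'28.118.140.52.in-addr.arpa' -> '52.140.118.28'; None for other names."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def triage(rows, resolver="8.8.8.8", background=frozenset()):
    """Split rows into forward connections keyed by domain, plain resolver
    queries, decoded reverse lookups, and looked-up addresses that have no
    forward connection. Domains in `background` are dropped from connections."""
    connections = defaultdict(set)
    queries, reverse = set(), set()
    for r in rows:
        if r["port"] == 53 and r["ip"] == resolver:
            ip = ptr_to_ip(r["domain"])
            if ip:
                reverse.add(ip)
            else:
                queries.add(r["domain"])
        else:
            connections[r["domain"]].add((r["ip"], r["port"], r["proto"]))
    forward_ips = {ip for conns in connections.values() for ip, _, _ in conns}
    return {
        "connections": {d: sorted(c) for d, c in connections.items()
                        if d not in background},
        "queries": queries,
        "reverse_lookups": reverse,
        "unexplained_ips": sorted(reverse - forward_ips, key=ipaddress.IPv4Address),
    }


if __name__ == "__main__":
    # Assumption for the example: c.pki.goog is certificate-infrastructure noise.
    result = triage(parse_rows(NETWORK_TABLE), background={"c.pki.goog"})
    for domain, conns in result["connections"].items():
        print(domain, conns)
    print("looked up but never connected to:", result["unexplained_ips"])
```

Ten of the thirteen reverse-looked-up addresses have no forward connection in the table; the sandbox only lists connections it attributes to the sample, so those addresses belong against the platform's own baseline before anyone promotes them to indicators. The resolved addresses for zipansion.com and publisher.linkvertise.com also differ between behavioral1 and behavioral2, so record each domain with its address per run rather than treating a single IP as the indicator.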
Files
memory/3716-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/3716-1-0x0000000001D40000-0x0000000001E73000-memory.dmp
memory/3716-2-0x0000000000400000-0x000000000062A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe
| MD5 | 4097f69060af502b5f0004cfd48190b0 |
| SHA1 | d50be854d40f0d8ed2f4df8fa2bebe546be49e4b |
| SHA256 | 74603da339707362d1e4ece2ede1b1e3c621fe2de09355ffd62f406a931589df |
| SHA512 | 08920b05a319f4af9f5f069c0aac8f04d765cba4d939424331a2ee3d89922d829eb709c942e48453768f89f6672134b7d2412ab2935631d87bb7bfd9e97d868c |
memory/4544-13-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/3716-12-0x0000000000400000-0x000000000062A000-memory.dmp
memory/4544-15-0x0000000000400000-0x000000000062A000-memory.dmp
memory/4544-21-0x0000000000400000-0x000000000061D000-memory.dmp
memory/4544-20-0x00000000045F0000-0x000000000481A000-memory.dmp
memory/4544-14-0x0000000001CF0000-0x0000000001E23000-memory.dmp
memory/4544-33-0x0000000000400000-0x00000000008EF000-memory.dmp
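Both behavioral runs show the same chain: the sample starts a second copy of itself, writes into that child's memory (four WriteProcessMemory rows from PID 276 into 1668 on Windows 7, three from 3716 into 4544 on Windows 10), the sandbox reports UnmapMainImage, and the child's mapping at 0x400000 in the Files list changes size between dumps (0x22A000, then 0x21D000, then 0x4EF000 bytes). That is the shape of image replacement in a suspended child of the same binary (process hollowing); the report names the signatures but not that conclusion, so treat it as an inference. The script below is an added example, not the sandbox's own logic: it re-derives the inference from the two WriteProcessMemory tables and the memory dump file names of both runs, copied in as constructed input. Note also that the on-disk copy listed under Files has a different hash in each run and differs from the submitted SHA256, so the dropped file's hash is a weak pivot on its own.

```python
"""Correlate cross-process memory writes with changes in each process's image
region, using the memory dump file names as the timeline.
Added example; the input lists are copied from the report, not captured live.
"""
import re
from collections import defaultdict

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
IMAGE_BASE = 0x400000   # both instances of the sample are mapped here in the report

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1404211e963a92d91f74a7c0b575de1b_JaffaCakes118.exe")

# behavioral1: four "PID 276 wrote to memory of 1668" rows, process == target
B1_WRITES = [("PID 276 wrote to memory of 1668", SAMPLE, SAMPLE)] * 4
B1_DUMPS = [
    "memory/276-0-0x0000000000400000-0x00000000008EF000-memory.dmp",
    "memory/276-1-0x0000000000130000-0x0000000000263000-memory.dmp",
    "memory/276-2-0x0000000000400000-0x000000000062A000-memory.dmp",
    "memory/276-14-0x0000000003DC0000-0x00000000042AF000-memory.dmp",
    "memory/276-13-0x0000000000400000-0x000000000062A000-memory.dmp",
    "memory/1668-21-0x0000000000400000-0x000000000061D000-memory.dmp",
    "memory/1668-29-0x00000000034F0000-0x000000000371A000-memory.dmp",
    "memory/1668-28-0x0000000000260000-0x0000000000393000-memory.dmp",
    "memory/1668-16-0x0000000000400000-0x000000000062A000-memory.dmp",
    "memory/1668-27-0x0000000000400000-0x00000000008EF000-memory.dmp",
    "memory/1668-46-0x0000000000400000-0x00000000008EF000-memory.dmp",
]
# behavioral2: three "PID 3716 wrote to memory of 4544" rows
B2_WRITES = [("PID 3716 wrote to memory of 4544", SAMPLE, SAMPLE)] * 3
B2_DUMPS = [
    "memory/3716-0-0x0000000000400000-0x00000000008EF000-memory.dmp",
    "memory/3716-1-0x0000000001D40000-0x0000000001E73000-memory.dmp",
    "memory/3716-2-0x0000000000400000-0x000000000062A000-memory.dmp",
    "memory/4544-13-0x0000000000400000-0x00000000008EF000-memory.dmp",
    "memory/3716-12-0x0000000000400000-0x000000000062A000-memory.dmp",
    "memory/4544-15-0x0000000000400000-0x000000000062A000-memory.dmp",
    "memory/4544-21-0x0000000000400000-0x000000000061D000-memory.dmp",
    "memory/4544-20-0x00000000045F0000-0x000000000481A000-memory.dmp",
    "memory/4544-14-0x0000000001CF0000-0x0000000001E23000-memory.dmp",
    "memory/4544-33-0x0000000000400000-0x00000000008EF000-memory.dmp",
]


def same_image_writes(events):
    """{(writer_pid, target_pid)} for writes where the writing process and the
    written process run the same image path, i.e. a child of the same binary."""
    pairs = set()
    for desc, proc, target in events:
        m = WRITE_RE.search(desc)
        if m and proc.lower() == target.lower():
            pairs.add((int(m.group(1)), int(m.group(2))))
    return pairs


def image_region_timeline(dump_names, base=IMAGE_BASE):
    """pid -> [(dump_seq, region_size)] for dumps whose region starts at `base`,
    ordered by the sequence number embedded in the dump file name."""
    timeline = defaultdict(list)
    for name in dump_names:
        m = DUMP_RE.search(name)
        if not m:
            continue
        pid, seq = int(m.group(1)), int(m.group(2))
        start, end = int(m.group(3), 16), int(m.group(4), 16)
        if start == base:
            timeline[pid].append((seq, end - start))
    return {pid: sorted(v) for pid, v in timeline.items()}


def hollowing_candidates(events, dump_names):
    """PIDs that (a) were written to by another instance of their own image and
    (b) whose mapping at the image base changed size between dumps. This is a
    heuristic for image replacement (process hollowing), not a proof."""
    timeline = image_region_timeline(dump_names)
    flagged = []
    for _writer, target in sorted(same_image_writes(events)):
        sizes = {size for _seq, size in timeline.get(target, [])}
        if len(sizes) > 1 and target not in flagged:
            flagged.append(target)
    return flagged


if __name__ == "__main__":
    for run, (writes, dumps) in {"behavioral1": (B1_WRITES, B1_DUMPS),
                                 "behavioral2": (B2_WRITES, B2_DUMPS)}.items():
        print(run, "candidates:", hollowing_candidates(writes, dumps))
        for pid, tl in image_region_timeline(dumps).items():
            print(f"  pid {pid}: " + ", ".join(f"#{s}:0x{sz:X}" for s, sz in tl))
```

The parents 276 and 3716 are not flagged even though their own 0x400000 region also changes size (0x4EF000 to 0x22A000 bytes), because nothing writes into them; the heuristic needs both a same-image writer and a region change. When the target's own first dump already shows the replaced size, as here where 1668's earliest listed dump (#16) is 0x22A000 rather than the parent's initial 0x4EF000, the dumps alone cannot order unmap and write, which is why the WriteProcessMemory rows are paired with them rather than used on their own.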