Malware Analysis Report

2025-01-22 16:28

Sample ID 241009-h4m28sshlp
Target 2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118
SHA256 b24a8262ddfbe90b795e3525bed6987cf8609c5ebd2f53884bdf2ae2b09e8be8
Tags
upx isfb gozi discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b24a8262ddfbe90b795e3525bed6987cf8609c5ebd2f53884bdf2ae2b09e8be8

Threat Level: Known bad

The file 2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

upx isfb gozi discovery

Gozi family

Loads dropped DLL

Deletes itself

Executes dropped EXE

UPX packed file

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-09 07:17

Signatures

Gozi family

gozi

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-09 07:17

Reported

2024-10-09 18:47

Platform

win7-20240704-en

Max time kernel

117s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 publisher.linkvertise.com udp
US 104.22.23.72:443 publisher.linkvertise.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.195:80 c.pki.goog tcp
US 8.8.8.8:53 linkvertise.com udp
US 104.22.23.72:443 linkvertise.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.22:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 2.17.5.133:80 www.microsoft.com tcp

Files

memory/2652-9-0x0000000001B20000-0x0000000001C53000-memory.dmp

memory/2652-7-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2652-0-0x0000000000400000-0x000000000062A000-memory.dmp

\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe

MD5 58eed63493c539f12adca49ec9f228c8
SHA1 938671eac76535679de065900bfcfd21513c8a44
SHA256 441fd51dcf4ecb64fb7b047be28a3822307cf8299664141721fb84e58485db6c
SHA512 551dcd7299177d9ef070a67d7c3d81b0f4d765ac9cc6a170c445bf7be1bfb1a2bed52b1fec0ede8cc016818e602c5ffc0fe614ac734bdea8d52229ed479c66f7

memory/1884-15-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1884-28-0x0000000003420000-0x000000000364A000-memory.dmp

memory/1884-24-0x0000000000130000-0x0000000000263000-memory.dmp

memory/1884-21-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2652-13-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1884-20-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1884-44-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-09 07:17

Reported

2024-10-09 18:48

Platform

win10v2004-20241007-en

Max time kernel

96s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 publisher.linkvertise.com udp
US 104.22.23.72:443 publisher.linkvertise.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.195:80 c.pki.goog tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 180.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 72.23.22.104.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/4272-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/4272-1-0x00000000018F0000-0x0000000001A23000-memory.dmp

memory/4272-2-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe

MD5 56b576908e1f5a4d2215f2cf9d29f174
SHA1 732ed6d9909037f8dad4368e33a3940d9022b5bd
SHA256 0f8401e992651171084619c7232b10fd91a0a573bf5dfb7de34679d21409c373
SHA512 9b12fe99e1323126e30954be2c6970a67b749763361e09179cbb50a6eb0135ecbfef3eec7cd272218546941d358fac5952d516ba9f230ae8e058291b6805ebb2

memory/4272-19-0x0000000000400000-0x000000000062A000-memory.dmp

memory/436-14-0x0000000000400000-0x000000000062A000-memory.dmp

memory/436-20-0x0000000000400000-0x000000000061D000-memory.dmp

memory/436-13-0x00000000018F0000-0x0000000001A23000-memory.dmp

memory/436-12-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/436-28-0x0000000004570000-0x000000000479A000-memory.dmp

memory/436-35-0x0000000000400000-0x00000000008EF000-memory.dmp