Analysis Overview
SHA256
b24a8262ddfbe90b795e3525bed6987cf8609c5ebd2f53884bdf2ae2b09e8be8
Threat Level: Known bad
The file 2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gozi family
Loads dropped DLL
Deletes itself
Executes dropped EXE
UPX packed file
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-09 07:17
Signatures
Gozi family
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-09 07:17
Reported
2024-10-09 18:47
Platform
win7-20240704-en
Max time kernel
117s
Max time network
128s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2652 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe |
| PID 2652 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe |
| PID 2652 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe |
| PID 2652 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | publisher.linkvertise.com | udp |
| US | 104.22.23.72:443 | publisher.linkvertise.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.195:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | linkvertise.com | udp |
| US | 104.22.23.72:443 | linkvertise.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.22:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 2.17.5.133:80 | www.microsoft.com | tcp |
Files
memory/2652-9-0x0000000001B20000-0x0000000001C53000-memory.dmp
memory/2652-7-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2652-0-0x0000000000400000-0x000000000062A000-memory.dmp
\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe
| MD5 | 58eed63493c539f12adca49ec9f228c8 |
| SHA1 | 938671eac76535679de065900bfcfd21513c8a44 |
| SHA256 | 441fd51dcf4ecb64fb7b047be28a3822307cf8299664141721fb84e58485db6c |
| SHA512 | 551dcd7299177d9ef070a67d7c3d81b0f4d765ac9cc6a170c445bf7be1bfb1a2bed52b1fec0ede8cc016818e602c5ffc0fe614ac734bdea8d52229ed479c66f7 |
memory/1884-15-0x0000000000400000-0x000000000062A000-memory.dmp
memory/1884-28-0x0000000003420000-0x000000000364A000-memory.dmp
memory/1884-24-0x0000000000130000-0x0000000000263000-memory.dmp
memory/1884-21-0x0000000000400000-0x000000000061D000-memory.dmp
memory/2652-13-0x0000000000400000-0x000000000062A000-memory.dmp
memory/1884-20-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/1884-44-0x0000000000400000-0x00000000008EF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-09 07:17
Reported
2024-10-09 18:48
Platform
win10v2004-20241007-en
Max time kernel
96s
Max time network
125s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4272 wrote to memory of 436 | N/A | C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe |
| PID 4272 wrote to memory of 436 | N/A | C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe |
| PID 4272 wrote to memory of 436 | N/A | C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | publisher.linkvertise.com | udp |
| US | 104.22.23.72:443 | publisher.linkvertise.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.195:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.23.22.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
memory/4272-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/4272-1-0x00000000018F0000-0x0000000001A23000-memory.dmp
memory/4272-2-0x0000000000400000-0x000000000062A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2d130747a7e5b4afe8f4775fce20ad76_JaffaCakes118.exe
| MD5 | 56b576908e1f5a4d2215f2cf9d29f174 |
| SHA1 | 732ed6d9909037f8dad4368e33a3940d9022b5bd |
| SHA256 | 0f8401e992651171084619c7232b10fd91a0a573bf5dfb7de34679d21409c373 |
| SHA512 | 9b12fe99e1323126e30954be2c6970a67b749763361e09179cbb50a6eb0135ecbfef3eec7cd272218546941d358fac5952d516ba9f230ae8e058291b6805ebb2 |
memory/4272-19-0x0000000000400000-0x000000000062A000-memory.dmp
memory/436-14-0x0000000000400000-0x000000000062A000-memory.dmp
memory/436-20-0x0000000000400000-0x000000000061D000-memory.dmp
memory/436-13-0x00000000018F0000-0x0000000001A23000-memory.dmp
memory/436-12-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/436-28-0x0000000004570000-0x000000000479A000-memory.dmp
memory/436-35-0x0000000000400000-0x00000000008EF000-memory.dmp