gozi | 1333b96981052d2c51c9a49f4190e5df643358df419c0a614d814fab69b0b5ee

General

Target

eafeaede0846e113be2b5deee22d336d_JaffaCakes118.exe
Size

177KB
MD5

eafeaede0846e113be2b5deee22d336d
SHA1

7d2e7426f53ccbae25461c2c43c8cc96683ee20e
SHA256

1333b96981052d2c51c9a49f4190e5df643358df419c0a614d814fab69b0b5ee
SHA512

b3369cb59c496d8af405324f355971d5075089b1c046e36568593d8915f7e962f5e588a8e6fd607fc212afb253915c601b26e78287df75a7bd9aa81b66b4c5ca
SSDEEP

3072:o2bdgZfYA6mSfmBEvoau1Uhc7ZJsKdUAgV+dSn24/9frUQ7z6Eul6EgC6LHw:DbCZwA6FKEvBu1UhcFC14QV/drn6/x2Q

Score

10^/10

gozi banker discovery isfb trojan upx

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2524 set thread context of 2328	2524	eafeaede0846e113be2b5deee22d336d_JaffaCakes118.exe	30

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2328-16-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PCGWIN32.LI5	eafeaede0846e113be2b5deee22d336d_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process
2072	2328	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eafeaede0846e113be2b5deee22d336d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eafeaede0846e113be2b5deee22d336d_JaffaCakes118.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{E9EEA727-DBB9E38B-5EBAD27A-1236B359}\ = 48fc0acbbb84d5caef28b415fa9084687e3345bee08573100e55ab5ce91ab7674d1d081893e566336df6abf2893ef34479cfc4d5a0d3ccd1a8539456a05dbc5878e545cfa0d56bef4e35553090b59380697d4cb8ab7ba9be0b3b2ebe8b058980f74dc248a7a882ae89f4880068394f84eab26838f7798d4457f1220f608a3316f9d3bb99f927fb0281c197239deedbd4591ee064aeefea956e13f56e432a6ed1f8a711cd9cd41baf59aa1c91d89cda9b26de3d65c4f0028f572aad56571dad18172752fd59fbe441eec4b480bdf87878bb3d06fbcc81542ce329c1946bdfee9a94df205a5726d2ada96bec2e89cbe8898b0fae0acab1cebbf43930c04e4bcbb6c933efbef5054f4f8a0af6ee329479ec40d6cbe22906907c5ec7248d8fd7b55dffe405902cec576ad2e9ae574a6231f94703629e49e5c8bc2eb94bfbb6f9b2bb368173f73ec245911c6019d5182f23eafe57fba23e173bddc1670fe28aeef74af2c98853c81ef5dabc98b91980e0e5951c6c67f762f2ff7ffafac747f2727fc97a6806d34dee688b0f8e2af476f2bd8e7b54be2d3bd4be90c46c62f5110358d123672ef275ce7c8a074e22cb563153885ee99bd0d9a867d262a619722079e9f82c3889bd30fbb1b93483f1e1b8d407e35d4ed8ab9e2e24ea4d96e81db7d8f2d9811b985ea3db8edeb5e58030760b73f1fec7040d8df414cc5ed4252c0cf537f3fdf9fb037926b8bd03c7a68dccd7b45dbde484b06c5c58fb436fc77717326655e3cdcdbf04255ea54c3612ca5d32c8db4339fec67cdf8c6ad4274e900de38d3682437e85c583e0d949dcb7db0d66689d6f24cadc305a7bd9be9b841e300f379eb29b801e1a5b191e981b9e1e1a1b191ea45b8ede34650f3c6a47ae228a4fe80a4a090f30f53dffc7052dc0a8ceed2ac82fb66ab2d176938d212b248e9f0aa5693f377a0247f1124f508a2f56d59da3181e67e562c0f10cc875f1cc38f7fdbdc4bbed81e857146211995498af5eb59b4f264aa3af06aa9d6818b5e5f3dc0124384383c6aefd2bf8d1c1630bde4e9ab4274222a0afc8ca28b1ef8c4ae8b1ea3cc885764c8d57cb52d157979d929b9fd99a67df125aa72062911f539a569fad1ab4e6f3b27ec63aa2875e7d1b449ead9b94e1ed13142613add1b42b7faeba357f8c7a0b7fb67a3df9b8047b9f7e1a7ba17e00baaff82a02f1c78c7249872c22f5c0b0b03fc23aaec174584161e8f42c3ea9bb10f9918354b111f39cf6a58d3c54f8ddb81b05e6dc2cd995e4e30ff10a73b77ec245df705acd61cb64916190bf5dc5d803e1fe5c7be78642f3713ec40543df0ee54b0fce2a55f7ec3de9b8b4f8bdf88444e1b1540712c2a95f57da52d9a960cb9a51605cd119285b915e2865a98cd3e8a9567363061e521b19e6df23a5cecfcbb5f64f0d0af48931a8802f1f6a9a6f1f159a1ce0d9922350be633a8effb4c572cfb8d53c13852623ada6a8d2116728428926b45d0f27f5028f29d5d0ef1cd5a76f2d8a74f6fff2ba460153731ece649423e226aecdea6868ac177492be9ffae500ff0dc5945f5c9a24e06dda746673a3c609c3ec9949a7f46df1c88008abc89652d3a1263303f6be7dbbb8f907ff828501934399cee7ca4dc80812c81fec9a349831d8b8e3c4c69e4de4946cdfe9daab9e11da58e1e3e8f62a8217fe5284e950575bd29e90a523303e77bb72be003b3b46fe3d444443df06a5d31f59da5ca0db721939db8059aae44e8ed515ef1cb55a7f9f3a9ac1dfb71a4d590858a91c97672d2dc814b0ef02352780525e5fe51a20df879a5d61d8dc5a2661fd3844c1f167b7b20d39d4b890fc2e466b3309becc84943c1cc5279f7225bec084cacec80a282f0d8af4b0ffce7a34c1ff9c7adbbf9e3ae5fe8c84d7136226268dad88b7ec0d34340d71b4b7b18d3cd7c45d80d81960dc25a59c6c99cbdf11e59cd31851a36c5137684d5574a00f760a4d4fa895956f10b5dcffa4053d3c38b97a87415d04a4f1507793826940b4f50033c78e524a99cf244af0777cf2bb4701c2e0be5d44a42eed95f4a373f97ef83a83799e78a505c0fc6787f2628137208260a9fd50c7d1addcd7a7ad6294d951d8ac5f29daf7674d6288172c12f76872b5c973f4ce4f14ca5f8f9acadeaf1aca598f9caae4ce121459e264702f8f75d530ef35953090ca5de8a42a23e9b63773c2460082ebd6115de864ca2ed0752c7cf507ffc2c549df4c25150cd0895788ad154bdf91651fcc9ae8e072638f5e5565909013ab660e1d156453c196bb6c01f7184d5d349bb1a178d33d11b854bda338f13d3bc47e1d7bd8fe25faccf8153a90ff25058cccd4f69cf2a70862cd911750a26100abedc9970b2d2e14aba36989f45373e6012c8cca882e326a39e984f7c0fde8fb68015573108e6e5435a10028df691a689f081a13e1d6b42c73f5c63fe3fab638b3fd8607a3f2710874b1c34329eef35501138cdee99ad4d890a6ee6caa0ab6774c3dcb04d1e1a303a1a6b702bda787cd8dab4b91565fddda64e0e3a2a19e439a29e0681a6d2748c2d5e9ec08aad3e81eed9b9459a11c9866a55d7f24badd3f9bba593f20fae7bf9d7a67f922f89f79a5c4438df634c27e88fb74f93ffbba39b8047a8dc1d7e39da1a7438dceebf4717ef4bb8e3e2abb4906f0cdb788c24f972ad2ef91aae42f9d55e42c532bded65b6d5e971b1de6645351661cdd196420c3e4a9f23378f6b98c3c36b97dc7f8ad8777d2026f761533a00e4ecb6b6e8eb4950e108be611429cd726dda3a7e18da38ba9f16b33ae0634c3c1395844e7c1c2bc7707c26dafc8caaa89288809b5f4c04e4795d21caf59ca58af1aaa19b7e4c25c67a7f2028f772a426808f571c33389fed3fba9466f920a2e76550360360fc32a6ec9b4504259efe46a5f77da32df0f5a75e77cb23bc73e9245ef7c6a3be9066c13571ed2e459fe204461affc7547801207a942ef19756470f1778b420989d4cfa0356cf3cb01114bdbf661f280800ec28bbe717a487997c0ed5857236276170d2248172f226a112924305173a876914d57ab92b1d8cf5c351b405eb725cd6cebd7699d905bea5e16e56d7f483ae981eba7916d9094a52e63cb9e56e4ad2cd40bddae9b54a1dd9b675922a3eec9ea3770f2cf4f75aa7cd1fbe4398284e8c3aa9e4e9b2ae157df52a511a3d08199f71c0d66483371c138df44652ddc289a2f1e0a5b31de38e53ba3c1c9efd05593a06e541593e0169f6d5a74d93ee47b93399ef8a584dc1c6727f2628977304270a8fff0c5329f3fe5bab34679f3004e560a1d97db9d992724521351a618dd1f981adb19a658addbb466c333668602ec9f4aa52f1f4a1ae999b3e7719d30a7b3adbeebfa51fe18c49f009a33274e62f567b3f239fff885c2c3c8cef0eb40117b6406d30d9ee8db4f9eb5e5034cb62afcb17b8b7e090414516d2f682a31cf0015469c93649edd1b24d98d9b1426ed03d45112a86f56ea9391e12873177ee245795c7c99399c04e5704c871682ad1f57e552b359c960cfabd5ae2f2b0af17773b2b687026dff4885b3df79da40dfb5258c1c299befa1552bd0eeac5535a03cc185e8f04d8b54ee2c4b17d6d2ad661453621ed11ba71e1d1b58e6e5c39036	eafeaede0846e113be2b5deee22d336d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{E9EEA727-DBB9E38B-5EBAD27A-1236B359}	eafeaede0846e113be2b5deee22d336d_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{E9EEA727-DBB9E38B-5EBAD27A-1236B359}\ = ae622074bb84d5caef28b415fa9084687e3345bee08573100e55ab5ce91ab7674d1d081893e566336df6abf2893ef34479cfc4d5a0d3ccd1a8539456a05dbc5878e545cfa0d56bef4e35553090b59380697d4cb8ab7ba9be0b3b2ebe8b058980f74dc248a7a882ae89f4880068394f84eab26838f7798d4457f1220f608a3316f9d3bb99f927fb0281c197239deedbd4591ee064aeefea956e13f56e432a6ed1ffa711cd9cd41baf59aa1c91d89cda9b26de3d65c4f0028f572aad56571dad18172752fd59fbe441eec4b480bdf87878bb3d06fbcc81542ce329c1946bdfee9a94df205a5726d2ada96bec2e89cbe8898b0fae0acab1cebbf43930c04e4bcbb6c933efbef5054f4f8a0af6ee329479ec40d6cbe22906907c5ec7248d8fd7b55dffe405902cec576ad2e9ae574a6231f94703629e49e5c8bc2eb94bfbb6f9b2bb368173f73ec245911c6019d5182f23eafe57fba23e173bddc1670fe28aeef74af2c98853c81ef5dabc98b91980e0e5951c6c67f762f2ff7ffafac747f2727fc97a6806d34dee688b0f8e2af476f2bd8e7b54be2d3bd4be90c46c62f5110358d123672ef275ce7c8a074e22cb563153885ee99bd0d9a867d262a619722079e9f82c3889bd30fbb1b93483f1e1b8d407e35d4ed8ab9e2e24ea4d96e81db7d8f2d9811b985ea3db8edeb5e58030760b73f1fec7040d8df414cc5ed4252c0cf537f3fdf9fb037926b8bd03c7a68dccd7b45dbde484b06cacd5fa436fc77717326655e3cdcdbf04255ea54c3612ca5d32c8db4339fec67cdf8c6ad4274e900de38d3682437e85c583e0d949dcb7db0d66689d6f24cadc305a7bd9be9b841e300f379eb29b801e1a5b191e981b9e1e1a1b191ea45b8ede34650f3c6a47ae228a4fe80a4a090f30f53dffc7052dc0a8ceed2ac82fb66ab2d176938d212b248e9f0aa5693f377a0247f1124f508a2f56d59da3181e67e562c0f10cc875f1cc38f7fdbdc4bbed81e857146211995498af5eb59b4f264aa3af06aa9d6818b5e5f3dc0124384383c6aefd2bf8d1c1630bde4e9ab4274222a0afc8ca28b1ef8c4ae8b1ea3cc885764c8d57cb52d157979d929b9fd99a67df125aa72062911f539a569fad1ab4e6f3b27ec63aa2875e7d1b449ead9b94e1ed13142613add1b42b7faeba357f8c7a0b7fb67a3df9b8047b9f7e1a7ba17e00baaff82a02f1c78c7249872c22f5c0b0b03fc23aaec174584161e8f42c3ea9bb10f9918354b111f39cf6a58d3c54f8ddb81b05e6dc2cd995e4e30ff10a73b77ec245df705acd61cb64916190bf5dc5d803e1fe5c7be78642f3713ec40543df0ee54b0fce2a55f7ec3de9b8b4f8bdf88444e1b1540712c2a95f57da52d9a960cb9a51605cd119285b915e2865a98cd3e8a9567363061e521b19e6df23a5cecfcbb5f64f0d0af48931a8802f1f6a9a6f1f159a1ce0d9922350be633a8effb4c572cfb8d53c13852623ada6a8d2116728428926b45d0f27f5028f29d5d0ef1cd5a76f2d8a74f6fff2ba460153731ece649423e226aecdea6868ac177492be9ffae500ff0dc5945f5c9a24e06dda746673a3c609c3ec9949a7f46df1c88008abc89652d3a1263303f6be7dbbb8f907ff828501934399cee7ca4dc80812c81fec9a349831d8b8e3c4c69e4de4946cdfe9daab9e11da58e1e3e8f62a8217fe5284e950575bd29e90a523303e77bb72be003b3b46fe3d444443df06a5d31f59da5ca0db721939db8059aae44e8ed515ef1cb55a7f9f3a9ac1dfb71a4d590858a91c97672d2dc814b0ef02352780525e5fe51a20df879a5d61d8dc5a2661fd3844c1f167b7b20d39d4b890fc2e466b3309becc84943c1cc5279f7225bec084cacec80a282f0d8af4b0ffce7a34c1ff9c7adbbf9e3ae5fe8c84d7136226268dad88b7ec0d34340d71b4b7b18d3cd7c45d80d81960dc25a59c6c99cbdf11e59cd31851a36c5137684d5574a00f760a4d4fa895956f10b5dcffa4053d3c38b97a87415d04a4f1507793826940b4f50033c78e524a99cf244af0777cf2bb4701c2e0be5d44a42eed95f4a373f97ef83a83799e78a505c0fc6787f2628137208260a9fd50c7d1addcd7a7ad6294d951d8ac5f29daf7674d6288172c12f76872b5c973f4ce4f14ca5f8f9acadeaf1aca598f9caae4ce121459e264702f8f75d530ef35953090ca5de8a42a23e9b63773c2460082ebd6115de864ca2ed0752c7cf507ffc2c549df4c25150cd0895788ad154bdf91651fcc9ae8e072638f5e5565909013ab660e1d156453c196bb6c01f7184d5d349bb1a178d33d11b854bda338f13d3bc47e1d7bd8fe25faccf8153a90ff25058cccd4f69cf2a70862cd911750a26100abedc9970b2d2e14aba36989f45373e6012c8cca882e326a39e984f7c0fde8fb68015573108e6e5435a10028df691a689f081a13e1d6b42c73f5c63fe3fab638b3fd8607a3f2710874b1c34329eef35501138cdee99ad4d890a6ee6caa0ab6774c3dcb04d1e1a303a1a6b702bda787cd8dab4b91565fddda64e0e3a2a19e439a29e0681a6d2748c2d5e9ec08aad3e81eed9b9459a11c9866a55d7f24badd3f9bba593f20fae7bf9d7a67f922f89f79a5c4438df634c27e88fb74f93ffbba39b8047a8dc1d7e39da1a7438dceebf4717ef4bb8e3e2abb4906f0cdb788c24f972ad2ef91aae42f9d55e42c532bded65b6d5e971b1de6645351661cdd196420c3e4a9f23378f6b98c3c36b97dc7f8ad8777d2026f761533a00e4ecb6b6e8eb4950e108be611429cd726dda3a7e18da38ba9f16b33ae0634c3c1395844e7c1c2bc7707c26dafc8caaa89288809b5f4c04e4795d21caf59ca58af1aaa19b7e4c25c67a7f2028f772a426808f571c33389fed3fba9466f920a2e76550360360fc32a6ec9b4504259efe46a5f77da32df0f5a75e77cb23bc73e9245ef7c6a3be9066c13571ed2e459fe204461affc7547801207a942ef19756470f1778b420989d4cfa0356cf3cb01114bdbf661f280800ec28bbe717a487997c0ed5857236276170d2248172f226a112924305173a876914d57ab92b1d8cf5c351b405eb725cd6cebd7699d905bea5e16e56d7f483ae981eba7916d9094a52e63cb9e56e4ad2cd40bddae9b54a1dd9b675922a3eec9ea3770f2cf4f75aa7cd1fbe4398284e8c3aa9e4e9b2ae157df52a511a3d08199f71c0d66483371c138df44652ddc289a2f1e0a5b31de38e53ba3c1c9efd05593a06e541593e0169f6d5a74d93ee47b93399ef8a584dc1c6727f2628977304270a8fff0c5329f3fe5bab34679f3004e560a1d97db9d992724521351a618dd1f981adb19a658addbb466c333668602ec9f4aa52f1f4a1ae999b3e7719d30a7b3adbeebfa51fe18c49f009a33274e62f567b3f239fff885c2c3c8cef0eb40117b6406d30d9ee8db4f9eb5e5034cb62afcb17b8b7e090414516d2f682a31cf0015469c93649edd1b24d98d9b1426ed03d45112a86f56ea9391e12873177ee245795c7c99399c04e5704c871682ad1f57e552b359c960cfabd5ae2f2b0af17773b2b687026dff4885b3df79da40dfb5258c1c299befa1552bd0eeac5535a03cc185e8f04d8b54ee2c4b17d6d2ad661453621ed11ba71e1d1b58e6e5c39036	eafeaede0846e113be2b5deee22d336d_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{E9EEA727-DBB9E38B-5EBAD27A-1236B359}\ = 53c8b017bb84d5caef28b415fa9084687e3345bee08573100e55ab5ce91ab7674d1d081893e566336df6abf2893ef34479cfc4d5a0d3ccd1a8539456a05dbc5878e545cfa0d56bef4e35553090b59380697d4cb8ab7ba9be0b3b2ebe8b058980f74dc248a7a882ae89f4880068394f84eab26838f7798d4457f1220f608a3316f9d3bb99f927fb0281c197239deedbd4591ee064aeefea956e13f56e432a6ed1ffa711cd9cd41baf59aa1c91d89cda9b26de3d65c4f0028f572aad56571dad18172752fd59fbe441eec4b480bdf87878bb3d06fbcc81542ce329c1946bdfee9a94df205a5726d2ada96bec2e89cbe8898b0fae0acab1cebbf43930c04e4bcbb6c933efbef5054f4f8a0af6ee329479ec40d6cbe22906907c5ec7248d8fd7b55dffe405902cec576ad2e9ae574a6231f94703629e49e5c8bc2eb94bfbb6f9b2bb368173f73ec245911c6019d5182f23eafe57fba23e173bddc1670fe28aeef74af2c98853c81ef5dabc98b91980e0e5951c6c67f762f2ff7ffafac747f2727fc97a6806d34dee688b0f8e2af476f2bd8e7b54be2d3bd4be90c46c62f5110358d123672ef275ce7c8a074e22cb563153885ee99bd0d9a867d262a619722079e9f82c3889bd30fbb1b93483f1e1b8d407e35d4ed8ab9e2e24ea4d96e81db7d8f2d9811b985ea3db8edeb5e58030760b73f1fec7040d8df414cc5ed4252c0cf537f3fdf9fb037926b8bd03c7a68dccd7b45dbde484b06c4ca3fa436fc77717326655e3cdcdbf04255ea54c3612ca5d32c8db4339fec67cdf8c6ad4274e900de38d3682437e85c583e0d949dcb7db0d66689d6f24cadc305a7bd9be9b841e300f379eb29b801e1a5b191e981b9e1e1a1b191ea45b8ede34650f3c6a47ae228a4fe80a4a090f30f53dffc7052dc0a8ceed2ac82fb66ab2d176938d212b248e9f0aa5693f377a0247f1124f508a2f56d59da3181e67e562c0f10cc875f1cc38f7fdbdc4bbed81e857146211995498af5eb59b4f264aa3af06aa9d6818b5e5f3dc0124384383c6aefd2bf8d1c1630bde4e9ab4274222a0afc8ca28b1ef8c4ae8b1ea3cc885764c8d57cb52d157979d929b9fd99a67df125aa72062911f539a569fad1ab4e6f3b27ec63aa2875e7d1b449ead9b94e1ed13142613add1b42b7faeba357f8c7a0b7fb67a3df9b8047b9f7e1a7ba17e00baaff82a02f1c78c7249872c22f5c0b0b03fc23aaec174584161e8f42c3ea9bb10f9918354b111f39cf6a58d3c54f8ddb81b05e6dc2cd995e4e30ff10a73b77ec245df705acd61cb64916190bf5dc5d803e1fe5c7be78642f3713ec40543df0ee54b0fce2a55f7ec3de9b8b4f8bdf88444e1b1540712c2a95f57da52d9a960cb9a51605cd119285b915e2865a98cd3e8a9567363061e521b19e6df23a5cecfcbb5f64f0d0af48931a8802f1f6a9a6f1f159a1ce0d9922350be633a8effb4c572cfb8d53c13852623ada6a8d2116728428926b45d0f27f5028f29d5d0ef1cd5a76f2d8a74f6fff2ba460153731ece649423e226aecdea6868ac177492be9ffae500ff0dc5945f5c9a24e06dda746673a3c609c3ec9949a7f46df1c88008abc89652d3a1263303f6be7dbbb8f907ff828501934399cee7ca4dc80812c81fec9a349831d8b8e3c4c69e4de4946cdfe9daab9e11da58e1e3e8f62a8217fe5284e950575bd29e90a523303e77bb72be003b3b46fe3d444443df06a5d31f59da5ca0db721939db8059aae44e8ed515ef1cb55a7f9f3a9ac1dfb71a4d590858a91c97672d2dc814b0ef02352780525e5fe51a20df879a5d61d8dc5a2661fd3844c1f167b7b20d39d4b890fc2e466b3309becc84943c1cc5279f7225bec084cacec80a282f0d8af4b0ffce7a34c1ff9c7adbbf9e3ae5fe8c84d7136226268dad88b7ec0d34340d71b4b7b18d3cd7c45d80d81960dc25a59c6c99cbdf11e59cd31851a36c5137684d5574a00f760a4d4fa895956f10b5dcffa4053d3c38b97a87415d04a4f1507793826940b4f50033c78e524a99cf244af0777cf2bb4701c2e0be5d44a42eed95f4a373f97ef83a83799e78a505c0fc6787f2628137208260a9fd50c7d1addcd7a7ad6294d951d8ac5f29daf7674d6288172c12f76872b5c973f4ce4f14ca5f8f9acadeaf1aca598f9caae4ce121459e264702f8f75d530ef35953090ca5de8a42a23e9b63773c2460082ebd6115de864ca2ed0752c7cf507ffc2c549df4c25150cd0895788ad154bdf91651fcc9ae8e072638f5e5565909013ab660e1d156453c196bb6c01f7184d5d349bb1a178d33d11b854bda338f13d3bc47e1d7bd8fe25faccf8153a90ff25058cccd4f69cf2a70862cd911750a26100abedc9970b2d2e14aba36989f45373e6012c8cca882e326a39e984f7c0fde8fb68015573108e6e5435a10028df691a689f081a13e1d6b42c73f5c63fe3fab638b3fd8607a3f2710874b1c34329eef35501138cdee99ad4d890a6ee6caa0ab6774c3dcb04d1e1a303a1a6b702bda787cd8dab4b91565fddda64e0e3a2a19e439a29e0681a6d2748c2d5e9ec08aad3e81eed9b9459a11c9866a55d7f24badd3f9bba593f20fae7bf9d7a67f922f89f79a5c4438df634c27e88fb74f93ffbba39b8047a8dc1d7e39da1a7438dceebf4717ef4bb8e3e2abb4906f0cdb788c24f972ad2ef91aae42f9d55e42c532bded65b6d5e971b1de6645351661cdd196420c3e4a9f23378f6b98c3c36b97dc7f8ad8777d2026f761533a00e4ecb6b6e8eb4950e108be611429cd726dda3a7e18da38ba9f16b33ae0634c3c1395844e7c1c2bc7707c26dafc8caaa89288809b5f4c04e4795d21caf59ca58af1aaa19b7e4c25c67a7f2028f772a426808f571c33389fed3fba9466f920a2e76550360360fc32a6ec9b4504259efe46a5f77da32df0f5a75e77cb23bc73e9245ef7c6a3be9066c13571ed2e459fe204461affc7547801207a942ef19756470f1778b420989d4cfa0356cf3cb01114bdbf661f280800ec28bbe717a487997c0ed5857236276170d2248172f226a112924305173a876914d57ab92b1d8cf5c351b405eb725cd6cebd7699d905bea5e16e56d7f483ae981eba7916d9094a52e63cb9e56e4ad2cd40bddae9b54a1dd9b675922a3eec9ea3770f2cf4f75aa7cd1fbe4398284e8c3aa9e4e9b2ae157df52a511a3d08199f71c0d66483371c138df44652ddc289a2f1e0a5b31de38e53ba3c1c9efd05593a06e541593e0169f6d5a74d93ee47b93399ef8a584dc1c6727f2628977304270a8fff0c5329f3fe5bab34679f3004e560a1d97db9d992724521351a618dd1f981adb19a658addbb466c333668602ec9f4aa52f1f4a1ae999b3e7719d30a7b3adbeebfa51fe18c49f009a33274e62f567b3f239fff885c2c3c8cef0eb40117b6406d30d9ee8db4f9eb5e5034cb62afcb17b8b7e090414516d2f682a31cf0015469c93649edd1b24d98d9b1426ed03d45112a86f56ea9391e12873177ee245795c7c99399c04e5704c871682ad1f57e552b359c960cfabd5ae2f2b0af17773b2b687026dff4885b3df79da40dfb5258c1c299befa1552bd0eeac5535a03cc185e8f04d8b54ee2c4b17d6d2ad661453621ed11ba71e1d1b58e6e5c39036	eafeaede0846e113be2b5deee22d336d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2328	2524	eafeaede0846e113be2b5deee22d336d_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2328	2524	eafeaede0846e113be2b5deee22d336d_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2328	2524	eafeaede0846e113be2b5deee22d336d_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2328	2524	eafeaede0846e113be2b5deee22d336d_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2328	2524	eafeaede0846e113be2b5deee22d336d_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2328	2524	eafeaede0846e113be2b5deee22d336d_JaffaCakes118.exe	30
PID 2328 wrote to memory of 2072	2328	eafeaede0846e113be2b5deee22d336d_JaffaCakes118.exe	31
PID 2328 wrote to memory of 2072	2328	eafeaede0846e113be2b5deee22d336d_JaffaCakes118.exe	31
PID 2328 wrote to memory of 2072	2328	eafeaede0846e113be2b5deee22d336d_JaffaCakes118.exe	31
PID 2328 wrote to memory of 2072	2328	eafeaede0846e113be2b5deee22d336d_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\eafeaede0846e113be2b5deee22d336d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eafeaede0846e113be2b5deee22d336d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\eafeaede0846e113be2b5deee22d336d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\eafeaede0846e113be2b5deee22d336d_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 88
    3⤵
    - Program crash
    PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\PCGWIN32.LI5

Filesize
2KB

MD5
b6d68b6f06d0068483d61f81b610d381

SHA1
dbed8e562a080e11177814bfb65af1718c1351e1

SHA256
498ddab11bc245d105d761e8b1975b54fffbf2323b07af4225845c0bd5987a91

SHA512
37f5a648e9f6a534a080cc2d94bffc354b7316d9c1756a1947ba5ec70b4582679a9199c9d0d57dd62f5877322c4c4be7ef52ad5ce182628fa82757339804052d

Download Submit
memory/2328-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2328-16-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2524-10-0x0000000000400000-0x0000000000B81000-memory.dmp

Filesize
7.5MB

Download
memory/2524-15-0x0000000002500000-0x0000000002C81000-memory.dmp

Filesize
7.5MB

Download
memory/2524-14-0x0000000000400000-0x0000000000B81000-memory.dmp

Filesize
7.5MB

Download

Analysis

Sharing