Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 24-06-2024 17:03
Behavioral task
- behavioral1
  - Sample: 09bf965f2e6c6182342110ec95cbacdd_JaffaCakes118.exe
  - Resource: win7-20240611-en
General
- Target: 09bf965f2e6c6182342110ec95cbacdd_JaffaCakes118.exe
- Size: 2.5MB
- MD5: 09bf965f2e6c6182342110ec95cbacdd
- SHA1: 7dcf765c2a4afc9ed14cc19cdb925f9857748213
- SHA256: d81b25ba955e8ab608e792df5b5ddc3a1c3a3dfc66c8801fa82c456326af597a
- SHA512: 4dec0bcda949aae0409019218690036bec483e340faea4d7c2b8a30218a082c371957ecf193a938acb8ac4e88dec5ebb30c6d61870f218ed979c58837541c018
- SSDEEP: 49152:7pVxXrwHcI9iOe1SfGYo1IiouCpAPcuv3+FwieK6EUhmQudRlS7hChUPH:7RXrw8I9JeaoaioUTv3+FLeKPUhZud7G
Malware Config
- Extracted: gozi
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    2208  b2e.exe
- Loads dropped DLL (5 IoCs)
  Processes:
    pid   process
    2484  09bf965f2e6c6182342110ec95cbacdd_JaffaCakes118.exe
    2484  09bf965f2e6c6182342110ec95cbacdd_JaffaCakes118.exe
    2908  WerFault.exe
    2908  WerFault.exe
    2908  WerFault.exe
- Processes (YARA rule matches):
    resource                                                                     yara_rule
    behavioral1/memory/2484-0-0x0000000000400000-0x00000000006A2000-memory.dmp   upx
    behavioral1/memory/2484-12-0x0000000000400000-0x00000000006A2000-memory.dmp  upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  Processes:
    pid   pid_target  process       target process
    2908  2208        WerFault.exe  b2e.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                        pid   process                                              target process
    PID 2484 wrote to memory of 2208   2484  09bf965f2e6c6182342110ec95cbacdd_JaffaCakes118.exe  b2e.exe
    PID 2484 wrote to memory of 2208   2484  09bf965f2e6c6182342110ec95cbacdd_JaffaCakes118.exe  b2e.exe
    PID 2484 wrote to memory of 2208   2484  09bf965f2e6c6182342110ec95cbacdd_JaffaCakes118.exe  b2e.exe
    PID 2484 wrote to memory of 2208   2484  09bf965f2e6c6182342110ec95cbacdd_JaffaCakes118.exe  b2e.exe
    PID 2208 wrote to memory of 2908   2208  b2e.exe                                              WerFault.exe
    PID 2208 wrote to memory of 2908   2208  b2e.exe                                              WerFault.exe
    PID 2208 wrote to memory of 2908   2208  b2e.exe                                              WerFault.exe
    PID 2208 wrote to memory of 2908   2208  b2e.exe                                              WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\09bf965f2e6c6182342110ec95cbacdd_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09bf965f2e6c6182342110ec95cbacdd_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\CCD.tmp\b2e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\CCD.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\CCD.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\09bf965f2e6c6182342110ec95cbacdd_JaffaCakes118.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 124
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- \Users\Admin\AppData\Local\Temp\CCD.tmp\b2e.exe
  - Filesize: 2.6MB
  - MD5: 333daf1122d0b642a24caf3e35e6c685
  - SHA1: ed051b2e422f8487d166da4461ea9a9bf2ff22ca
  - SHA256: 985645c3ccff912547cf542cb4c5efed1c9254f78ebe96ea4bc2587895c686ac
  - SHA512: 98fec4a769e1499d6eb0717e62b7519df1aead8c27f181d3cd5058bdd548df0b99ce65baae33dcd18f95199f2f5233a0dcfe653a3d4bc05c0b56f23df17d68d1
- memory/2208-13-0x0000000000400000-0x0000000000405000-memory.dmp
  - Filesize: 20KB
- memory/2484-0-0x0000000000400000-0x00000000006A2000-memory.dmp
  - Filesize: 2.6MB
- memory/2484-4-0x0000000000250000-0x0000000000255000-memory.dmp
  - Filesize: 20KB
- memory/2484-12-0x0000000000400000-0x00000000006A2000-memory.dmp
  - Filesize: 2.6MB