Analysis
max time kernel: 130s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-06-2024 11:03
Behavioral task: behavioral1
Sample: 15c322e957e74d68ba7fb5a06fa8c2da_JaffaCakes118.exe
Resource: win7-20240611-en
General
Target: 15c322e957e74d68ba7fb5a06fa8c2da_JaffaCakes118.exe
Size: 8KB
MD5: 15c322e957e74d68ba7fb5a06fa8c2da
SHA1: 67ea1c9321ec07c01332c35a982c76380a94b69c
SHA256: 13bafa194263261f954f57d6a9d29f89f515faf8c30467e0a7287cec25ed665e
SHA512: 9a9cbe001d04d7c242107eecd8747281afc5b6319fbc14c8294c537257ce77d27db1ac5b080106675ba3e1cdb338dde2af27e743cfe18068cd8f048875c774f7
SSDEEP: 192:+sJZQFOq5VcchzIUbBFaNJhLkwcud2DH9VwGfctl3O:ZXWOq5+chEK3aNJawcudoD7US
Malware Config
Extracted
gozi
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry (the GeoID stored under the user's Control Panel\International\Geo\Nation value); this is a common geofence check used to decide whether to run on a machine in a given region.
Processes: 15c322e957e74d68ba7fb5a06fa8c2da_JaffaCakes118.exe, b2e.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | 15c322e957e74d68ba7fb5a06fa8c2da_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | b2e.exe

Executes dropped EXE (1 IoC)
pid | process
396 | b2e.exe

UPX packed file (yara rule upx matched, 2 IoCs)
resource | yara_rule
behavioral2/memory/4380-0-0x0000000000400000-0x000000000040A000-memory.dmp | upx
behavioral2/memory/4380-11-0x0000000000400000-0x000000000040A000-memory.dmp | upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 15c322e957e74d68ba7fb5a06fa8c2da_JaffaCakes118.exe, b2e.exe
description | pid | process | target process
PID 4380 wrote to memory of 396 | 4380 | 15c322e957e74d68ba7fb5a06fa8c2da_JaffaCakes118.exe | b2e.exe
PID 4380 wrote to memory of 396 | 4380 | 15c322e957e74d68ba7fb5a06fa8c2da_JaffaCakes118.exe | b2e.exe
PID 4380 wrote to memory of 396 | 4380 | 15c322e957e74d68ba7fb5a06fa8c2da_JaffaCakes118.exe | b2e.exe
PID 396 wrote to memory of 3796 | 396 | b2e.exe | cmd.exe
PID 396 wrote to memory of 3796 | 396 | b2e.exe | cmd.exe
PID 396 wrote to memory of 3796 | 396 | b2e.exe | cmd.exe
PID 396 wrote to memory of 2880 | 396 | b2e.exe | cmd.exe
PID 396 wrote to memory of 2880 | 396 | b2e.exe | cmd.exe
PID 396 wrote to memory of 2880 | 396 | b2e.exe | cmd.exe
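The two signature tables above (the registry lookups and the WriteProcessMemory rows) are what an analyst actually uses to reconstruct what happened: which process spawned which, and which of them performed the geofence lookup. The script below is an added example for this write-up, not part of the sandbox report or of any Triage tooling; it embeds the rows copied from the two tables as constructed input, deduplicates the repeated WriteProcessMemory rows into per-edge call counts, and renders the process tree with the Geo\Nation lookup flagged per process. The row grammar it parses is assumed from the rows as they appear on this page.

```python
"""Rebuild the process tree and per-process geofence IoCs from the flattened
Triage signature tables. Added example for this write-up, not part of the
sandbox report or the Triage tooling; the input rows are copied from the
report's tables and embedded here as constructed input."""
import re
from collections import defaultdict

# Constructed input: rows copied from the "Suspicious use of WriteProcessMemory"
# table. Triage emits one row per call, so identical rows repeat.
WPM_ROWS = """
PID 4380 wrote to memory of 396 4380 15c322e957e74d68ba7fb5a06fa8c2da_JaffaCakes118.exe b2e.exe
PID 4380 wrote to memory of 396 4380 15c322e957e74d68ba7fb5a06fa8c2da_JaffaCakes118.exe b2e.exe
PID 4380 wrote to memory of 396 4380 15c322e957e74d68ba7fb5a06fa8c2da_JaffaCakes118.exe b2e.exe
PID 396 wrote to memory of 3796 396 b2e.exe cmd.exe
PID 396 wrote to memory of 3796 396 b2e.exe cmd.exe
PID 396 wrote to memory of 3796 396 b2e.exe cmd.exe
PID 396 wrote to memory of 2880 396 b2e.exe cmd.exe
PID 396 wrote to memory of 2880 396 b2e.exe cmd.exe
PID 396 wrote to memory of 2880 396 b2e.exe cmd.exe
"""

# Constructed input: rows copied from the "Checks computer location settings" table.
GEO_ROWS = r"""
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation 15c322e957e74d68ba7fb5a06fa8c2da_JaffaCakes118.exe
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation b2e.exe
"""

# Row grammar assumed from the rows on this page: "PID <src> wrote to memory of <dst> <src> <srcname> <dstname>"
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)$")
# The registry path contains spaces ("Control Panel"), so match lazily up to the final token.
GEO_RE = re.compile(r"^Key value queried (.+?) (\S+)$")
GEO_KEY = r"\Control Panel\International\Geo\Nation"


def parse_wpm(text):
    """Collapse repeated rows into {(src_pid, dst_pid): (src_name, dst_name, calls)}."""
    edges = {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst, src_pid_col, src_name, dst_name = m.groups()
        if src != src_pid_col:  # the 'pid' column must agree with the 'PID' prefix
            raise ValueError(f"inconsistent row: {line!r}")
        key = (int(src), int(dst))
        prev = edges.get(key)
        edges[key] = (src_name, dst_name, (prev[2] if prev else 0) + 1)
    return edges


def parse_geo(text):
    """Names of processes that read the user's Geo\\Nation value (the configured
    country GeoID), i.e. the candidates for a geofence check."""
    found = set()
    for line in text.splitlines():
        m = GEO_RE.match(line.strip())
        if m and m.group(1).endswith(GEO_KEY):
            found.add(m.group(2))
    return found


def build_tree(edges):
    """Return (root_pids, children, names); children[pid] -> [(child_pid, calls)]."""
    children, names = defaultdict(list), {}
    for (src, dst), (src_name, dst_name, calls) in edges.items():
        children[src].append((dst, calls))
        names[src], names[dst] = src_name, dst_name
    targets = {dst for _, dst in edges}
    roots = [pid for pid in names if pid not in targets]
    return roots, children, names


def render_tree(wpm_text, geo_text):
    """Indented process tree, one line per process, with the geofence lookup flagged."""
    roots, children, names = build_tree(parse_wpm(wpm_text))
    geo = parse_geo(geo_text)
    out = []

    def walk(pid, depth, calls):
        via = f", {calls} WriteProcessMemory calls from parent" if calls else ""
        flag = "  [reads Geo\\Nation]" if names[pid] in geo else ""
        out.append(f"{'    ' * depth}{names[pid]} (pid {pid}{via}){flag}")
        for child, n in sorted(children[pid]):
            walk(child, depth + 1, n)

    for root in sorted(roots):
        walk(root, 0, 0)
    return out


if __name__ == "__main__":
    print("\n".join(render_tree(WPM_ROWS, GEO_ROWS)))
```

The three identical rows per edge are kept as a count rather than dropped, because the number of writes into a freshly created child is itself a signal (three writes per CreateProcess is the pattern seen here for every edge, which is consistent with ordinary process creation rather than injection into an unrelated process). Both the dropper and the dropped b2e.exe are flagged for the Geo\Nation read, matching the two IoCs in the table.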
Processes
1. C:\Users\Admin\AppData\Local\Temp\15c322e957e74d68ba7fb5a06fa8c2da_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\15c322e957e74d68ba7fb5a06fa8c2da_JaffaCakes118.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\276E.tmp\b2e.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\276E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\276E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\15c322e957e74d68ba7fb5a06fa8c2da_JaffaCakes118.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\27FA.tmp\batfile.bat" "
      3. C:\Windows\SysWOW64\cmd.exe
         command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\276E.tmp\b2e.exe
Filesize: 8KB
MD5: 07c281da32f3b5d09ede7735a50543c4
SHA1: 2c419eba3e2d8a73b8e40ef56d61a08700f2b03b
SHA256: edd19019911dab46f1a6925a6246f41ca67a66c48c143e9d53fef797719712fe
SHA512: 179ecc29cde5f4d7ca363c65981697a7698da27e3b31690f92f2e3bf4d35a493bbc0cde195d9d67517a6fd8dfb7c462397bb81d54823284bf0ee9ac5c85fdd15

C:\Users\Admin\AppData\Local\Temp\27FA.tmp\batfile.bat
Filesize: 94B
MD5: 0fc8c95d090d58b2cb9c2ad0e26132e4
SHA1: 14199fdc66d24d4cb8c07d8df4b341c5ba0130e3
SHA256: 6c08a607c6ff07db1cbe4f72123e6250a35f0a45f29f586ef558551b4708b2e6
SHA512: 7b2c88a83dd8b2b13fdf1645fc5f791798414e4c2d457cbe61b0ce63c23143c0c698ef3a7e44d82e8eca282995e0f9c493913e0b4c91220b16ac062847238942

C:\Users\Admin\AppData\Local\Temp\selfdel0.bat
Filesize: 158B
MD5: e861162804e52aceaec102e50cb70013
SHA1: 3f1484573809c83682bae12072c05d5fb73d9059
SHA256: 6d54fcac43d9426703ead9495fc461d32a21d6898be4c04866fb362c03ae7581
SHA512: a841a309eb48e9dd3987e744bc1c35de33e9665a14ed180b0b8cbbfe6a2f261b95aaa1336ccde83dfe5882bc5b77d4f929be0016f594cd5b3b4439465caef189

memory/396-12-0x0000000000400000-0x0000000000405000-memory.dmp
Filesize: 20KB

memory/396-19-0x0000000000400000-0x0000000000405000-memory.dmp
Filesize: 20KB

memory/4380-0-0x0000000000400000-0x000000000040A000-memory.dmp
Filesize: 40KB

memory/4380-11-0x0000000000400000-0x000000000040A000-memory.dmp
Filesize: 40KB