Analysis
- max time kernel: 129s
- max time network: 133s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 02-07-2024 11:25
Behavioral task: behavioral1
- Sample: 1f26e5f9b44c28b37b6cd13283838366_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 1f26e5f9b44c28b37b6cd13283838366_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 1f26e5f9b44c28b37b6cd13283838366_JaffaCakes118.exe
- Size: 416KB
- MD5: 1f26e5f9b44c28b37b6cd13283838366
- SHA1: 272b94c4d1d30dc9478675dd3df4a38029c1113e
- SHA256: 1225de9af9f6b29985e9304fa1056b8c7da036215a5e054c0ff6d7129c91a59f
- SHA512: 3d3d10eb33006de70ffa36a5999b9d6ac2eafdff0a27c313542b34cffdbb8b736b5573ce21bd9778ddd0a825c7a807c64e15bd9d284fa80b316464505267936c
- SSDEEP: 6144:N4IB2aqIOEzOFtXs0ncp2sRAztOf7Yp4jOa9UpU:TBQIsFtXlc4w
Malware Config
- Extracted: gozi
Signatures

Server Software Component: Terminal Services DLL (1 TTPs, 1 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll" | reg.exe

Executes dropped EXE (2 IoCs)
Processes (pid | process):
- 2548 | temp.exe
- 2904 | net.exe

Loads dropped DLL (2 IoCs)
Processes (pid | process):
- 1704 | 1f26e5f9b44c28b37b6cd13283838366_JaffaCakes118.exe
- 3012 | svchost.exe

Drops file in System32 directory (12 IoCs)
Processes (description | ioc | process):
- File opened for modification | C:\Windows\system32\sysprep\Panther\diagwrn.xml | sysprep.exe
- File created | C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll | net.exe
- File created | C:\Windows\SysWOW64\system_t.dll | svchost.exe
- File opened for modification | C:\Windows\SysWOW64\system_t.dll | svchost.exe
- File created | C:\Windows\SysWOW64\enumfs.ini | svchost.exe
- File opened for modification | C:\Windows\SysWOW64\dnlist.ini | svchost.exe
- File opened for modification | C:\Windows\system32\sysprep\Panther\setuperr.log | sysprep.exe
- File opened for modification | C:\Windows\system32\sysprep\Panther\diagerr.xml | sysprep.exe
- File opened for modification | C:\Windows\system32\sysprep\Panther\setupact.log | sysprep.exe
- File created | C:\Windows\SysWOW64\net.bat | net.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | svchost.exe
- File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\nettraveler[1].htm | svchost.exe

Drops file in Windows directory (3 IoCs)
Processes (description | ioc | process):
- File created | C:\Windows\system\config_t.dat | net.exe
- File opened for modification | C:\Windows\system\config_t.dat | net.exe
- File opened for modification | C:\Windows\system\config_t.dat | svchost.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | svchost.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | svchost.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe

Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
Processes (pid | process):
- 1660 | ipconfig.exe

Modifies data under HKEY_USERS (24 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F6BF5F85-1140-4F75-9343-6FEE53099C02}\WpadNetworkName = "Network 3" | svchost.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-e3-83-0f-ea-0b\WpadDecisionTime = 30487db772ccda01 | svchost.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | svchost.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F6BF5F85-1140-4F75-9343-6FEE53099C02}\WpadDecisionReason = "1" | svchost.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F6BF5F85-1140-4F75-9343-6FEE53099C02}\WpadDecision = "0" | svchost.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | svchost.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F6BF5F85-1140-4F75-9343-6FEE53099C02} | svchost.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-e3-83-0f-ea-0b\WpadDecisionReason = "1" | svchost.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-e3-83-0f-ea-0b\WpadDecision = "0" | svchost.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | svchost.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | svchost.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c4000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F6BF5F85-1140-4F75-9343-6FEE53099C02}\WpadDecisionTime = 30487db772ccda01 | svchost.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-e3-83-0f-ea-0b | svchost.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | svchost.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | svchost.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | svchost.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F6BF5F85-1140-4F75-9343-6FEE53099C02}\86-e3-83-0f-ea-0b | svchost.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | svchost.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | svchost.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | svchost.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid | process):
- 2548 | temp.exe
- 3012 | svchost.exe

Suspicious use of WriteProcessMemory (43 IoCs)
Processes (description | pid | process | target process | identical rows):
- PID 1704 wrote to memory of 2548 | 1704 | 1f26e5f9b44c28b37b6cd13283838366_JaffaCakes118.exe | temp.exe | 4
- PID 2548 wrote to memory of 1284 | 2548 | temp.exe | Explorer.EXE | 20
- PID 1284 wrote to memory of 2492 | 1284 | Explorer.EXE | sysprep.exe | 3
- PID 2492 wrote to memory of 2904 | 2492 | sysprep.exe | net.exe | 4
- PID 2904 wrote to memory of 2472 | 2904 | net.exe | cmd.exe | 4
- PID 2472 wrote to memory of 2580 | 2472 | cmd.exe | reg.exe | 4
- PID 3012 wrote to memory of 1660 | 3012 | svchost.exe | ipconfig.exe | 4
Processes
Process tree (bracketed number = nesting level; bullets under each process are the signatures it triggered):
- [1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\1f26e5f9b44c28b37b6cd13283838366_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1f26e5f9b44c28b37b6cd13283838366_JaffaCakes118.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\temp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\temp.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\sysprep\sysprep.exe
    Command line: "C:\Windows\system32\sysprep\sysprep.exe" "C:\Users\Admin\AppData\Local\Temp\net.exe" "C:\Windows\system32" ""
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\net.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\net.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c net.bat
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d C:\Windows\system32\FastUserSwitchingCompatibilityex.dll
          - Server Software Component: Terminal Services DLL
- [1] C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\ipconfig.exe
    Command line: ipconfig /all
    - Gathers network information
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
Dropped files (path, size):
- C:\Users\Admin\AppData\Local\Temp\net.exe (178KB)
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\nettraveler[1].htm (1024B)
- C:\Windows\SysWOW64\dnlist.ini (60B)
- C:\Windows\SysWOW64\enumfs.ini (62B)
- C:\Windows\SysWOW64\net.bat (211B)
- C:\Windows\SysWOW64\system_t.dll (809B)
- C:\Windows\system\config_t.dat (186B)
- \??\c:\windows\SysWOW64\fastuserswitchingcompatibilityex.dll (127KB)
- \Users\Admin\AppData\Local\Temp\temp.exe (86KB)
Memory dumps (region, size):
- memory/1284-28-0x0000000003A00000-0x0000000003A01000-memory.dmp (4KB)
- memory/1284-13-0x0000000002A00000-0x0000000002A01000-memory.dmp (4KB)
- memory/1284-7-0x00000000029B0000-0x00000000029B1000-memory.dmp (4KB)