Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 03-07-2024 05:04
Behavioral task: behavioral1
Sample: 212947bf3797326e027c6ba76356ebf6_JaffaCakes118.exe
Resource: win7-20240611-en
General
- Target: 212947bf3797326e027c6ba76356ebf6_JaffaCakes118.exe
- Size: 8KB
- MD5: 212947bf3797326e027c6ba76356ebf6
- SHA1: dff9beaaefe15398ded22a2befe31b77681c69d2
- SHA256: 40aacba65706b2398ec6f8e3eaac2581fc6a69e7cc6eea1f212d91a134c37255
- SHA512: d8b9e402ff1640d02d7625e6a4ae4d75572c00089f285529fbd4a21f54006d3349d8afa71b8271ab9f9ec57bc9aab170a591b425a52618e75c37d36b13f981c5
- SSDEEP: 192:+sDSsYDbDioaBtrl/qtM37yx985FaNJhLkwcud2DH9VwGfctlyO:VcpaBtBy63mxuvaNJawcudoD7Ur
Malware Config
Extracted: gozi
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  pid   process
  2064  b2e.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid   process
  2020  212947bf3797326e027c6ba76356ebf6_JaffaCakes118.exe
  2020  212947bf3797326e027c6ba76356ebf6_JaffaCakes118.exe
-
  Processes:
  resource                                                                     yara_rule
  behavioral1/memory/2020-0-0x0000000000400000-0x000000000040A000-memory.dmp   upx
  behavioral1/memory/2020-12-0x0000000000400000-0x000000000040A000-memory.dmp  upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description                       pid   process                                              target process
  PID 2020 wrote to memory of 2064  2020  212947bf3797326e027c6ba76356ebf6_JaffaCakes118.exe  b2e.exe
  PID 2020 wrote to memory of 2064  2020  212947bf3797326e027c6ba76356ebf6_JaffaCakes118.exe  b2e.exe
  PID 2020 wrote to memory of 2064  2020  212947bf3797326e027c6ba76356ebf6_JaffaCakes118.exe  b2e.exe
  PID 2020 wrote to memory of 2064  2020  212947bf3797326e027c6ba76356ebf6_JaffaCakes118.exe  b2e.exe
  PID 2064 wrote to memory of 3004  2064  b2e.exe                                              cmd.exe
  PID 2064 wrote to memory of 3004  2064  b2e.exe                                              cmd.exe
  PID 2064 wrote to memory of 3004  2064  b2e.exe                                              cmd.exe
  PID 2064 wrote to memory of 3004  2064  b2e.exe                                              cmd.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\212947bf3797326e027c6ba76356ebf6_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\212947bf3797326e027c6ba76356ebf6_JaffaCakes118.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\EC0.tmp\b2e.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\EC0.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\EC0.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\212947bf3797326e027c6ba76356ebf6_JaffaCakes118.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\F7B.tmp\batchfile.bat" "
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\F7B.tmp\batchfile.bat
  Filesize: 317B
  MD5: 444c926512b905d8da2ebf3f478e95e1
  SHA1: 136df8ecd76f6d96cfb514e4f5430189e853606c
  SHA256: a1c81daa113fcace6123766ec73bbaed33abffcd4500f28694a44c22a978ef73
  SHA512: be8f2e0bc91782730386b632100718ffc48e1cbcb5b7df637f6a3e513294cf137a5c39a0735ce7f816999144876172f6ed785c8543ac0a93d4231cf37e34044a
- \Users\Admin\AppData\Local\Temp\EC0.tmp\b2e.exe
  Filesize: 8KB
  MD5: 24ba1b91bbcbdeaac7a08b5b512466da
  SHA1: 3fba10164cf6a85c8ae52d0d62715f81c0d6dfa2
  SHA256: 6c8fa5424c1e6c89160253c3d41912e772b6f85c123ed128ea053ae85f6c4f16
  SHA512: b83aa10dc37306294c9bac82afef812530dbbe65f5dc9e5ecc577e2186b34041450f503765d25b165519b8a8901678bbd8c9b63607e7972046efe72289b76b46
- memory/2020-0-0x0000000000400000-0x000000000040A000-memory.dmp
  Filesize: 40KB
- memory/2020-5-0x00000000002D0000-0x00000000002D5000-memory.dmp
  Filesize: 20KB
- memory/2020-12-0x0000000000400000-0x000000000040A000-memory.dmp
  Filesize: 40KB
- memory/2064-13-0x0000000000400000-0x0000000000405000-memory.dmp
  Filesize: 20KB
- memory/2064-30-0x0000000000400000-0x0000000000405000-memory.dmp
  Filesize: 20KB