Analysis
-
max time kernel
141s
-
max time network
121s
-
platform
windows7_x64
-
resource
win7-20240221-en
-
resource tags
arch:x64
arch:x86
image:win7-20240221-en
locale:en-us
os:windows7-x64
system
-
submitted
10-04-2024 12:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
eb19d6504abbde76b67b22ee8564dddb_JaffaCakes118.dll
Resource
win7-20240221-en
windows7-x64
2 signatures
150 seconds
General
-
Target
eb19d6504abbde76b67b22ee8564dddb_JaffaCakes118.dll
-
Size
461KB
-
MD5
eb19d6504abbde76b67b22ee8564dddb
-
SHA1
b583fe36a47495557a6708eb6bcc02d63d101f02
-
SHA256
e2ee5e490c9675415df0fea69affe1b63febb6ca886e69997e106eca9b106d1d
-
SHA512
cdec8cfbd48f92568a445c775768f1af775593d1ada1ba3528a7767f3af50a6665008d5210260db9331bda3b63c15ea9d4c707fb764cb2f75d1de2cc9ff2b6f0
-
SSDEEP
12288:mxIkdQI90tC1o4isB/QD3Jv58kEPGxU3aV+2d:5pI90k3isB/Q1mZ73a42
Malware Config
Extracted
Family
gozi
Extracted
Family
gozi
Botnet
1500
C2
gtr.antoinfer.com
app.bighomegl.at
Attributes
-
build
250211
-
exe_type
loader
-
server_id
580
rsa_pubkey.plain
aes.plain
Signatures
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exe
description                        | pid  | process      | target process
PID 2852 wrote to memory of 2744   | 2852 | rundll32.exe | rundll32.exe
PID 2852 wrote to memory of 2744   | 2852 | rundll32.exe | rundll32.exe
PID 2852 wrote to memory of 2744   | 2852 | rundll32.exe | rundll32.exe
PID 2852 wrote to memory of 2744   | 2852 | rundll32.exe | rundll32.exe
PID 2852 wrote to memory of 2744   | 2852 | rundll32.exe | rundll32.exe
PID 2852 wrote to memory of 2744   | 2852 | rundll32.exe | rundll32.exe
PID 2852 wrote to memory of 2744   | 2852 | rundll32.exe | rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\eb19d6504abbde76b67b22ee8564dddb_JaffaCakes118.dll,#1
- Suspicious use of WriteProcessMemory
PID:2852
-
  C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\eb19d6504abbde76b67b22ee8564dddb_JaffaCakes118.dll,#1
  PID:2744