General
Target: 3ba3d648ca74d5bd772f483c4a9d22fd_JaffaCakes118
Size: 764KB
Sample: 240512-xsl35aef56
MD5: 3ba3d648ca74d5bd772f483c4a9d22fd
SHA1: c2de8076341421ddbc42dce2421b55eef65cf7c4
SHA256: dcf378c464b7206e115e6ca75db611d0139eac32efe516843f30e8f7081c6b4a
SHA512: 956449e72ba7599ba28b71b9ac9ebbe0e8086953f5290e5394b3c299878841d1aabbb4364675b8352815508f0c8d40796542eb8c15b242349611230de14cf613
SSDEEP: 12288:1g85EoktIBKProGyVqaybmLp9N2dWELilk1EdKdf1t+dNyysAtqzq3GLX+X4Dg:e8J6dProG+qayC12PLmDdqf2doys4qG3
Behavioral task: behavioral1
Sample: cav3cab.dll
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: cav3cab.dll
Resource: win10v2004-20240508-en

Behavioral task: behavioral3
Sample: info_03_03.docm
Resource: win7-20240508-en

Behavioral task: behavioral4
Sample: info_03_03.docm
Resource: win10v2004-20240508-en

Behavioral task: behavioral5
Sample: run.bat
Resource: win7-20231129-en

Behavioral task: behavioral6
Sample: run.bat
Resource: win10v2004-20240426-en
Malware Config
Extracted: gozi
Extracted: gozi
300
http://aaxvkah7dudzoloq.onion
http://lissavets.at
http://tahhir.at
http://limpopo.at
http://estate-advice.at
build: 217107
dga_base_url: constitution.org/usdeclar.txt
dga_crc: 0x4eb7d2ca
dga_season: 10
dga_tlds: com, ru, org
exe_type: worker
server_id: 12
Targets

Target: cav3cab.dll
Size: 1.0MB
MD5: eff6cec9d94195747f5df45c78074f7d
SHA1: fb413fe8d9ea0f9c55e8615de737094cbf4f2d0b
SHA256: 43f843ac28b5d6b36f43e6df9130ee1b2107638c3fce0db982bf83940f946364
SHA512: 7ea6d81b594bc3c1a1bd8bc89f5a3bf3d857b730371f133d7626bf7d085edc5373a4f8eecb030a509598383ebaad8eaeca14f7d8421512d6859b0c0b8e8189a7
SSDEEP: 12288:3W2sluOeKWvMW2r2wL37YzBJSrT352FJTZagJtaKQqBB2Tud4XI53jkheoix:3WhlxeVvr2LYzw352f5wCLTIhix
Signatures:
- Unexpected DNS network traffic destination: network traffic to servers other than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
- Suspicious use of SetThreadContext
Target: info_03_03.doc
Size: 122KB
MD5: c719f640ec5d01d146a7591282160ceb
SHA1: 3bce005dd3e50ef9e0fc884b0d6e9df719b453e8
SHA256: e437d83f688c0d5b7937df9636bdb60756e65e902c1341d4b2b1109f9a7a00d7
SHA512: f88acc7db24feba428b2e30331c618d18af21e7c61c05e2f2f6187cc628f6e38000b20179532b71677824bd1cbd131a104b8bc099f481d7385fcd955da267178
SSDEEP: 1536:fQnmpNwNPXIDtD9BnfEbS9asziTtOJ2WJDGmTTkPEko8WltDrKigmIkLxBIaz+To:fQ6wZbbS9+32KStfKigeU7znMMDXG
Score: 10/10
Signatures:
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
Target: run.bat
Size: 30B
MD5: faf8c0f3b9e854b0cae85850b3576572
SHA1: 26f0f7765b315a8c0de19db80b977aad38c5b120
SHA256: 0e4387c13ff166e8b1001cfd888d1dccd4e24ccf951ed62924a79a5cf56b00b8
SHA512: 56547db51212e5e0e05de3f40101bb69f56e5eab2839165c11679d9210b821188345fbe84be581938d722f0e872752910deab1e96723862af60fe4c7fe1208b3
Score: 3/10