Analysis

max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15-05-2024 18:59

Static task: static1 (1 signature)

Behavioral task: behavioral1
Sample: 4793f12ab09ca31973a406b5b7f922d9_JaffaCakes118.dll
Resource: win7-20240221-en
2 signatures
150 seconds
General

Target: 4793f12ab09ca31973a406b5b7f922d9_JaffaCakes118.dll
Size: 239KB
MD5: 4793f12ab09ca31973a406b5b7f922d9
SHA1: 5c67cc128cf3ebc18b4cf3e68572915bcee75f73
SHA256: 86c04f8984f540bce436da84987705137a3efb548fc46ec4b28db62be7548934
SHA512: 947d31acd7d818922c395fee969cb1516c8ef43582446d8349c71ad450ccd6fb115d42be6f0a42d5783bd2d539b63b2874d86bfff94088f6cf6352181214ca05
SSDEEP: 3072:E9jW9lCztEjPEUEz5od5csjgDOQNp4Mk/58Xs3gxA33K3HaisqYa7m7/1lx57eDi:E9LR4PEz5owqBExu6DWK0a7C7eDi
Malware Config

Extracted
Family: gozi
rsa_pubkey.plain

Extracted
Family: gozi
Botnet: 200
C2: samesupretendedpretended.ru
Attributes:
  exe_type: loader
  server_id: 12
rsa_pubkey.plain
serpent.plain
Signatures

Suspicious use of WriteProcessMemory (7 IoCs)
Processes: rundll32.exe

description                       pid   process       target process
PID 2872 wrote to memory of 2920  2872  rundll32.exe  rundll32.exe
PID 2872 wrote to memory of 2920  2872  rundll32.exe  rundll32.exe
PID 2872 wrote to memory of 2920  2872  rundll32.exe  rundll32.exe
PID 2872 wrote to memory of 2920  2872  rundll32.exe  rundll32.exe
PID 2872 wrote to memory of 2920  2872  rundll32.exe  rundll32.exe
PID 2872 wrote to memory of 2920  2872  rundll32.exe  rundll32.exe
PID 2872 wrote to memory of 2920  2872  rundll32.exe  rundll32.exe
Processes

1. C:\Windows\system32\rundll32.exe (PID 2872)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4793f12ab09ca31973a406b5b7f922d9_JaffaCakes118.dll,#1
   Signature: Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 2920), child of PID 2872
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4793f12ab09ca31973a406b5b7f922d9_JaffaCakes118.dll,#1