General
Target: 69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118
Size: 586KB
Sample: 240523-gtqvpsfh54
MD5: 69fb0b7092d4f247ac065abc6b06042b
SHA1: 8d8d9b846e2f4624063806291c5875953d67457c
SHA256: 3eec66b77b94ef402c0b11c496df2f27867d0406dc59540d0bfaff4b271ecc2b
SHA512: 4f06d42fed4c033b1d835f0b7fc79450a8432c1168f4232d5534f26ec9bc07f5ed6df0a33736f41849b37be3279d23b0fa2b77dfb68ab92caaab9d3ec33a6b78
SSDEEP: 12288:osiOZO5I+h2gOoIMUUtN5y1iyqTU/zWjdp9fs:+eO5I22lMUUEiyqM+dp9f
Static task: static1
Behavioral task: behavioral1
Sample: 69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118.exe
Resource: win7-20240221-en
Malware Config
Extracted
gozi
1100
cyajon.at/krp3cmg
outaplaceshave.cn/krp3cmg
nozakin.at/krp3cmg
hothegivforsuffer.cn/krp3cmg
austrinok.at/krp3cmg
comerail.su/krp3cmg
ambieko.at/krp3cmg
justiceseasfriends.cn/krp3cmg
semitrol.at/krp3cmg
goinumder.su/krp3cmg
arexan.at/krp3cmg
trepeatedandequal.cn/krp3cmg
golovor.at/krp3cmg
therepalon.su/krp3cmg
creatortherefore.cn/krp3cmg
build: 214798
dga_base_url: constitution.org/usdeclar.txt
dga_crc: 0x4eb7d2ca
exe_type: worker
server_id: 110
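The extracted config above gives fifteen C2 hosts that all share one URI token (krp3cmg) and names the public text (constitution.org/usdeclar.txt) that the DGA derives fallback domains from. The following Python is an added example, not part of the sandbox report or the sample's own code: it normalises the listed values into indicators and runs them over a constructed proxy log, treating the shared path as the stronger pivot because the hosts rotate. The log lines, the "images" path suffix and the unlisted host in them are constructed for the example.

```python
from urllib.parse import urlsplit

# C2 entries and DGA seed URL copied from the extracted config above.
GOZI_C2 = [
    "cyajon.at/krp3cmg", "outaplaceshave.cn/krp3cmg", "nozakin.at/krp3cmg",
    "hothegivforsuffer.cn/krp3cmg", "austrinok.at/krp3cmg", "comerail.su/krp3cmg",
    "ambieko.at/krp3cmg", "justiceseasfriends.cn/krp3cmg", "semitrol.at/krp3cmg",
    "goinumder.su/krp3cmg", "arexan.at/krp3cmg", "trepeatedandequal.cn/krp3cmg",
    "golovor.at/krp3cmg", "therepalon.su/krp3cmg", "creatortherefore.cn/krp3cmg",
]
DGA_BASE_URL = "constitution.org/usdeclar.txt"


def split_entry(entry):
    """Split a scheme-less 'host/path' config entry into (host, '/path')."""
    host, _, path = entry.partition("/")
    return host.lower(), "/" + path


def build_indicators(c2_list, dga_base_url):
    """Normalise the config into sets a log matcher can use."""
    hosts, paths = set(), set()
    for entry in c2_list:
        host, path = split_entry(entry)
        hosts.add(host)
        paths.add(path)
    dga_host, dga_path = split_entry(dga_base_url)
    return {"hosts": hosts, "paths": paths, "dga_host": dga_host, "dga_path": dga_path}


def tld_summary(hosts):
    """Count hosts per TLD, a quick view of which registries the operator favours."""
    counts = {}
    for host in hosts:
        tld = host.rsplit(".", 1)[-1]
        counts[tld] = counts.get(tld, 0) + 1
    return counts


def _path_under(path, prefix):
    # Exact match or a sub-path; avoids matching an unrelated /krp3cmgxyz.
    return path == prefix or path.startswith(prefix + "/")


def classify_request(host, path, ind):
    """Verdict for one request:
    'c2'       host and path both match the config,
    'c2-path'  the shared URI token on a host not in the list (a rotated domain),
    'dga-seed' fetch of the public text the DGA derives domains from,
    None       nothing matched."""
    host = host.lower()
    if host in ind["hosts"] and any(_path_under(path, p) for p in ind["paths"]):
        return "c2"
    if any(_path_under(path, p) for p in ind["paths"]):
        return "c2-path"
    if host == ind["dga_host"] and path == ind["dga_path"]:
        return "dga-seed"
    return None


def scan_proxy_log(text, ind):
    """Parse 'timestamp client method url' lines; return only the hits."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, _method, url = parts
        u = urlsplit(url)
        verdict = classify_request(u.hostname or "", u.path, ind)
        if verdict:
            hits.append((client, u.hostname, verdict))
    return hits


# Constructed sample log (not from the report): one listed C2 host, the DGA seed
# fetch, the shared path on an unlisted host, and one benign request.
SAMPLE_PROXY_LOG = """\
2024-05-23T06:41:02Z 10.0.0.15 GET http://nozakin.at/krp3cmg/images/4yFb.bmp
2024-05-23T06:41:05Z 10.0.0.15 GET http://constitution.org/usdeclar.txt
2024-05-23T06:41:09Z 10.0.0.15 GET http://unlisted-host.example/krp3cmg/
2024-05-23T06:42:00Z 10.0.0.22 GET https://www.example.com/index.html
"""

if __name__ == "__main__":
    indicators = build_indicators(GOZI_C2, DGA_BASE_URL)
    print(tld_summary(indicators["hosts"]))
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, indicators):
        print(hit)
```

The c2-path verdict is kept separate from c2 on purpose: a request carrying /krp3cmg to a host that is not in this config is exactly how a rotated or DGA-generated domain would surface. The fetch of usdeclar.txt on its own is weak evidence, since it is a public document, so treat dga-seed as context for a client that also shows the other behaviours rather than as a standalone alert.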
Targets
Target: 69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118 (586KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
Signatures:
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
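The signature hits above are sandbox observations; how they translate into host-telemetry rules is left implicit. The following Python is an added example, not the sandbox's own rule logic: it encodes each listed behaviour as a rule over a constructed, simplified Sysmon-like event stream and scores the result. The registry key HKCU\Control Panel\International\Geo\Nation, the user-writable directory list, the dropped file names, the rule weights and the event shape are assumptions made for the example; SetThreadContext is modelled as an API-monitor event because Sysmon does not record that call directly.

```python
import re

# Constructed event stream (not from the report). Field names and paths are
# assumptions; real Sysmon/ETW events carry more fields and different names.
SAMPLE_EXE = "69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118.exe"
SAMPLE_PATH = r"C:\Users\user\Desktop" + "\\" + SAMPLE_EXE
DROPPED_EXE = r"C:\Users\user\AppData\Local\Temp\svchost_upd.exe"
DROPPED_DLL = r"C:\Users\user\AppData\Local\Temp\helper.dll"

EVENTS = [
    {"type": "reg_read", "proc": SAMPLE_PATH,
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "proc_create", "proc": SAMPLE_PATH, "image": DROPPED_EXE, "cmdline": DROPPED_EXE},
    {"type": "image_load", "proc": DROPPED_EXE, "image": DROPPED_DLL},
    {"type": "reg_write", "proc": DROPPED_EXE,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost_upd", "data": DROPPED_EXE},
    {"type": "api_call", "proc": DROPPED_EXE, "api": "SetThreadContext",
     "target": r"C:\Windows\System32\svchost.exe"},
    {"type": "proc_create", "proc": SAMPLE_PATH, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del "' + SAMPLE_PATH + '"'},
    # Benign control event: a normal program launch from Program Files.
    {"type": "proc_create", "proc": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Notepad++\notepad++.exe", "cmdline": "notepad++.exe"},
]

# Directories a low-privilege dropper can write to (assumed list for the example).
USER_WRITABLE = re.compile(r"(?i)\\(AppData\\Local\\Temp|ProgramData|Users\\Public)\\")


def rule_geofence(ev):
    # Assumption: the country-code lookup reads the Geo\Nation value.
    return ev["type"] == "reg_read" and ev["key"].lower().endswith(r"\geo\nation")


def rule_executes_dropped_exe(ev):
    return (ev["type"] == "proc_create" and ev["image"].lower().endswith(".exe")
            and USER_WRITABLE.search(ev["image"]) is not None)


def rule_loads_dropped_dll(ev):
    return (ev["type"] == "image_load" and ev["image"].lower().endswith(".dll")
            and USER_WRITABLE.search(ev["image"]) is not None)


def rule_run_key(ev):
    return ev["type"] == "reg_write" and r"\currentversion\run" in ev["key"].lower()


def rule_self_delete(ev):
    # A child shell whose command line deletes the parent's own image path.
    if ev["type"] != "proc_create":
        return False
    cmd = ev.get("cmdline", "").lower()
    return re.search(r"\bdel\b", cmd) is not None and ev["proc"].lower() in cmd


def rule_set_thread_context(ev):
    # Thread context rewrites on another process are the hollowing/injection tell.
    return (ev["type"] == "api_call" and ev["api"] == "SetThreadContext"
            and ev.get("target", ev["proc"]) != ev["proc"])


RULES = [
    ("Checks computer location settings", rule_geofence, 1),
    ("Executes dropped EXE", rule_executes_dropped_exe, 2),
    ("Loads dropped DLL", rule_loads_dropped_dll, 2),
    ("Adds Run key to start application", rule_run_key, 2),
    ("Deletes itself", rule_self_delete, 2),
    ("Suspicious use of SetThreadContext", rule_set_thread_context, 3),
]


def triage(events, threshold=6):
    """Run every rule over every event; return hit signatures, a weighted score
    and a verdict. The weights and threshold are arbitrary example values."""
    hits = {}
    for ev in events:
        for name, rule, _weight in RULES:
            if rule(ev):
                hits.setdefault(name, []).append(ev)
    score = sum(weight for name, _rule, weight in RULES if name in hits)
    if score >= threshold:
        verdict = "malicious"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"signatures": sorted(hits), "score": score, "verdict": verdict}


if __name__ == "__main__":
    print(triage(EVENTS))
```

The combination is what carries weight, not any single rule: a Run-key write plus a binary executed from a temp directory plus SetThreadContext on a different process is the injection-plus-persistence pattern, while each on its own has benign explanations (installers, updaters, debuggers). The geofence read is scored lowest for the same reason; plenty of legitimate software reads locale keys.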