Behavioral task behavioral1
  Sample: 960a14f61af3e94c0702736f097dab03_JaffaCakes118.dll
  Resource: win7-20240508-en
Behavioral task behavioral2
  Sample: 960a14f61af3e94c0702736f097dab03_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
  Target: 960a14f61af3e94c0702736f097dab03_JaffaCakes118
  Size: 277KB
  MD5: 960a14f61af3e94c0702736f097dab03
  SHA1: 0f0d1e38b522de60976a229872d7691cd1288f73
  SHA256: 9801ea6ea41220f101cbeca1cd3a2bbb033ccb9f04b3e121b62c47b2cb4112cc
  SHA512: 500df57c19673f93039341f697ac9e93e17e659b225e9736d496b7dfa7248e7f014add640ebbb22e07a45db779181db82f36f92a7ab20a6ab95cd79c6cd9a10a
  SSDEEP: 6144:7RWLJJp6tgWJLsnp5TlovshucMRuDdIGptJqlalRtNwh8zGd34:IFJeCTTc8uyiGptJqglfNwhRI
Malware Config
  Extracted: gozi
    2002
    test1.ru
    dga_base_url: opensource.apple.com/source/Security/Security-29/SecureTransport/LICENSE.txt?txt
    dga_crc: 0x6f0b167a
    exe_type: worker
    server_id: 12
Signatures
  Gozi family
  Unsigned PE (1 IoC)
    Checks for missing Authenticode signature.
    Processes: resource 960a14f61af3e94c0702736f097dab03_JaffaCakes118
Files
  960a14f61af3e94c0702736f097dab03_JaffaCakes118.dll windows:5 windows x86 arch:x86
  527bab13e4997ee22e4b4c8fed77c0bb
Headers
  File Characteristics: IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_DLL
Imports
  ntdll: sscanf, _memicmp, strncpy, memmove, memcmp, RtlRandomEx, ZwQueryInformationToken, ZwOpenProcess,
    ZwOpenProcessToken, strcpy, ZwQueryInformationProcess, NtQuerySystemInformation, NtCreateSection, ZwClose,
    RtlNtStatusToDosError, NtMapViewOfSection, memcpy, _snprintf, _wcsupr, _strupr, wcscpy, memset, ZwQueryKey,
    RtlFreeUnicodeString, RtlUpcaseUnicodeString, wcstombs, RtlImageNtHeader, RtlAdjustPrivilege, mbstowcs, strstr,
    isxdigit, NtUnmapViewOfSection, sprintf, _allmul, _aulldiv, _allshl, _alldiv, _chkstk, RtlUnwind,
    NtQueryVirtualMemory
  kernel32: SetFilePointerEx, SystemTimeToTzSpecificLocalTime, TerminateThread, IsBadReadPtr, QueueUserWorkItem,
    FileTimeToLocalFileTime, SystemTimeToFileTime, GetModuleFileNameA, GetLocalTime, GetModuleFileNameW, CreateFileA,
    lstrlenA, HeapAlloc, HeapFree, WriteFile, lstrcatA, CreateDirectoryA, GetLastError, RemoveDirectoryA, LoadLibraryA,
    CloseHandle, DeleteFileA, lstrcpyA, HeapReAlloc, InterlockedIncrement, InterlockedDecrement, SetEvent, GetTickCount,
    HeapDestroy, HeapCreate, SetWaitableTimer, CreateDirectoryW, GetCurrentThread, GetSystemTimeAsFileTime,
    GetWindowsDirectoryA, OpenProcess, Sleep, CopyFileW, CreateEventA, CreateFileW, lstrlenW, InterlockedExchange,
    GetModuleHandleA, lstrcatW, GetCurrentThreadId, DuplicateHandle, DeleteFileW, GetTempPathA, SuspendThread,
    ResumeThread, lstrcpyW, CreateThread, SwitchToThread, lstrcmpA, MapViewOfFile, UnmapViewOfFile, WaitForSingleObject,
    LeaveCriticalSection, SetLastError, lstrcmpiA, EnterCriticalSection, OpenWaitableTimerA, OpenMutexA,
    WaitForMultipleObjects, CreateMutexA, GetComputerNameW, CreateWaitableTimerA, GetSystemTime,
    InitializeCriticalSection, UnregisterWait, TlsGetValue, LoadLibraryExW, TlsSetValue, VirtualAlloc,
    RegisterWaitForSingleObject, VirtualProtect, TlsAlloc, GetProcAddress, GetFileSize, GetDriveTypeW,
    GetLogicalDriveStringsW, WideCharToMultiByte, GetExitCodeProcess, CreateProcessA, CreateFileMappingA,
    OpenFileMappingA, LocalFree, lstrcpynA, GlobalLock, GlobalUnlock, Thread32First, Thread32Next, QueueUserAPC,
    OpenThread, FileTimeToSystemTime, CallNamedPipeA, WaitNamedPipeA, ConnectNamedPipe, ReadFile, GetOverlappedResult,
    DisconnectNamedPipe, FlushFileBuffers, CreateNamedPipeA, CancelIo, RemoveVectoredExceptionHandler, SleepEx,
    AddVectoredExceptionHandler, OpenEventA, LocalAlloc, FreeLibrary, RaiseException, VirtualFree, GetCurrentProcessId,
    GetVersion, DeleteCriticalSection, ExpandEnvironmentStringsW, FindNextFileW, RemoveDirectoryW, FindClose,
    GetTempFileNameA, GetFileAttributesW, SetEndOfFile, SetFilePointer, FindFirstFileW, VirtualProtectEx, ResetEvent,
    lstrcmpiW, ReleaseMutex, CreateToolhelp32Snapshot
  iphlpapi: GetAdaptersAddresses, GetIpAddrTable, GetBestRoute
  oleaut32: VariantInit, VariantClear, SysAllocString, SysFreeString
Sections
  .text   Size: 230KB - Virtual size: 230KB  Flags: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
  .rdata  Size: 22KB - Virtual size: 21KB    Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
  .data   Size: 4KB - Virtual size: 5KB      Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  .bss    Size: 6KB - Virtual size: 6KB      Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  .reloc  Size: 13KB - Virtual size: 16KB    Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ