General
- Target: 1c4ed93e152e93cfecac0871341349c8_JaffaCakes118
- Size: 300KB
- Sample: 241007-jl9nysxhmd
- MD5: 1c4ed93e152e93cfecac0871341349c8
- SHA1: 4abf656619a854fcfc71074973476af31059a63f
- SHA256: d15fb20a7df2aab845ef54a0e45771fcf1ec96365a4e067d3871d299dd3ae628
- SHA512: 6524390e5cd8968953ebd59cd630ff696e651071d5b7e43f77b1f3c8eb7b10c9c048ff77ce434dc93e47e09447d9328dc4ad295f77dd12abc9092d30f2cc6ca5
- SSDEEP: 6144:aa+iFt8DQxjQ6oyeKSgb0HAwM/Kv97VNntEjOaBiJuMI/cyhlWr6FOo:aa+iFt8DQxU6NPSpgv/ApGDBiJuMI/3w
Static task: static1
Behavioral task: behavioral1
Sample: 1c4ed93e152e93cfecac0871341349c8_JaffaCakes118.exe
Resource: win7-20240903-en
Malware Config
Extracted: gozi
1100
- build: 214734
- exe_type: worker
- server_id: 110
Targets
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext