Analysis

  • max time kernel
    140s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-12-2024 23:45

General

  • Target

    JaffaCakes118_6ca809f6d8f61a99f4717e8f934c90ba419dc4b1e5db7ccedc5b24741972133f.dll

  • Size

    626KB

  • MD5

    2dde17bd6194390875bf27af7a4b125d

  • SHA1

    fd8b1eed36b078cda5eaed254bc8a04708709447

  • SHA256

    6ca809f6d8f61a99f4717e8f934c90ba419dc4b1e5db7ccedc5b24741972133f

  • SHA512

    8ab1be245849ed9320e4e200a716f56e6d590200662bd1cbf375cf1fb88c9206ddcfcdba86d1ea1eab0b5b3a06215c27dbe9ca955be5c0deef25b754bad16eef

  • SSDEEP

    12288:+w1lEKREbddtOYRbHzcPwka1dCjc3N8ZV:+w1lEKOpuYxiwkkgjAN8ZV

Malware Config

Extracted

  • Family
    gozi
  • Botnet
    999
  • C2
    config.edge.skype.com
    146.70.35.138
    146.70.35.142

Attributes

  • base_path
    /phpadmin/
  • build
    250227
  • exe_type
    loader
  • extension
    .src
  • server_id
    50

rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIdG2NVRT4bIwAE0zLT2DTbLDZ
979eMzKPtARqeuvDBcFf2A+4K8FvGS1r/gid2qMVfP9RlPEOv2lwbiYN49dYO+Qr
8W9jU/t6qakm8l85c780VPQBjhOUrKpM+044k5wroz4Vu5OjfJF3j4SRrbe6ea/0
sHXQ+NV6gNEXzbTyDwIDAQAB
-----END PUBLIC KEY-----

aes.plain

1f4DxymshQl48FMz
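The public key above is printed as PEM. To check what it actually contains without pulling in a crypto library, the following Python example (added here; it is not the sandbox's or the malware's code) walks the DER SubjectPublicKeyInfo structure by hand and reports the algorithm OID, modulus size and public exponent. It assumes nothing beyond the key text exactly as printed in the report.

```python
import base64

# The key as printed in the report's rsa_pubkey.plain field (PEM-wrapped SubjectPublicKeyInfo).
RSA_PUBKEY_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIdG2NVRT4bIwAE0zLT2DTbLDZ
979eMzKPtARqeuvDBcFf2A+4K8FvGS1r/gid2qMVfP9RlPEOv2lwbiYN49dYO+Qr
8W9jU/t6qakm8l85c780VPQBjhOUrKpM+044k5wroz4Vu5OjfJF3j4SRrbe6ea/0
sHXQ+NV6gNEXzbTyDwIDAQAB
-----END PUBLIC KEY-----"""

OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body."""
    lines = (line.strip() for line in pem.strip().splitlines())
    body = "".join(line for line in lines if not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def der_read(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value, next_pos). Short and long lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length overruns buffer")
    return tag, buf[pos:end], end


def parse_rsa_spki(der: bytes) -> dict:
    """SubjectPublicKeyInfo -> AlgorithmIdentifier, BIT STRING -> RSAPublicKey(n, e)."""
    tag, spki, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, alg, pos = der_read(spki, 0)
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    oid_tag, oid, _ = der_read(alg, 0)
    if oid_tag != 0x06 or oid != OID_RSA_ENCRYPTION:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = der_read(spki, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("expected BIT STRING with no unused bits")
    tag, rsa_key, _ = der_read(bitstr, 1)          # skip the unused-bits byte
    if tag != 0x30:
        raise ValueError("expected RSAPublicKey SEQUENCE")
    tag_n, n_bytes, pos = der_read(rsa_key, 0)
    tag_e, e_bytes, _ = der_read(rsa_key, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected two INTEGERs (n, e)")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {"algorithm": "rsaEncryption", "modulus": n, "exponent": e, "bits": n.bit_length()}


def summarize(pem: str) -> dict:
    return parse_rsa_spki(pem_to_der(pem))


if __name__ == "__main__":
    info = summarize(RSA_PUBKEY_PEM)
    print(f"{info['algorithm']}, {info['bits']}-bit modulus, e={info['exponent']}")
    print(f"n = {info['modulus']:x}")
```

For this key the walker reports a 1024-bit modulus with exponent 65537. A DER parse tells you the key size and algorithm, not what the loader uses the key for; a public key embedded in a bot can only verify signatures from, or encrypt to, the holder of the private half.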

Signatures

  • Gozi
    Gozi is a well-known and widely distributed banking trojan.
  • Gozi family
  • Blocklisted process makes network request (2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe (PID 4144)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ca809f6d8f61a99f4717e8f934c90ba419dc4b1e5db7ccedc5b24741972133f.dll,#1
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\rundll32.exe (PID 3120, child of 4144)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ca809f6d8f61a99f4717e8f934c90ba419dc4b1e5db7ccedc5b24741972133f.dll,#1
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery

    The sample is a 32-bit DLL (the resource tags list arch:x86) run on a 64-bit image. The 64-bit rundll32.exe in system32 cannot load it and re-launches the 32-bit rundll32.exe from SysWOW64 with the same command line, so the two processes are one execution of export ordinal #1. The network-request signature and the memory dumps listed under Downloads are both attributed to the SysWOW64 process (PID 3120).
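A detection for the pattern in this process tree, as an added Python example (not part of the report): flag a rundll32.exe whose DLL sits in a user-writable directory and is invoked by ordinal export, raise the severity when the same PID makes outbound connections, and recognise the x64 to SysWOW64 re-launch so the two PIDs are reported as one execution. The event records are constructed by me in a simplified Sysmon-like shape (event ID 1 process creation, ID 3 network connection); the parent PID 1234 and the shell32.dll command line are invented for contrast and do not appear in the report.

```python
import re
from collections import defaultdict

# Simplified Sysmon-style records built from the process tree above. Constructed data:
# PID 1234 (parent) and the shell32.dll command line are made up for contrast.
DLL = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ca809f6d8f61a99f4717e8f934c90ba419dc4b1e5db7ccedc5b24741972133f.dll"
EVENTS = [
    {"id": 1, "pid": 4144, "ppid": 1234, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"id": 1, "pid": 3120, "ppid": 4144, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"id": 1, "pid": 5000, "ppid": 1234, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"id": 3, "pid": 3120, "dst": "13.107.42.16", "dport": 80},
    {"id": 3, "pid": 3120, "dst": "146.70.35.138", "dport": 80},
]

USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\",
                 "\\downloads\\", "\\programdata\\")

# [path\]rundll32[.exe] <dll>,<export>   where <export> may be an ordinal such as #1
CMDLINE_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>#?\w+)',
    re.IGNORECASE)


def rundll32_reasons(dll_path, export):
    """Static indicators visible in the command line alone."""
    reasons = []
    if any(marker in dll_path.lower() for marker in USER_WRITABLE):
        reasons.append("DLL loaded from a user-writable directory")
    if export.startswith("#"):
        reasons.append("export called by ordinal")
    return reasons


def hunt(events):
    """One finding per suspicious rundll32 creation; severity rises with outbound connections."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    conns = defaultdict(list)
    for e in events:
        if e["id"] == 3:
            conns[e["pid"]].append(f'{e["dst"]}:{e["dport"]}')

    findings = []
    for e in events:
        if e["id"] != 1 or not e["image"].lower().endswith("\\rundll32.exe"):
            continue
        m = CMDLINE_RE.match(e["cmdline"])
        if not m:
            continue
        reasons = rundll32_reasons(m["dll"], m["export"])
        if not reasons:
            continue                      # shell32.dll,Control_RunDLL style usage stays quiet
        parent = procs.get(e["ppid"])
        if (parent and parent["image"].lower().endswith("\\rundll32.exe")
                and parent["cmdline"] == e["cmdline"]):
            reasons.append("same command line as rundll32 parent: the x64 -> SysWOW64 "
                           "re-launch of a 32-bit DLL, treat both PIDs as one execution")
        if conns[e["pid"]]:
            reasons.append("outbound connections: " + ", ".join(conns[e["pid"]]))
        findings.append({"pid": e["pid"], "image": e["image"],
                         "severity": "high" if conns[e["pid"]] else "medium",
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f'[{f["severity"]}] PID {f["pid"]} {f["image"]}')
        for r in f["reasons"]:
            print("   -", r)
```

Run against the constructed events, PID 4144 is reported at medium severity (temp-directory DLL, ordinal export) and PID 3120 at high severity (same indicators plus the two connections), with the parent/child relationship called out so an analyst does not count two infections.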

Network

DNS (all queries to 8.8.8.8:53; every query is a reverse PTR lookup, and an empty response means no PTR record came back)

  • 28.118.140.52.in-addr.arpa  IN PTR  response: empty
  • 72.32.126.40.in-addr.arpa  IN PTR  response: empty
  • 95.221.229.192.in-addr.arpa  IN PTR  response: empty
  • 196.249.167.52.in-addr.arpa  IN PTR  response: empty
  • 97.17.167.52.in-addr.arpa  IN PTR  response: empty
  • 50.23.12.20.in-addr.arpa  IN PTR  response: empty
  • 15.164.165.52.in-addr.arpa  IN PTR  response: empty

HTTP (rundll32.exe to 13.107.42.16:80)

    Request
    GET /phpadmin/AzrPI5udrrFSfCxMS7Md/VGuInBCx7QIopHk4zxh/vRS4xR1vvDJtzC9v0WNYeS/wDLKAZ4WUFsI4/_2B2x11V/XzljuKBBqR5NNgZVRy8RMoz/zKPEr22h_2/FpfPrr4kQ57U3aI6_/2FdR7UmSrtGK/U8kLA32DYF_/2BqdRfY3LU3Yxl/aDMZVnWNsGeW1CGxvNr_2/BGuW_2BbGFNmqVsV/KhykSmj8KFAxry_/2FDt1g_2BOYF0Sr7_2/FmmFksB0Qxr70/B.src HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: config.edge.skype.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 400 Bad Request
    Transfer-Encoding: chunked
    X-MSEdge-Ref: 0YlNnZwAAAADbIEmQhGlGR6C+OOMh79fSTE9OMDRFREdFMTExOQBFZGdl
    Date: Sat, 21 Dec 2024 23:46:41 GMT

DNS, continued (8.8.8.8:53)

  • 73.144.22.2.in-addr.arpa  IN PTR  response: a2-22-144-73.deploy.static.akamaitechnologies.com
  • 134.130.81.91.in-addr.arpa  IN PTR  response: empty
  • 30.243.111.52.in-addr.arpa  IN PTR  response: empty

None of the PTR lookups concern the configured C2 addresses.
Connections (columns: sent bytes / received bytes / packets out / packets in, as recorded by the sandbox)

  • 13.107.42.16:80  http  rundll32.exe  673 B / 583 B / 5 / 5
    GET http://config.edge.skype.com/phpadmin/AzrPI5udrrFSfCxMS7Md/VGuInBCx7QIopHk4zxh/vRS4xR1vvDJtzC9v0WNYeS/wDLKAZ4WUFsI4/_2B2x11V/XzljuKBBqR5NNgZVRy8RMoz/zKPEr22h_2/FpfPrr4kQ57U3aI6_/2FdR7UmSrtGK/U8kLA32DYF_/2BqdRfY3LU3Yxl/aDMZVnWNsGeW1CGxvNr_2/BGuW_2BbGFNmqVsV/KhykSmj8KFAxry_/2FDt1g_2BOYF0Sr7_2/FmmFksB0Qxr70/B.src
    HTTP response: 400
  • 146.70.35.138:80  rundll32.exe  260 B / 5 packets out; no received bytes or packets were recorded
  • 8.8.8.8:53  dns  28.118.140.52.in-addr.arpa  72 B / 158 B / 1 / 1
  • 8.8.8.8:53  dns  72.32.126.40.in-addr.arpa  71 B / 157 B / 1 / 1
  • 8.8.8.8:53  dns  95.221.229.192.in-addr.arpa  73 B / 144 B / 1 / 1
  • 8.8.8.8:53  dns  196.249.167.52.in-addr.arpa  73 B / 147 B / 1 / 1
  • 8.8.8.8:53  dns  97.17.167.52.in-addr.arpa  71 B / 145 B / 1 / 1
  • 8.8.8.8:53  dns  50.23.12.20.in-addr.arpa  70 B / 156 B / 1 / 1
  • 8.8.8.8:53  dns  15.164.165.52.in-addr.arpa  72 B / 146 B / 1 / 1
  • 8.8.8.8:53  dns  73.144.22.2.in-addr.arpa  70 B / 133 B / 1 / 1
  • 8.8.8.8:53  dns  134.130.81.91.in-addr.arpa  72 B / 147 B / 1 / 1
  • 8.8.8.8:53  dns  30.243.111.52.in-addr.arpa  72 B / 158 B / 1 / 1

Reading the C2 activity: config.edge.skype.com is a Microsoft hostname, and 13.107.42.16 answered as a Microsoft edge node (X-MSEdge-Ref header, 400 Bad Request), so that request produced no C2 exchange. The hostname is the first entry in the extracted C2 list, and traffic to it is not an indicator by itself. The loader also opened a connection to 146.70.35.138:80 and got nothing back within the run; 146.70.35.142 was not contacted during the 128 s of network capture. The URI layout (base_path /phpadmin/, random-looking path segments carrying _2B and _2F escapes, .src extension) matches the extracted config and is the part worth alerting on, together with the two 146.70.35.x addresses.
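Tying the extracted config to the observed request: the GET above is assembled from the config's base_path and extension, with the encrypted request parameters base64-encoded and broken into path segments, where '+' and '/' appear as _2B and _2F (both visible in the URL, sometimes split across a segment boundary). The following Python example is added here and is not the sandbox's or the malware's code; it undoes that encoding to recover the ciphertext blob and turns the config fields into a detection heuristic. The benign URL is constructed for contrast, and the _0A escape for '=' padding is my recollection of the ISFB code base rather than something this sample shows. Nothing here decrypts the blob.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Fields from the extracted config.
BASE_PATH = "/phpadmin/"
EXTENSION = ".src"

# The request observed in the sandbox run.
OBSERVED_URL = (
    "http://config.edge.skype.com/phpadmin/AzrPI5udrrFSfCxMS7Md/VGuInBCx7QIopHk4zxh/"
    "vRS4xR1vvDJtzC9v0WNYeS/wDLKAZ4WUFsI4/_2B2x11V/XzljuKBBqR5NNgZVRy8RMoz/zKPEr22h_2/"
    "FpfPrr4kQ57U3aI6_/2FdR7UmSrtGK/U8kLA32DYF_/2BqdRfY3LU3Yxl/aDMZVnWNsGeW1CGxvNr_2/"
    "BGuW_2BbGFNmqVsV/KhykSmj8KFAxry_/2FDt1g_2BOYF0Sr7_2/FmmFksB0Qxr70/B.src"
)

# Constructed for contrast; not from the report.
BENIGN_URL = "http://config.edge.skype.com/config/v1/Skype/908_1.33.0.28/SkypeNotifications"

# Base64 characters that are awkward in a URL path travel as underscore escapes.
# _2B and _2F are visible in the observed request; _0A for '=' padding is an assumption
# from my recollection of the ISFB code base and does not occur in this sample.
ESCAPES = {"_2B": "+", "_2F": "/", "_0A": "="}
B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+$")


def recover_payload(url, base_path=BASE_PATH, extension=EXTENSION):
    """Return the request blob (still ciphertext) if the URL follows the config's
    layout, otherwise None. Nothing here decrypts anything."""
    path = urlsplit(url).path
    if not (path.startswith(base_path) and path.endswith(extension)):
        return None
    inner = path[len(base_path):-len(extension)]
    # The bot inserts '/' at arbitrary positions, so an escape such as _2F can be split
    # across two segments (see ".../zKPEr22h_2/FpfPrr..."): join first, then unescape.
    joined = inner.replace("/", "")
    for esc, ch in ESCAPES.items():
        joined = joined.replace(esc, ch)
    joined = joined.rstrip("=")
    if not B64_ALPHABET.match(joined):
        return None
    # Padding is not transmitted; restore it before decoding.
    joined += "=" * (-len(joined) % 4)
    try:
        return base64.b64decode(joined, validate=True)
    except binascii.Error:
        return None


def looks_like_isfb_request(url):
    """Heuristic: the layout matches the config and the blob is a whole number of
    16-byte blocks, as a 128-bit block cipher in CBC mode would produce."""
    blob = recover_payload(url)
    return blob is not None and len(blob) > 0 and len(blob) % 16 == 0


if __name__ == "__main__":
    for u in (OBSERVED_URL, BENIGN_URL):
        blob = recover_payload(u)
        size = "no match" if blob is None else f"{len(blob)} bytes"
        print(f"{str(looks_like_isfb_request(u)):5}  {size:10}  {urlsplit(u).path[:48]}")
```

For the observed request the recovered blob is 176 bytes, a whole multiple of 16, which is what a 128-bit block cipher in CBC mode produces and agrees with the 16-character key the extractor labelled aes.plain. Alerting on the path shape plus the 146.70.35.x addresses is more robust than alerting on the hostname, since config.edge.skype.com is Microsoft's and the same path shape would be used against whichever C2 the bot tries next.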

MITRE ATT&CK Enterprise v15

  • Discovery: System Location Discovery: System Language Discovery (T1614.001)

Downloads (memory dumps from PID 3120)

  • memory/3120-0-0x0000000000D90000-0x0000000000D96000-memory.dmp  24KB
  • memory/3120-1-0x0000000000400000-0x000000000049F000-memory.dmp  636KB
  • memory/3120-2-0x0000000002BE0000-0x0000000002BED000-memory.dmp  52KB
  • memory/3120-5-0x0000000000400000-0x000000000049F000-memory.dmp  636KB

All four dumps come from the SysWOW64 rundll32.exe (PID 3120). The 0x00400000-0x0049F000 range was dumped twice (indices 1 and 5) at different points in the run.
