Analysis
-
max time kernel
140s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21-12-2024 23:45
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_6ca809f6d8f61a99f4717e8f934c90ba419dc4b1e5db7ccedc5b24741972133f.dll
Resource
win7-20240729-en
General
-
Target
JaffaCakes118_6ca809f6d8f61a99f4717e8f934c90ba419dc4b1e5db7ccedc5b24741972133f.dll
-
Size
626KB
-
MD5
2dde17bd6194390875bf27af7a4b125d
-
SHA1
fd8b1eed36b078cda5eaed254bc8a04708709447
-
SHA256
6ca809f6d8f61a99f4717e8f934c90ba419dc4b1e5db7ccedc5b24741972133f
-
SHA512
8ab1be245849ed9320e4e200a716f56e6d590200662bd1cbf375cf1fb88c9206ddcfcdba86d1ea1eab0b5b3a06215c27dbe9ca955be5c0deef25b754bad16eef
-
SSDEEP
12288:+w1lEKREbddtOYRbHzcPwka1dCjc3N8ZV:+w1lEKOpuYxiwkkgjAN8ZV
Malware Config
Extracted
gozi
Extracted
gozi
999
config.edge.skype.com
146.70.35.138
146.70.35.142
-
base_path
/phpadmin/
-
build
250227
-
exe_type
loader
-
extension
.src
-
server_id
50
Signatures
-
Gozi family
-
Blocklisted process makes network request 2 IoCs
flow pid Process 33 3120 rundll32.exe 37 3120 rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4144 wrote to memory of 3120 4144 rundll32.exe 82 PID 4144 wrote to memory of 3120 4144 rundll32.exe 82 PID 4144 wrote to memory of 3120 4144 rundll32.exe 82
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ca809f6d8f61a99f4717e8f934c90ba419dc4b1e5db7ccedc5b24741972133f.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ca809f6d8f61a99f4717e8f934c90ba419dc4b1e5db7ccedc5b24741972133f.dll,#12⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
PID:3120
-
Network
-
Remote address:8.8.8.8:53Request28.118.140.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request72.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request196.249.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request97.17.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request50.23.12.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
GEThttp://config.edge.skype.com/phpadmin/AzrPI5udrrFSfCxMS7Md/VGuInBCx7QIopHk4zxh/vRS4xR1vvDJtzC9v0WNYeS/wDLKAZ4WUFsI4/_2B2x11V/XzljuKBBqR5NNgZVRy8RMoz/zKPEr22h_2/FpfPrr4kQ57U3aI6_/2FdR7UmSrtGK/U8kLA32DYF_/2BqdRfY3LU3Yxl/aDMZVnWNsGeW1CGxvNr_2/BGuW_2BbGFNmqVsV/KhykSmj8KFAxry_/2FDt1g_2BOYF0Sr7_2/FmmFksB0Qxr70/B.srcrundll32.exeRemote address:13.107.42.16:80RequestGET /phpadmin/AzrPI5udrrFSfCxMS7Md/VGuInBCx7QIopHk4zxh/vRS4xR1vvDJtzC9v0WNYeS/wDLKAZ4WUFsI4/_2B2x11V/XzljuKBBqR5NNgZVRy8RMoz/zKPEr22h_2/FpfPrr4kQ57U3aI6_/2FdR7UmSrtGK/U8kLA32DYF_/2BqdRfY3LU3Yxl/aDMZVnWNsGeW1CGxvNr_2/BGuW_2BbGFNmqVsV/KhykSmj8KFAxry_/2FDt1g_2BOYF0Sr7_2/FmmFksB0Qxr70/B.src HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: config.edge.skype.com
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 400 Bad Request
X-MSEdge-Ref: 0YlNnZwAAAADbIEmQhGlGR6C+OOMh79fSTE9OMDRFREdFMTExOQBFZGdl
Date: Sat, 21 Dec 2024 23:46:41 GMT
-
Remote address:8.8.8.8:53Request73.144.22.2.in-addr.arpaIN PTRResponse73.144.22.2.in-addr.arpaIN PTRa2-22-144-73deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request134.130.81.91.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request30.243.111.52.in-addr.arpaIN PTRResponse
-
13.107.42.16:80http://config.edge.skype.com/phpadmin/AzrPI5udrrFSfCxMS7Md/VGuInBCx7QIopHk4zxh/vRS4xR1vvDJtzC9v0WNYeS/wDLKAZ4WUFsI4/_2B2x11V/XzljuKBBqR5NNgZVRy8RMoz/zKPEr22h_2/FpfPrr4kQ57U3aI6_/2FdR7UmSrtGK/U8kLA32DYF_/2BqdRfY3LU3Yxl/aDMZVnWNsGeW1CGxvNr_2/BGuW_2BbGFNmqVsV/KhykSmj8KFAxry_/2FDt1g_2BOYF0Sr7_2/FmmFksB0Qxr70/B.srchttprundll32.exe673 B 583 B 5 5
HTTP Request
GET http://config.edge.skype.com/phpadmin/AzrPI5udrrFSfCxMS7Md/VGuInBCx7QIopHk4zxh/vRS4xR1vvDJtzC9v0WNYeS/wDLKAZ4WUFsI4/_2B2x11V/XzljuKBBqR5NNgZVRy8RMoz/zKPEr22h_2/FpfPrr4kQ57U3aI6_/2FdR7UmSrtGK/U8kLA32DYF_/2BqdRfY3LU3Yxl/aDMZVnWNsGeW1CGxvNr_2/BGuW_2BbGFNmqVsV/KhykSmj8KFAxry_/2FDt1g_2BOYF0Sr7_2/FmmFksB0Qxr70/B.srcHTTP Response
400 -
260 B 5
-
72 B 158 B 1 1
DNS Request
28.118.140.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
72.32.126.40.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
196.249.167.52.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
97.17.167.52.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
50.23.12.20.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
73.144.22.2.in-addr.arpa
-
72 B 147 B 1 1
DNS Request
134.130.81.91.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
30.243.111.52.in-addr.arpa