Analysis
max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 07:26
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_a04a20a3fce0ab07fc2537a95666b3009c3cd08ad8c8342ae22dd1737fa3c1a9.dll
Resource: win7-20240729-en
General
Target: JaffaCakes118_a04a20a3fce0ab07fc2537a95666b3009c3cd08ad8c8342ae22dd1737fa3c1a9.dll
Size: 625KB
MD5: 558276724fb83b9d044143c1b4d8ee47
SHA1: 852076fcb63df359559d6859ff215b7641308a79
SHA256: a04a20a3fce0ab07fc2537a95666b3009c3cd08ad8c8342ae22dd1737fa3c1a9
SHA512: a14fd60423e8a2ccce4cada68268f43a08ef707c70d64122e3072f5be66031c242a419330cd44d7b0c9c4d94b55919b9757e265b6379c81d3f7146b6117dd35c
SSDEEP: 12288:+w1lEKREbddtOYRbHzcPwka1dCjc3N8Zb1:+w1lEKOpuYxiwkkgjAN8ZZ
Malware Config
Extracted: gozi
  999
  config.edge.skype.com
  146.70.35.138
  146.70.35.142
  base_path: /phpadmin/
  build: 250227
  exe_type: loader
  extension: .src
  server_id: 50
Signatures
- Gozi family
- Blocklisted process makes network request (4 IoCs)
  flow  pid   Process
  15    3652  rundll32.exe
  24    3652  rundll32.exe
  46    3652  rundll32.exe
  47    3652  rundll32.exe
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                            Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process       procid_target
  PID 1708 wrote to memory of 3652   1708  rundll32.exe  82
  PID 1708 wrote to memory of 3652   1708  rundll32.exe  82
  PID 1708 wrote to memory of 3652   1708  rundll32.exe  82
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a04a20a3fce0ab07fc2537a95666b3009c3cd08ad8c8342ae22dd1737fa3c1a9.dll,#1
  PID: 1708
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a04a20a3fce0ab07fc2537a95666b3009c3cd08ad8c8342ae22dd1737fa3c1a9.dll,#1
    PID: 3652
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
Network
- Remote address: 8.8.8.8:53
  Request: 8.8.8.8.in-addr.arpa IN PTR
  Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
- Remote address: 8.8.8.8:53
  Request: 154.239.44.20.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 88.210.23.2.in-addr.arpa IN PTR
  Response: 88.210.23.2.in-addr.arpa IN PTR a2-23-210-88.deploy.static.akamaitechnologies.com
- Remote address: 8.8.8.8:53
  Request: 69.31.126.40.in-addr.arpa IN PTR
  Response: (empty)
- GET http://config.edge.skype.com/phpadmin/lO0ssH7pFFG1L8DJaZ1w/wZKdFakdxHmdR_2BSlI/sqZ354J4Z370sr8_2ByEQN/psfyl7KTznEIs/8kVbtZQa/nc1TUWs_2Fu1Arh8hpt6p3N/goNiKzHYDL/qg2lE84omP3ugzdg8/6J3pGKJDs7_2/B4_2BPbvrcE/ytrObi9_2FEIJH/DEo9PolLb8ObOPXbDE7Ts/cBheyCmbogTpIdcD/WPBqYaskizyIoVV/Paoiaz2j30LuCbxG3v/ktcsFi5Q.src
  Process: rundll32.exe
  Remote address: 13.107.42.16:80
  Request:
    GET /phpadmin/lO0ssH7pFFG1L8DJaZ1w/wZKdFakdxHmdR_2BSlI/sqZ354J4Z370sr8_2ByEQN/psfyl7KTznEIs/8kVbtZQa/nc1TUWs_2Fu1Arh8hpt6p3N/goNiKzHYDL/qg2lE84omP3ugzdg8/6J3pGKJDs7_2/B4_2BPbvrcE/ytrObi9_2FEIJH/DEo9PolLb8ObOPXbDE7Ts/cBheyCmbogTpIdcD/WPBqYaskizyIoVV/Paoiaz2j30LuCbxG3v/ktcsFi5Q.src HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: config.edge.skype.com
    Connection: Keep-Alive
    Cache-Control: no-cache
  Response:
    HTTP/1.1 400 Bad Request
    X-MSEdge-Ref: 0J79nZwAAAAAxCjrr4XtNR6Sqtl8+qe+vTE9OMDRFREdFMTIxOQBFZGdl
    Date: Sun, 22 Dec 2024 07:26:30 GMT
- Remote address: 8.8.8.8:53
  Request: 95.221.229.192.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 209.205.72.20.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 197.87.175.4.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 241.42.69.40.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 65.139.73.23.in-addr.arpa IN PTR
  Response: 65.139.73.23.in-addr.arpa IN PTR a23-73-139-65.deploy.static.akamaitechnologies.com
- Remote address: 8.8.8.8:53
  Request: 83.210.23.2.in-addr.arpa IN PTR
  Response: 83.210.23.2.in-addr.arpa IN PTR a2-23-210-83.deploy.static.akamaitechnologies.com
- Remote address: 8.8.8.8:53
  Request: 43.229.111.52.in-addr.arpa IN PTR
  Response: (empty)
- GET http://config.edge.skype.com/phpadmin/QLTry8ar/jJNKm_2Fjvh2DfzCYtUrDJl/chUg8cxwOs/p_2F7x_2FLJ9QAhGm/2CYU3D_2FKcR/zNmVLBBYn1N/4r32WKlFYlOrzG/J6DxM9idY6x1ocQQewT69/6W0okgC8rx7yrrT2/L0kpXNOU14SpEvK/ToinEWKepMJCeKu15P/VzHOT39AX/nQYz3XHBg9DswnEGkYkp/NrxmXZ9VSR6K1gxkbPS/fgcqLNfFYqkFXHRLsoGe1T/nE8X9WID.src
  Process: rundll32.exe
  Remote address: 13.107.42.16:80
  Request:
    GET /phpadmin/QLTry8ar/jJNKm_2Fjvh2DfzCYtUrDJl/chUg8cxwOs/p_2F7x_2FLJ9QAhGm/2CYU3D_2FKcR/zNmVLBBYn1N/4r32WKlFYlOrzG/J6DxM9idY6x1ocQQewT69/6W0okgC8rx7yrrT2/L0kpXNOU14SpEvK/ToinEWKepMJCeKu15P/VzHOT39AX/nQYz3XHBg9DswnEGkYkp/NrxmXZ9VSR6K1gxkbPS/fgcqLNfFYqkFXHRLsoGe1T/nE8X9WID.src HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: config.edge.skype.com
    Connection: Keep-Alive
    Cache-Control: no-cache
  Response:
    HTTP/1.1 400 Bad Request
    X-MSEdge-Ref: 0oL9nZwAAAAA9zL1lUDH5Ra8f0wazl+6mTE9OMDRFREdFMTIwOABFZGdl
    Date: Sun, 22 Dec 2024 07:28:32 GMT
- 13.107.42.16:80  http  rundll32.exe  666 B  583 B  5  5
  URL: http://config.edge.skype.com/phpadmin/lO0ssH7pFFG1L8DJaZ1w/wZKdFakdxHmdR_2BSlI/sqZ354J4Z370sr8_2ByEQN/psfyl7KTznEIs/8kVbtZQa/nc1TUWs_2Fu1Arh8hpt6p3N/goNiKzHYDL/qg2lE84omP3ugzdg8/6J3pGKJDs7_2/B4_2BPbvrcE/ytrObi9_2FEIJH/DEo9PolLb8ObOPXbDE7Ts/cBheyCmbogTpIdcD/WPBqYaskizyIoVV/Paoiaz2j30LuCbxG3v/ktcsFi5Q.src
  HTTP Request: GET http://config.edge.skype.com/phpadmin/lO0ssH7pFFG1L8DJaZ1w/wZKdFakdxHmdR_2BSlI/sqZ354J4Z370sr8_2ByEQN/psfyl7KTznEIs/8kVbtZQa/nc1TUWs_2Fu1Arh8hpt6p3N/goNiKzHYDL/qg2lE84omP3ugzdg8/6J3pGKJDs7_2/B4_2BPbvrcE/ytrObi9_2FEIJH/DEo9PolLb8ObOPXbDE7Ts/cBheyCmbogTpIdcD/WPBqYaskizyIoVV/Paoiaz2j30LuCbxG3v/ktcsFi5Q.src
  HTTP Response: 400  260 B  5
- 13.107.42.16:80  http  rundll32.exe  662 B  543 B  5  4
  URL: http://config.edge.skype.com/phpadmin/QLTry8ar/jJNKm_2Fjvh2DfzCYtUrDJl/chUg8cxwOs/p_2F7x_2FLJ9QAhGm/2CYU3D_2FKcR/zNmVLBBYn1N/4r32WKlFYlOrzG/J6DxM9idY6x1ocQQewT69/6W0okgC8rx7yrrT2/L0kpXNOU14SpEvK/ToinEWKepMJCeKu15P/VzHOT39AX/nQYz3XHBg9DswnEGkYkp/NrxmXZ9VSR6K1gxkbPS/fgcqLNfFYqkFXHRLsoGe1T/nE8X9WID.src
  HTTP Request: GET http://config.edge.skype.com/phpadmin/QLTry8ar/jJNKm_2Fjvh2DfzCYtUrDJl/chUg8cxwOs/p_2F7x_2FLJ9QAhGm/2CYU3D_2FKcR/zNmVLBBYn1N/4r32WKlFYlOrzG/J6DxM9idY6x1ocQQewT69/6W0okgC8rx7yrrT2/L0kpXNOU14SpEvK/ToinEWKepMJCeKu15P/VzHOT39AX/nQYz3XHBg9DswnEGkYkp/NrxmXZ9VSR6K1gxkbPS/fgcqLNfFYqkFXHRLsoGe1T/nE8X9WID.src
  HTTP Response: 400  156 B  3
- DNS Request: 8.8.8.8.in-addr.arpa  (66 B  90 B  1  1)
- DNS Request: 154.239.44.20.in-addr.arpa  (72 B  158 B  1  1)
- DNS Request: 88.210.23.2.in-addr.arpa  (70 B  133 B  1  1)
- DNS Request: 69.31.126.40.in-addr.arpa  (71 B  157 B  1  1)
- DNS Request: 95.221.229.192.in-addr.arpa  (73 B  144 B  1  1)
- DNS Request: 209.205.72.20.in-addr.arpa  (72 B  158 B  1  1)
- DNS Request: 197.87.175.4.in-addr.arpa  (71 B  157 B  1  1)
- DNS Request: 241.42.69.40.in-addr.arpa  (71 B  145 B  1  1)
- DNS Request: 65.139.73.23.in-addr.arpa  (71 B  135 B  1  1)
- DNS Request: 83.210.23.2.in-addr.arpa  (70 B  133 B  1  1)
- DNS Request: 43.229.111.52.in-addr.arpa  (72 B  158 B  1  1)