Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2024 07:26

General

  • Target

    JaffaCakes118_a04a20a3fce0ab07fc2537a95666b3009c3cd08ad8c8342ae22dd1737fa3c1a9.dll

  • Size

    625KB

  • MD5

    558276724fb83b9d044143c1b4d8ee47

  • SHA1

    852076fcb63df359559d6859ff215b7641308a79

  • SHA256

    a04a20a3fce0ab07fc2537a95666b3009c3cd08ad8c8342ae22dd1737fa3c1a9

  • SHA512

    a14fd60423e8a2ccce4cada68268f43a08ef707c70d64122e3072f5be66031c242a419330cd44d7b0c9c4d94b55919b9757e265b6379c81d3f7146b6117dd35c

  • SSDEEP

    12288:+w1lEKREbddtOYRbHzcPwka1dCjc3N8Zb1:+w1lEKOpuYxiwkkgjAN8ZZ

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

999

C2

config.edge.skype.com

146.70.35.138

146.70.35.142

Attributes
  • base_path

    /phpadmin/

  • build

    250227

  • exe_type

    loader

  • extension

    .src

  • server_id

    50

rsa_pubkey.plain
1
-----BEGIN PUBLIC KEY-----
2
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIdG2NVRT4bIwAE0zLT2DTbLDZ
3
979eMzKPtARqeuvDBcFf2A+4K8FvGS1r/gid2qMVfP9RlPEOv2lwbiYN49dYO+Qr
4
8W9jU/t6qakm8l85c780VPQBjhOUrKpM+044k5wroz4Vu5OjfJF3j4SRrbe6ea/0
5
sHXQ+NV6gNEXzbTyDwIDAQAB
6
-----END PUBLIC KEY-----
aes.plain
1
1f4DxymshQl48FMz

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Gozi family
  • Blocklisted process makes network request 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a04a20a3fce0ab07fc2537a95666b3009c3cd08ad8c8342ae22dd1737fa3c1a9.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a04a20a3fce0ab07fc2537a95666b3009c3cd08ad8c8342ae22dd1737fa3c1a9.dll,#1
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      PID:3652

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88deploystaticakamaitechnologiescom
  • flag-us
    DNS
    69.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    69.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    http://config.edge.skype.com/phpadmin/lO0ssH7pFFG1L8DJaZ1w/wZKdFakdxHmdR_2BSlI/sqZ354J4Z370sr8_2ByEQN/psfyl7KTznEIs/8kVbtZQa/nc1TUWs_2Fu1Arh8hpt6p3N/goNiKzHYDL/qg2lE84omP3ugzdg8/6J3pGKJDs7_2/B4_2BPbvrcE/ytrObi9_2FEIJH/DEo9PolLb8ObOPXbDE7Ts/cBheyCmbogTpIdcD/WPBqYaskizyIoVV/Paoiaz2j30LuCbxG3v/ktcsFi5Q.src
    rundll32.exe
    Remote address:
    13.107.42.16:80
    Request
    GET /phpadmin/lO0ssH7pFFG1L8DJaZ1w/wZKdFakdxHmdR_2BSlI/sqZ354J4Z370sr8_2ByEQN/psfyl7KTznEIs/8kVbtZQa/nc1TUWs_2Fu1Arh8hpt6p3N/goNiKzHYDL/qg2lE84omP3ugzdg8/6J3pGKJDs7_2/B4_2BPbvrcE/ytrObi9_2FEIJH/DEo9PolLb8ObOPXbDE7Ts/cBheyCmbogTpIdcD/WPBqYaskizyIoVV/Paoiaz2j30LuCbxG3v/ktcsFi5Q.src HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: config.edge.skype.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 400 Bad Request
    Transfer-Encoding: chunked
    X-MSEdge-Ref: 0J79nZwAAAAAxCjrr4XtNR6Sqtl8+qe+vTE9OMDRFREdFMTIxOQBFZGdl
    Date: Sun, 22 Dec 2024 07:26:30 GMT
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.42.69.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.42.69.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    65.139.73.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    65.139.73.23.in-addr.arpa
    IN PTR
    Response
    65.139.73.23.in-addr.arpa
    IN PTR
    a23-73-139-65deploystaticakamaitechnologiescom
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83deploystaticakamaitechnologiescom
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    http://config.edge.skype.com/phpadmin/QLTry8ar/jJNKm_2Fjvh2DfzCYtUrDJl/chUg8cxwOs/p_2F7x_2FLJ9QAhGm/2CYU3D_2FKcR/zNmVLBBYn1N/4r32WKlFYlOrzG/J6DxM9idY6x1ocQQewT69/6W0okgC8rx7yrrT2/L0kpXNOU14SpEvK/ToinEWKepMJCeKu15P/VzHOT39AX/nQYz3XHBg9DswnEGkYkp/NrxmXZ9VSR6K1gxkbPS/fgcqLNfFYqkFXHRLsoGe1T/nE8X9WID.src
    rundll32.exe
    Remote address:
    13.107.42.16:80
    Request
    GET /phpadmin/QLTry8ar/jJNKm_2Fjvh2DfzCYtUrDJl/chUg8cxwOs/p_2F7x_2FLJ9QAhGm/2CYU3D_2FKcR/zNmVLBBYn1N/4r32WKlFYlOrzG/J6DxM9idY6x1ocQQewT69/6W0okgC8rx7yrrT2/L0kpXNOU14SpEvK/ToinEWKepMJCeKu15P/VzHOT39AX/nQYz3XHBg9DswnEGkYkp/NrxmXZ9VSR6K1gxkbPS/fgcqLNfFYqkFXHRLsoGe1T/nE8X9WID.src HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: config.edge.skype.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 400 Bad Request
    Transfer-Encoding: chunked
    X-MSEdge-Ref: 0oL9nZwAAAAA9zL1lUDH5Ra8f0wazl+6mTE9OMDRFREdFMTIwOABFZGdl
    Date: Sun, 22 Dec 2024 07:28:32 GMT
  • 13.107.42.16:80
    http://config.edge.skype.com/phpadmin/lO0ssH7pFFG1L8DJaZ1w/wZKdFakdxHmdR_2BSlI/sqZ354J4Z370sr8_2ByEQN/psfyl7KTznEIs/8kVbtZQa/nc1TUWs_2Fu1Arh8hpt6p3N/goNiKzHYDL/qg2lE84omP3ugzdg8/6J3pGKJDs7_2/B4_2BPbvrcE/ytrObi9_2FEIJH/DEo9PolLb8ObOPXbDE7Ts/cBheyCmbogTpIdcD/WPBqYaskizyIoVV/Paoiaz2j30LuCbxG3v/ktcsFi5Q.src
    http
    rundll32.exe
    666 B
    583 B
    5
    5

    HTTP Request

    GET http://config.edge.skype.com/phpadmin/lO0ssH7pFFG1L8DJaZ1w/wZKdFakdxHmdR_2BSlI/sqZ354J4Z370sr8_2ByEQN/psfyl7KTznEIs/8kVbtZQa/nc1TUWs_2Fu1Arh8hpt6p3N/goNiKzHYDL/qg2lE84omP3ugzdg8/6J3pGKJDs7_2/B4_2BPbvrcE/ytrObi9_2FEIJH/DEo9PolLb8ObOPXbDE7Ts/cBheyCmbogTpIdcD/WPBqYaskizyIoVV/Paoiaz2j30LuCbxG3v/ktcsFi5Q.src

    HTTP Response

    400
  • 146.70.35.138:80
    rundll32.exe
    260 B
    5
  • 13.107.42.16:80
    http://config.edge.skype.com/phpadmin/QLTry8ar/jJNKm_2Fjvh2DfzCYtUrDJl/chUg8cxwOs/p_2F7x_2FLJ9QAhGm/2CYU3D_2FKcR/zNmVLBBYn1N/4r32WKlFYlOrzG/J6DxM9idY6x1ocQQewT69/6W0okgC8rx7yrrT2/L0kpXNOU14SpEvK/ToinEWKepMJCeKu15P/VzHOT39AX/nQYz3XHBg9DswnEGkYkp/NrxmXZ9VSR6K1gxkbPS/fgcqLNfFYqkFXHRLsoGe1T/nE8X9WID.src
    http
    rundll32.exe
    662 B
    543 B
    5
    4

    HTTP Request

    GET http://config.edge.skype.com/phpadmin/QLTry8ar/jJNKm_2Fjvh2DfzCYtUrDJl/chUg8cxwOs/p_2F7x_2FLJ9QAhGm/2CYU3D_2FKcR/zNmVLBBYn1N/4r32WKlFYlOrzG/J6DxM9idY6x1ocQQewT69/6W0okgC8rx7yrrT2/L0kpXNOU14SpEvK/ToinEWKepMJCeKu15P/VzHOT39AX/nQYz3XHBg9DswnEGkYkp/NrxmXZ9VSR6K1gxkbPS/fgcqLNfFYqkFXHRLsoGe1T/nE8X9WID.src

    HTTP Response

    400
  • 146.70.35.142:80
    rundll32.exe
    156 B
    3
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    69.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    69.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    241.42.69.40.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    241.42.69.40.in-addr.arpa

  • 8.8.8.8:53
    65.139.73.23.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    65.139.73.23.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    43.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    43.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3652-0-0x0000000002280000-0x000000000231F000-memory.dmp

    Filesize

    636KB

  • memory/3652-2-0x0000000000A80000-0x0000000000A86000-memory.dmp

    Filesize

    24KB

  • memory/3652-3-0x0000000002280000-0x000000000231F000-memory.dmp

    Filesize

    636KB

  • memory/3652-4-0x00000000029C0000-0x00000000029CD000-memory.dmp

    Filesize

    52KB

  • memory/3652-7-0x0000000002280000-0x000000000231F000-memory.dmp

    Filesize

    636KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.