Analysis
-
max time kernel
147s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-12-2024 09:02
Behavioral task
behavioral1
Sample
JaffaCakes118_525600a23d6b55bc740abf7e6df42a17bf7873aef667ad9f35835e1cbf5862af.dll
Resource
win7-20241010-en
General
-
Target
JaffaCakes118_525600a23d6b55bc740abf7e6df42a17bf7873aef667ad9f35835e1cbf5862af.dll
-
Size
44KB
-
MD5
4f11c41c1103266ac8158e616af88cbe
-
SHA1
02f977e958097e6f402544d3b8c48979a8ff9cdd
-
SHA256
525600a23d6b55bc740abf7e6df42a17bf7873aef667ad9f35835e1cbf5862af
-
SHA512
cbc3dacdd4c134a35f699b62ba8f348c907a6b869551ac9c941f45684d200672d731f84b283137e4f9ef84f6fdca06e39d61bad0a0bca6ac8e35c629d432dd16
-
SSDEEP
768:/fl+nrGv4jsSCe1LYI6cN3l+p0AHnM7/mPrZG96A/6ENTaQY8xoQRL:/t+nljstwYIRcyenM7gU9/6oTaQYXo
Malware Config
Extracted
gozi
7408
signin.microsoft.com
linolleum.com
linolleum.bar
infomeetc.co
-
base_path
/includes/
-
build
250196
-
dns_servers
107.174.86.134
107.175.127.22
-
exe_type
loader
-
extension
.img
-
server_id
12
Signatures
-
Gozi family
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ielowutil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2484990377" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008110495d4aa4cb41b6757eb2472c6e51000000000200000000001066000000010000200000005429f9be3b68df876954afbb79f45b9894b531e2f336890eb69db10620c95162000000000e8000000002000020000000629d9447a6f9e35a81299260fb971c8021a938f5905847a751f6df4ee778f90b20000000a79bb339b8634d3bdbda600c9d9c6d10041b947f2c617445797760e63c8740a940000000a0cd864cf479e979544ef13a6757be4637014406d97d4963b6ae9cfafcfc8d78b36406b7a9865676385bca3fea9dfb04230fade7dea7f6138af783e53e528938 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2484990377" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1080f4945054db01 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31151184" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2054ed945054db01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31151184" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008110495d4aa4cb41b6757eb2472c6e5100000000020000000000106600000001000020000000e07c07d6e44fc1e240c7c96f11fdbc06b7d076b27c5ea97a3a2d93b893bca50f000000000e800000000200002000000035e7ff92e1a17357c046581023092243cf607e20dd9412f354ccc04baecf910b200000001821db7463338d4f2170822b042cd4e89dbb01bc0506aa2be9776c07652297b240000000683c14bcd34d46689c2534f874bf643361c2232930ddad2773d32cae1139636454d6df2fcdf9cddcf3b3c8eb4a30278a8695862c52672f627fd07c24a83801b3 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{BFC05168-C043-11EF-A7EA-EE8B2F3CE00B} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2728 iexplore.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2728 iexplore.exe 2728 iexplore.exe 1728 IEXPLORE.EXE 1728 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2548 wrote to memory of 1308 2548 regsvr32.exe 83 PID 2548 wrote to memory of 1308 2548 regsvr32.exe 83 PID 2548 wrote to memory of 1308 2548 regsvr32.exe 83 PID 2728 wrote to memory of 1728 2728 iexplore.exe 104 PID 2728 wrote to memory of 1728 2728 iexplore.exe 104 PID 2728 wrote to memory of 1728 2728 iexplore.exe 104
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_525600a23d6b55bc740abf7e6df42a17bf7873aef667ad9f35835e1cbf5862af.dll1⤵
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_525600a23d6b55bc740abf7e6df42a17bf7873aef667ad9f35835e1cbf5862af.dll2⤵
- System Location Discovery: System Language Discovery
PID:1308
-
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding1⤵
- System Location Discovery: System Language Discovery
PID:4584
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2728 CREDAT:17410 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1728
-