Analysis
max time kernel: 141s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2024 09:19
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_7b257f1a97efc89a722b6db2fc845da6e1f5b17a01b74a9ad36ec9e111ee1a14.dll
Resource: win7-20240903-en
General
Target: JaffaCakes118_7b257f1a97efc89a722b6db2fc845da6e1f5b17a01b74a9ad36ec9e111ee1a14.dll
Size: 625KB
MD5: d57b11e17c6d5986a53bddf82a51e341
SHA1: 91f71d810d65ce8111eb988a17ea87bfb420aa38
SHA256: 7b257f1a97efc89a722b6db2fc845da6e1f5b17a01b74a9ad36ec9e111ee1a14
SHA512: 10427dba2de00e097a696adb68b2a3d25b7eaeb83f558a0af3273eef9e73b76bf71fd5a3b65b072ec006cfb75a6b00cee5196933cf71bddd014a42a4736c9958
SSDEEP: 12288:+w1lEKREbddtOYRbHzcPwka1dCjc3N8ZN2:+w1lEKOpuYxiwkkgjAN8ZN2
Malware Config
Extracted: gozi
999
config.edge.skype.com
146.70.35.138
146.70.35.142
base_path: /phpadmin/
build: 250227
exe_type: loader
extension: .src
server_id: 50
Signatures
- Gozi family
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 2496 wrote to memory of 1992 | 2496 | rundll32.exe | 30
  PID 2496 wrote to memory of 1992 | 2496 | rundll32.exe | 30
  PID 2496 wrote to memory of 1992 | 2496 | rundll32.exe | 30
  PID 2496 wrote to memory of 1992 | 2496 | rundll32.exe | 30
  PID 2496 wrote to memory of 1992 | 2496 | rundll32.exe | 30
  PID 2496 wrote to memory of 1992 | 2496 | rundll32.exe | 30
  PID 2496 wrote to memory of 1992 | 2496 | rundll32.exe | 30
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b257f1a97efc89a722b6db2fc845da6e1f5b17a01b74a9ad36ec9e111ee1a14.dll,#1
   - Suspicious use of WriteProcessMemory
   PID: 2496
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b257f1a97efc89a722b6db2fc845da6e1f5b17a01b74a9ad36ec9e111ee1a14.dll,#1
      - System Location Discovery: System Language Discovery
      PID: 1992