Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2024 09:19

General

  • Target

    JaffaCakes118_7b257f1a97efc89a722b6db2fc845da6e1f5b17a01b74a9ad36ec9e111ee1a14.dll

  • Size

    625KB

  • MD5

    d57b11e17c6d5986a53bddf82a51e341

  • SHA1

    91f71d810d65ce8111eb988a17ea87bfb420aa38

  • SHA256

    7b257f1a97efc89a722b6db2fc845da6e1f5b17a01b74a9ad36ec9e111ee1a14

  • SHA512

    10427dba2de00e097a696adb68b2a3d25b7eaeb83f558a0af3273eef9e73b76bf71fd5a3b65b072ec006cfb75a6b00cee5196933cf71bddd014a42a4736c9958

  • SSDEEP

    12288:+w1lEKREbddtOYRbHzcPwka1dCjc3N8ZN2:+w1lEKOpuYxiwkkgjAN8ZN2

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

999

C2

config.edge.skype.com

146.70.35.138

146.70.35.142

Attributes
  • base_path

    /phpadmin/

  • build

    250227

  • exe_type

    loader

  • extension

    .src

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Gozi family
  • Blocklisted process makes network request 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b257f1a97efc89a722b6db2fc845da6e1f5b17a01b74a9ad36ec9e111ee1a14.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3968
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b257f1a97efc89a722b6db2fc845da6e1f5b17a01b74a9ad36ec9e111ee1a14.dll,#1
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      PID:4704

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4704-0-0x0000000000D40000-0x0000000000D46000-memory.dmp

    Filesize

    24KB

  • memory/4704-1-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

  • memory/4704-2-0x0000000002820000-0x000000000282D000-memory.dmp

    Filesize

    52KB

  • memory/4704-5-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB