Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 09:19
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_7b257f1a97efc89a722b6db2fc845da6e1f5b17a01b74a9ad36ec9e111ee1a14.dll
Resource: win7-20240903-en
General
Target: JaffaCakes118_7b257f1a97efc89a722b6db2fc845da6e1f5b17a01b74a9ad36ec9e111ee1a14.dll
Size: 625KB
MD5: d57b11e17c6d5986a53bddf82a51e341
SHA1: 91f71d810d65ce8111eb988a17ea87bfb420aa38
SHA256: 7b257f1a97efc89a722b6db2fc845da6e1f5b17a01b74a9ad36ec9e111ee1a14
SHA512: 10427dba2de00e097a696adb68b2a3d25b7eaeb83f558a0af3273eef9e73b76bf71fd5a3b65b072ec006cfb75a6b00cee5196933cf71bddd014a42a4736c9958
SSDEEP: 12288:+w1lEKREbddtOYRbHzcPwka1dCjc3N8ZN2:+w1lEKOpuYxiwkkgjAN8ZN2
Malware Config
Extracted: gozi
  999
  config.edge.skype.com
  146.70.35.138
  146.70.35.142
  base_path: /phpadmin/
  build: 250227
  exe_type: loader
  extension: .src
  server_id: 50
Note: config.edge.skype.com is a legitimate Microsoft domain; Gozi configurations carry such a domain alongside the real controller addresses, so only the two 146.70.35.x addresses and the /phpadmin/ base path should be used as network indicators. Blocking the Skype domain would break legitimate clients and catch nothing.
Signatures
- Gozi family
- Blocklisted process makes network request (4 IoCs)
  flow  pid   Process
  16    4704  rundll32.exe
  22    4704  rundll32.exe
  43    4704  rundll32.exe
  44    4704  rundll32.exe
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                            Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs, same parent/child pair reported three times)
  description                        pid   Process       procid_target
  PID 3968 wrote to memory of 4704   3968  rundll32.exe  82
  PID 3968 wrote to memory of 4704   3968  rundll32.exe  82
  PID 3968 wrote to memory of 4704   3968  rundll32.exe  82
Processes
- C:\Windows\system32\rundll32.exe (PID 3968)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b257f1a97efc89a722b6db2fc845da6e1f5b17a01b74a9ad36ec9e111ee1a14.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4704), child of PID 3968
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b257f1a97efc89a722b6db2fc845da6e1f5b17a01b74a9ad36ec9e111ee1a14.dll,#1
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery

Note: the sample is a 32-bit DLL on a 64-bit host. The 64-bit rundll32.exe (PID 3968) relaunches the 32-bit copy from SysWOW64 (PID 4704) with the same command line, and it is that child which opens the NLS\Language key and makes the four network requests. The WriteProcessMemory events are from the 64-bit parent to its own WOW64 child during that hand-off; on their own they are not evidence of injection into a third-party process.
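The three behaviours this report flags (a LOLBin making network requests, a read of the NLS\Language key, and cross-process memory writes), plus the rundll32 ordinal-export launch from a user Temp directory seen in the process tree, can be checked on endpoint telemetry with a few rules. The following is an added example and is not part of the sandbox report or of any vendor's detection content. The event records are constructed to mirror the rows above; the field names (type, pid, image, cmdline, key, flow, dst) are assumptions, not a real telemetry schema, and the flow destinations are taken from the extracted config rather than from the report, which lists only flow ids. The network blocklist is also an assumption.

```python
"""Detection rules for the behaviours in the report, run over constructed telemetry."""
import re
from collections import defaultdict

# Constructed sample events modelled on the report's process tree and signature
# tables (not captured data). Field names are assumptions, not a vendor schema.
DLL = (r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_"
       r"7b257f1a97efc89a722b6db2fc845da6e1f5b17a01b74a9ad36ec9e111ee1a14.dll")
EVENTS = [
    {"type": "process", "pid": 3968, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "process", "pid": 4704, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "write_process_memory", "pid": 3968, "target_pid": 4704},
    {"type": "write_process_memory", "pid": 3968, "target_pid": 4704},
    {"type": "write_process_memory", "pid": 3968, "target_pid": 4704},
    {"type": "registry_open", "pid": 4704,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    # Destinations are constructed from the extracted config; the report only gives flow ids.
    {"type": "network", "pid": 4704, "flow": 16, "dst": "146.70.35.138"},
    {"type": "network", "pid": 4704, "flow": 22, "dst": "146.70.35.142"},
    {"type": "network", "pid": 4704, "flow": 43, "dst": "146.70.35.138"},
    {"type": "network", "pid": 4704, "flow": 44, "dst": "146.70.35.142"},
]

# Assumed blocklist: Windows binaries that normally have no reason to talk to the network.
NETWORK_BLOCKLIST = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}
# rundll32 invoked with a DLL path and an ordinal export (",#N"), as in the report.
RUNDLL_RE = re.compile(r"rundll32\.exe\s+(?P<dll>.+?\.dll),#(?P<ordinal>\d+)$", re.IGNORECASE)
# User-writable temp directory, where a dropped DLL typically lands.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def run_detections(events):
    """Apply the four rules and return {rule name: [matching tuples]}."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    hits = defaultdict(list)
    for e in events:
        t = e["type"]
        if t == "process":
            m = RUNDLL_RE.match(e["cmdline"])
            if m and TEMP_RE.search(m["dll"]):
                hits["rundll32 ordinal export from Temp"].append((e["pid"], m["ordinal"]))
        elif t == "write_process_memory" and e["pid"] != e["target_pid"]:
            # Cross-process write; the report's parent/child hand-off is one instance.
            hits["cross-process WriteProcessMemory"].append((e["pid"], e["target_pid"]))
        elif t == "registry_open" and e["key"].lower().endswith(r"\control\nls\language"):
            # Match on the key suffix so ControlSet001 and CurrentControlSet both hit.
            hits["system language discovery"].append((e["pid"], e["key"]))
        elif t == "network" and image_name(images.get(e["pid"], "")) in NETWORK_BLOCKLIST:
            hits["blocklisted process network request"].append((e["pid"], e["flow"], e["dst"]))
    return dict(hits)


if __name__ == "__main__":
    for rule, matches in run_detections(EVENTS).items():
        print(f"{rule}: {len(matches)} hit(s)")
        for match in matches:
            print("   ", match)
```

Each rule fires on its own, which is how a sandbox presents them; in a production pipeline the useful signal is the combination on one process lineage: a rundll32.exe launched with a DLL from Temp whose child both reads the language key and talks to the network within the same few seconds.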