Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2024, 02:41 UTC

General

  • Target

    JaffaCakes118_e5832d3238da12d21f60a2b8e736594ff758c6d1ea3d9f63841fa0d6825743f3.dll

  • Size

    626KB

  • MD5

    1d1b6cbf522cacca5aad0ebd6488c9be

  • SHA1

    6da74b64f56c38e245d662ec00ba66057e978a67

  • SHA256

    e5832d3238da12d21f60a2b8e736594ff758c6d1ea3d9f63841fa0d6825743f3

  • SHA512

    60f57c2e0d110c550a0561d28bf1cc0b5a2957cd685acb7604452fcd06e7afef605766adfa023699dec73395b4ca8e8f9683d604ceed04ccad5cbfababef6852

  • SSDEEP

    12288:+w1lEKREbddtOYRbHzcPwka1dCjc3N8Za:+w1lEKOpuYxiwkkgjAN8Za

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

999

C2

config.edge.skype.com

146.70.35.138

146.70.35.142

Attributes
  • base_path

    /phpadmin/

  • build

    250227

  • exe_type

    loader

  • extension

    .src

  • server_id

    50

rsa_pubkey.plain
1
-----BEGIN PUBLIC KEY-----
2
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIdG2NVRT4bIwAE0zLT2DTbLDZ
3
979eMzKPtARqeuvDBcFf2A+4K8FvGS1r/gid2qMVfP9RlPEOv2lwbiYN49dYO+Qr
4
8W9jU/t6qakm8l85c780VPQBjhOUrKpM+044k5wroz4Vu5OjfJF3j4SRrbe6ea/0
5
sHXQ+NV6gNEXzbTyDwIDAQAB
6
-----END PUBLIC KEY-----
aes.plain
1
1f4DxymshQl48FMz

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Gozi family
  • Blocklisted process makes network request 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e5832d3238da12d21f60a2b8e736594ff758c6d1ea3d9f63841fa0d6825743f3.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4044
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e5832d3238da12d21f60a2b8e736594ff758c6d1ea3d9f63841fa0d6825743f3.dll,#1
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      PID:3196

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88deploystaticakamaitechnologiescom
  • flag-us
    DNS
    134.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    134.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    http://config.edge.skype.com/phpadmin/FJAzuw0xZ/DIWTlPXBcALErtmnM8QV/8dqwsCunvpIiVmcAJfA/YDiFLbXoZn8baEhyyDi_2B/c7T0i2EINYsuM/GAiqKnWa/wdisT6dgQppH5EtEBi8j5j4/lueAY_2FkR/hjZ_2FX3rOO0TORar/iv7kxFvdpA0d/ky571FF7o9R/akgwWLCNaptXDw/dBLuEt2P8pNlSDZ4ZsQXQ/E9ZEp5HdaagrKP6W/0_2FfSTXNjMTp7p/vMWGZv3NJv/b1h.src
    rundll32.exe
    Remote address:
    13.107.42.16:80
    Request
    GET /phpadmin/FJAzuw0xZ/DIWTlPXBcALErtmnM8QV/8dqwsCunvpIiVmcAJfA/YDiFLbXoZn8baEhyyDi_2B/c7T0i2EINYsuM/GAiqKnWa/wdisT6dgQppH5EtEBi8j5j4/lueAY_2FkR/hjZ_2FX3rOO0TORar/iv7kxFvdpA0d/ky571FF7o9R/akgwWLCNaptXDw/dBLuEt2P8pNlSDZ4ZsQXQ/E9ZEp5HdaagrKP6W/0_2FfSTXNjMTp7p/vMWGZv3NJv/b1h.src HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: config.edge.skype.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 400 Bad Request
    Transfer-Encoding: chunked
    X-MSEdge-Ref: 04XBrZwAAAABeJyzyHoDxRoqmXxGV2ndiTE9OMDRFREdFMDYwNwBFZGdl
    Date: Wed, 25 Dec 2024 02:41:37 GMT
  • flag-us
    DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    180.129.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    180.129.81.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    133.130.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.130.81.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    http://config.edge.skype.com/phpadmin/nZ_2FxPlDQzja4krcfwB/LMR2HtWs5bQbIlXc3Vv/dcJsUnYqoo_2FUP9lIIgqP/18Spuzhp9to_2/BjWbyM53/R1ObmacX7peA7yS1zWG6I8k/dga8Jc3uNk/1LM5MrYuSryBy9br2/lPS7OMu6NPdU/lbJlKBhX9_2/BQEERcHzUvqpjc/aFcqjseAteNy_2BM1EgKp/aqvBy_2Fx7Z0Xw0b/91vYF_2BOShPAk2/yVzoMS2FylshBquv9o/_2BmEqqPs/h_2Bf.src
    rundll32.exe
    Remote address:
    13.107.42.16:80
    Request
    GET /phpadmin/nZ_2FxPlDQzja4krcfwB/LMR2HtWs5bQbIlXc3Vv/dcJsUnYqoo_2FUP9lIIgqP/18Spuzhp9to_2/BjWbyM53/R1ObmacX7peA7yS1zWG6I8k/dga8Jc3uNk/1LM5MrYuSryBy9br2/lPS7OMu6NPdU/lbJlKBhX9_2/BQEERcHzUvqpjc/aFcqjseAteNy_2BM1EgKp/aqvBy_2Fx7Z0Xw0b/91vYF_2BOShPAk2/yVzoMS2FylshBquv9o/_2BmEqqPs/h_2Bf.src HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: config.edge.skype.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 400 Bad Request
    Transfer-Encoding: chunked
    X-MSEdge-Ref: 0WnFrZwAAAAAQjql3C/ZmQ4qUKwc0mSKVTE9OMDRFREdFMDgxOABFZGdl
    Date: Wed, 25 Dec 2024 02:43:38 GMT
  • 13.107.42.16:80
    http://config.edge.skype.com/phpadmin/FJAzuw0xZ/DIWTlPXBcALErtmnM8QV/8dqwsCunvpIiVmcAJfA/YDiFLbXoZn8baEhyyDi_2B/c7T0i2EINYsuM/GAiqKnWa/wdisT6dgQppH5EtEBi8j5j4/lueAY_2FkR/hjZ_2FX3rOO0TORar/iv7kxFvdpA0d/ky571FF7o9R/akgwWLCNaptXDw/dBLuEt2P8pNlSDZ4ZsQXQ/E9ZEp5HdaagrKP6W/0_2FfSTXNjMTp7p/vMWGZv3NJv/b1h.src
    http
    rundll32.exe
    663 B
    583 B
    5
    5

    HTTP Request

    GET http://config.edge.skype.com/phpadmin/FJAzuw0xZ/DIWTlPXBcALErtmnM8QV/8dqwsCunvpIiVmcAJfA/YDiFLbXoZn8baEhyyDi_2B/c7T0i2EINYsuM/GAiqKnWa/wdisT6dgQppH5EtEBi8j5j4/lueAY_2FkR/hjZ_2FX3rOO0TORar/iv7kxFvdpA0d/ky571FF7o9R/akgwWLCNaptXDw/dBLuEt2P8pNlSDZ4ZsQXQ/E9ZEp5HdaagrKP6W/0_2FfSTXNjMTp7p/vMWGZv3NJv/b1h.src

    HTTP Response

    400
  • 146.70.35.138:80
    rundll32.exe
    260 B
    5
  • 13.107.42.16:80
    http://config.edge.skype.com/phpadmin/nZ_2FxPlDQzja4krcfwB/LMR2HtWs5bQbIlXc3Vv/dcJsUnYqoo_2FUP9lIIgqP/18Spuzhp9to_2/BjWbyM53/R1ObmacX7peA7yS1zWG6I8k/dga8Jc3uNk/1LM5MrYuSryBy9br2/lPS7OMu6NPdU/lbJlKBhX9_2/BQEERcHzUvqpjc/aFcqjseAteNy_2BM1EgKp/aqvBy_2Fx7Z0Xw0b/91vYF_2BOShPAk2/yVzoMS2FylshBquv9o/_2BmEqqPs/h_2Bf.src
    http
    rundll32.exe
    673 B
    543 B
    5
    4

    HTTP Request

    GET http://config.edge.skype.com/phpadmin/nZ_2FxPlDQzja4krcfwB/LMR2HtWs5bQbIlXc3Vv/dcJsUnYqoo_2FUP9lIIgqP/18Spuzhp9to_2/BjWbyM53/R1ObmacX7peA7yS1zWG6I8k/dga8Jc3uNk/1LM5MrYuSryBy9br2/lPS7OMu6NPdU/lbJlKBhX9_2/BQEERcHzUvqpjc/aFcqjseAteNy_2BM1EgKp/aqvBy_2Fx7Z0Xw0b/91vYF_2BOShPAk2/yVzoMS2FylshBquv9o/_2BmEqqPs/h_2Bf.src

    HTTP Response

    400
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    134.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    134.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    180.129.81.91.in-addr.arpa
    dns
    72 B
    147 B
    1
    1

    DNS Request

    180.129.81.91.in-addr.arpa

  • 8.8.8.8:53
    133.130.81.91.in-addr.arpa
    dns
    72 B
    147 B
    1
    1

    DNS Request

    133.130.81.91.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3196-0-0x0000000001410000-0x0000000001416000-memory.dmp

    Filesize

    24KB

  • memory/3196-1-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

  • memory/3196-2-0x0000000002F10000-0x0000000002F1D000-memory.dmp

    Filesize

    52KB

  • memory/3196-5-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.