Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20250217-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/03/2025, 02:34

Static task: static1 (1 signatures)

Behavioral task: behavioral1
- Sample: JaffaCakes118_4426ec8e6bcb568fc8ab4d84ab2ec3f8.dll
- Resource: win7-20250207-en
- 5 signatures
- 150 seconds
General
- Target: JaffaCakes118_4426ec8e6bcb568fc8ab4d84ab2ec3f8.dll
- Size: 69KB
- MD5: 4426ec8e6bcb568fc8ab4d84ab2ec3f8
- SHA1: 0dc39524f41f928e06e5a3931ad8d45231e9cb8f
- SHA256: 482e0d297f6900be8e0146384d61537ad6bc63e2ab94bd8a199ed769159e0abc
- SHA512: 1cc52ef5388e5a2686a0f6ad221ee2812c248842e6f8cae84c0ea1295416232adf9c0778cd862f4756cd39465209b23ea511336dedff6bd8fc7cc0201a706120
- SSDEEP: 1536:tm+yeA6LmpLHe2Aj6xCt/GxMH/J7hTHfHBZxvmIYMIbCntT/:t6emeFj3pRVr/xvVY7beZ
Malware Config

Signatures
- Gozi family
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  4172  rundll32.exe
  4172  rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process       procid_target
  PID 4436 wrote to memory of 4172   4436  rundll32.exe  85
  PID 4436 wrote to memory of 4172   4436  rundll32.exe  85
  PID 4436 wrote to memory of 4172   4436  rundll32.exe  85
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4426ec8e6bcb568fc8ab4d84ab2ec3f8.dll,#1
  PID: 4436
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4426ec8e6bcb568fc8ab4d84ab2ec3f8.dll,#1
    PID: 4172
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx