Analysis
-
max time kernel
149s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
18-06-2024 06:48
General
-
Target
bb2bbdfd56cfa56164b14a0a574d1544_JaffaCakes118.dll
-
Size
848KB
-
MD5
bb2bbdfd56cfa56164b14a0a574d1544
-
SHA1
b639e690382f6a6e3e9debb304ef09111a6d9a4d
-
SHA256
32d2ce148c7d07c6b2acac5b1f4c3e668ab15518c5e17fa4be0ed128008837f0
-
SHA512
11a2e1e40fb66e45eff486c45bc3e0c7ea76ee8920b8374c6b207ec378faa2fe8659fcf6301f3d01d0510da9af56256af4c6b4d0d2b7fd3e97e2c5ef0993ff07
-
SSDEEP
12288:o+AtHVEapHjI6Y8ND2SE8a43uc+11rKQoPgPli+fsWfplphiPwiH:7At1PEj8cB8aqAULoPw+fsWX3BiH
Malware Config
Extracted
gozi
Extracted
gozi
700
http://cxzko43pnr7ujnte.onion
http://intraders-support.at
http://freshness-girls.at
-
build
216098
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
0x4eb7d2ca
-
dga_season
10
-
dga_tlds
com
ru
org
-
exe_type
worker
-
server_id
12
Signatures
-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 43 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\bb2bbdfd56cfa56164b14a0a574d1544_JaffaCakes118.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\bb2bbdfd56cfa56164b14a0a574d1544_JaffaCakes118.dll,#13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\control.exeC:\Windows\system32\control.exe /?4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?5⤵
-
C:\Windows\system32\cmd.execmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\FBC.bi1"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\nslookup.exenslookup myip.opendns.com resolver1.opendns.com3⤵
-
C:\Windows\system32\cmd.execmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\FBC.bi1"2⤵
-
C:\Windows\syswow64\cmd.exe"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,2⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\FBC.bi1Filesize
122B
MD586ae6b510c19228190f4b797503ce192
SHA10a6c67bc4f36fcdaa7a553f9ff9ae439f13b32d1
SHA256be8c30a0e245b6d86db1e7bdf04b8cfa3117846d5b88f6d476066041eaea1c3a
SHA512bec76ed958ccf192f26b2eb9250f02ce2cf04318cc4f51d30cbbd24b96de172f4f26bbac018938ebd2f7c38f70e70def8d8f6b0e9b473b3a32bbe252449e3dd5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Batmimer\crypider.dllFilesize
848KB
MD5bb2bbdfd56cfa56164b14a0a574d1544
SHA1b639e690382f6a6e3e9debb304ef09111a6d9a4d
SHA25632d2ce148c7d07c6b2acac5b1f4c3e668ab15518c5e17fa4be0ed128008837f0
SHA51211a2e1e40fb66e45eff486c45bc3e0c7ea76ee8920b8374c6b207ec378faa2fe8659fcf6301f3d01d0510da9af56256af4c6b4d0d2b7fd3e97e2c5ef0993ff07
-
memory/1212-58-0x000001FCBD810000-0x000001FCBD8C3000-memory.dmpFilesize
716KB
-
memory/1492-50-0x00000177542E0000-0x0000017754393000-memory.dmpFilesize
716KB
-
memory/2432-62-0x0000000000340000-0x00000000003F3000-memory.dmpFilesize
716KB
-
memory/2432-17-0x0000000000340000-0x00000000003F3000-memory.dmpFilesize
716KB
-
memory/2432-24-0x0000000000340000-0x00000000003F3000-memory.dmpFilesize
716KB
-
memory/2432-23-0x0000000000400000-0x0000000000401000-memory.dmpFilesize
4KB
-
memory/2956-44-0x000002B532B70000-0x000002B532C23000-memory.dmpFilesize
716KB
-
memory/2956-65-0x000002B532B70000-0x000002B532C23000-memory.dmpFilesize
716KB
-
memory/2956-39-0x000002B532B70000-0x000002B532C23000-memory.dmpFilesize
716KB
-
memory/2956-43-0x000002B5307C0000-0x000002B5307C1000-memory.dmpFilesize
4KB
-
memory/3116-22-0x00000000028A0000-0x000000000327E000-memory.dmpFilesize
9.9MB
-
memory/3116-1-0x00000000028A0000-0x000000000327E000-memory.dmpFilesize
9.9MB
-
memory/3116-3-0x0000000000EB0000-0x0000000000EB1000-memory.dmpFilesize
4KB
-
memory/3116-2-0x00000000028A0000-0x000000000327E000-memory.dmpFilesize
9.9MB
-
memory/3116-4-0x00000000028A0000-0x000000000327E000-memory.dmpFilesize
9.9MB
-
memory/3116-7-0x0000000000F80000-0x0000000000FCA000-memory.dmpFilesize
296KB
-
memory/3116-14-0x0000000000F80000-0x0000000000FCA000-memory.dmpFilesize
296KB
-
memory/3484-31-0x0000000000970000-0x0000000000971000-memory.dmpFilesize
4KB
-
memory/3484-32-0x0000000008510000-0x00000000085C3000-memory.dmpFilesize
716KB
-
memory/3484-25-0x0000000008510000-0x00000000085C3000-memory.dmpFilesize
716KB
-
memory/3484-63-0x0000000008510000-0x00000000085C3000-memory.dmpFilesize
716KB
-
memory/3976-54-0x000002196FA60000-0x000002196FB13000-memory.dmpFilesize
716KB
-
memory/3984-71-0x0000000000700000-0x00000000007A5000-memory.dmpFilesize
660KB
-
memory/3988-37-0x0000018B2BF70000-0x0000018B2BF71000-memory.dmpFilesize
4KB
-
memory/3988-64-0x0000018B2C200000-0x0000018B2C2B3000-memory.dmpFilesize
716KB
-
memory/3988-38-0x0000018B2C200000-0x0000018B2C2B3000-memory.dmpFilesize
716KB
-
memory/3988-33-0x0000018B2C200000-0x0000018B2C2B3000-memory.dmpFilesize
716KB
-
memory/4452-45-0x0000019FAADF0000-0x0000019FAAEA3000-memory.dmpFilesize
716KB