Analysis
max time kernel: 149s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-06-2024 06:48
Static task: static1
Behavioral task: behavioral1
Sample: bb2bbdfd56cfa56164b14a0a574d1544_JaffaCakes118.dll
Resource: win7-20231129-en
General
Target: bb2bbdfd56cfa56164b14a0a574d1544_JaffaCakes118.dll
Size: 848KB
MD5: bb2bbdfd56cfa56164b14a0a574d1544
SHA1: b639e690382f6a6e3e9debb304ef09111a6d9a4d
SHA256: 32d2ce148c7d07c6b2acac5b1f4c3e668ab15518c5e17fa4be0ed128008837f0
SHA512: 11a2e1e40fb66e45eff486c45bc3e0c7ea76ee8920b8374c6b207ec378faa2fe8659fcf6301f3d01d0510da9af56256af4c6b4d0d2b7fd3e97e2c5ef0993ff07
SSDEEP: 12288:o+AtHVEapHjI6Y8ND2SE8a43uc+11rKQoPgPli+fsWfplphiPwiH:7At1PEj8cB8aqAULoPw+fsWX3BiH
Malware Config
Extracted
Family: gozi
Botnet: 700
C2:
  http://cxzko43pnr7ujnte.onion
  http://intraders-support.at
  http://freshness-girls.at
build: 216098
dga_base_url: constitution.org/usdeclar.txt
dga_crc: 0x4eb7d2ca
dga_season: 10
dga_tlds: com, ru, org
exe_type: worker
server_id: 12
Signatures

Unexpected DNS network traffic destination (3 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  Destination IP 208.67.222.222 (3 occurrences)

Adds Run key to start application (2 TTPs, 1 IoC)
  Explorer.EXE: Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridclen = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Batmimer\\crypider.dll\",DllRegisterServer"

Suspicious use of SetThreadContext (9 IoCs)
  PID 3116 rundll32.exe set thread context of PID 2432 control.exe
  PID 2432 control.exe set thread context of PID 3484 Explorer.EXE
  PID 3484 Explorer.EXE set thread context of PID 3988 RuntimeBroker.exe
  PID 3484 Explorer.EXE set thread context of PID 2956 RuntimeBroker.exe
  PID 3484 Explorer.EXE set thread context of PID 4452 RuntimeBroker.exe
  PID 2432 control.exe set thread context of PID 3976 rundll32.exe
  PID 3484 Explorer.EXE set thread context of PID 1492 RuntimeBroker.exe
  PID 3484 Explorer.EXE set thread context of PID 1212 RuntimeBroker.exe
  PID 3484 Explorer.EXE set thread context of PID 3984 cmd.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 3116 rundll32.exe (2), PID 3484 Explorer.EXE (2)

Suspicious behavior: MapViewOfSection (9 IoCs)
  PID 3116 rundll32.exe (1), PID 2432 control.exe (2), PID 3484 Explorer.EXE (6)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  PID 3484 Explorer.EXE: Token SeShutdownPrivilege (2), Token SeCreatePagefilePrivilege (2)

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3484 Explorer.EXE

Suspicious use of UnmapMainImage (1 IoC)
  PID 3484 Explorer.EXE

Suspicious use of WriteProcessMemory (43 IoCs; distinct source/target pairs with occurrence counts)
  PID 2924 rundll32.exe wrote to memory of PID 3116 rundll32.exe (3)
  PID 3116 rundll32.exe wrote to memory of PID 2432 control.exe (5)
  PID 2432 control.exe wrote to memory of PID 3484 Explorer.EXE (3)
  PID 2432 control.exe wrote to memory of PID 3976 rundll32.exe (5)
  PID 3484 Explorer.EXE wrote to memory of PID 3988 RuntimeBroker.exe (3)
  PID 3484 Explorer.EXE wrote to memory of PID 2956 RuntimeBroker.exe (3)
  PID 3484 Explorer.EXE wrote to memory of PID 4452 RuntimeBroker.exe (3)
  PID 3484 Explorer.EXE wrote to memory of PID 1492 RuntimeBroker.exe (3)
  PID 3484 Explorer.EXE wrote to memory of PID 1212 RuntimeBroker.exe (3)
  PID 3484 Explorer.EXE wrote to memory of PID 652 cmd.exe (2)
  PID 652 cmd.exe wrote to memory of PID 4032 nslookup.exe (2)
  PID 3484 Explorer.EXE wrote to memory of PID 1756 cmd.exe (2)
  PID 3484 Explorer.EXE wrote to memory of PID 3984 cmd.exe (6)
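The SetThreadContext and WriteProcessMemory IoCs above, read together, give the injection path of the sample. The script below is an added example and is not part of the sandbox report: it takes those signature lines as constructed input (copied from the report, with the 43 WriteProcessMemory entries collapsed to their 13 distinct source/target pairs), keeps only SetThreadContext edges whose source also wrote into the target (the usual WriteProcessMemory + SetThreadContext hijack pairing), prints every root-to-leaf injection chain, and then groups the injected processes by the size of the region dumped from them, using the memory-dump names from the Downloads section. The regular expressions, function names and output format are the example's own choices.

```python
"""Added example: rebuild the injection chain and the injected-region sizes
from a Triage-style report's signature text and memory-dump file names."""
import re
from collections import defaultdict

# Constructed input: SetThreadContext IoC lines copied from the report.
SET_THREAD_CONTEXT = """
PID 3116 set thread context of 2432 3116 rundll32.exe control.exe
PID 2432 set thread context of 3484 2432 control.exe Explorer.EXE
PID 3484 set thread context of 3988 3484 Explorer.EXE RuntimeBroker.exe
PID 3484 set thread context of 2956 3484 Explorer.EXE RuntimeBroker.exe
PID 3484 set thread context of 4452 3484 Explorer.EXE RuntimeBroker.exe
PID 2432 set thread context of 3976 2432 control.exe rundll32.exe
PID 3484 set thread context of 1492 3484 Explorer.EXE RuntimeBroker.exe
PID 3484 set thread context of 1212 3484 Explorer.EXE RuntimeBroker.exe
PID 3484 set thread context of 3984 3484 Explorer.EXE cmd.exe
"""

# Constructed input: the 13 distinct WriteProcessMemory pairs from the report.
WRITE_PROCESS_MEMORY = """
PID 2924 wrote to memory of 3116 2924 rundll32.exe rundll32.exe
PID 3116 wrote to memory of 2432 3116 rundll32.exe control.exe
PID 2432 wrote to memory of 3484 2432 control.exe Explorer.EXE
PID 3484 wrote to memory of 3988 3484 Explorer.EXE RuntimeBroker.exe
PID 3484 wrote to memory of 2956 3484 Explorer.EXE RuntimeBroker.exe
PID 3484 wrote to memory of 4452 3484 Explorer.EXE RuntimeBroker.exe
PID 2432 wrote to memory of 3976 2432 control.exe rundll32.exe
PID 3484 wrote to memory of 1492 3484 Explorer.EXE RuntimeBroker.exe
PID 3484 wrote to memory of 1212 3484 Explorer.EXE RuntimeBroker.exe
PID 3484 wrote to memory of 652 3484 Explorer.EXE cmd.exe
PID 652 wrote to memory of 4032 652 cmd.exe nslookup.exe
PID 3484 wrote to memory of 1756 3484 Explorer.EXE cmd.exe
PID 3484 wrote to memory of 3984 3484 Explorer.EXE cmd.exe
"""

# Constructed input: one dump name per distinct (pid, region) from the report.
MEMORY_DUMPS = """
memory/3116-1-0x00000000028A0000-0x000000000327E000-memory.dmp
memory/3116-7-0x0000000000F80000-0x0000000000FCA000-memory.dmp
memory/2432-17-0x0000000000340000-0x00000000003F3000-memory.dmp
memory/2432-23-0x0000000000400000-0x0000000000401000-memory.dmp
memory/3484-25-0x0000000008510000-0x00000000085C3000-memory.dmp
memory/3988-33-0x0000018B2C200000-0x0000018B2C2B3000-memory.dmp
memory/2956-39-0x000002B532B70000-0x000002B532C23000-memory.dmp
memory/4452-45-0x0000019FAADF0000-0x0000019FAAEA3000-memory.dmp
memory/1492-50-0x00000177542E0000-0x0000017754393000-memory.dmp
memory/3976-54-0x000002196FA60000-0x000002196FB13000-memory.dmp
memory/1212-58-0x000001FCBD810000-0x000001FCBD8C3000-memory.dmp
memory/3984-71-0x0000000000700000-0x00000000007A5000-memory.dmp
"""

EVENT_RE = re.compile(r"PID (?P<src>\d+) (?:set thread context of|wrote to memory of) "
                      r"(?P<dst>\d+) \d+ (?P<src_name>\S+) (?P<dst_name>\S+)")
DUMP_RE = re.compile(r"memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp")


def parse_events(text):
    """Yield (src_pid, dst_pid, src_name, dst_name) for each recognised line."""
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield int(m["src"]), int(m["dst"]), m["src_name"], m["dst_name"]


def injection_chains(stc_text, wpm_text):
    """Root-to-leaf chains over SetThreadContext edges whose source also
    wrote into the target; sources that are nobody's target are the roots."""
    written = {(s, d) for s, d, _, _ in parse_events(wpm_text)}
    names, edges = {}, defaultdict(list)
    for s, d, sn, dn in parse_events(stc_text):
        names[s], names[d] = sn, dn
        if (s, d) in written:
            edges[s].append(d)
    targets = {d for ds in edges.values() for d in ds}
    roots = [s for s in edges if s not in targets]

    def walk(pid, path):
        path = path + [f"{names[pid]}({pid})"]
        if pid not in edges:
            return [" -> ".join(path)]
        return [c for child in edges[pid] for c in walk(child, path)]

    return sorted(c for r in roots for c in walk(r, []))


def regions_by_size(stc_text, dump_text):
    """Map region size (bytes) -> sorted PIDs among injection targets that
    had a dump of exactly that size; a size shared by all targets is the
    footprint of the injected module."""
    targets = {d for _, d, _, _ in parse_events(stc_text)}
    by_size = defaultdict(set)
    for line in dump_text.strip().splitlines():
        m = DUMP_RE.match(line.strip())
        if m and int(m["pid"]) in targets:
            by_size[int(m["end"], 16) - int(m["start"], 16)].add(int(m["pid"]))
    return {size: sorted(pids) for size, pids in by_size.items()}


if __name__ == "__main__":
    for chain in injection_chains(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY):
        print(chain)
    for size, pids in sorted(regions_by_size(SET_THREAD_CONTEXT, MEMORY_DUMPS).items()):
        print(f"{size:#x} bytes in PIDs {pids}")
```

On this report the script yields seven chains, all starting at rundll32.exe(3116) and passing through control.exe(2432); six continue through Explorer.EXE(3484) into the RuntimeBroker.exe and cmd.exe children, one goes directly to rundll32.exe(3976). Every target except cmd.exe(3984) has a 0xB3000-byte (716KB) region, while cmd.exe(3984) carries a 0xA5000-byte (660KB) one, so a triage analyst would pull those two dumps first.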
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb2bbdfd56cfa56164b14a0a574d1544_JaffaCakes118.dll,#1
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb2bbdfd56cfa56164b14a0a574d1544_JaffaCakes118.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\control.exe
        command line: C:\Windows\system32\control.exe /?
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\rundll32.exe
          command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?

  C:\Windows\system32\cmd.exe
    command line: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\FBC.bi1"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\nslookup.exe
      command line: nslookup myip.opendns.com resolver1.opendns.com

  C:\Windows\system32\cmd.exe
    command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\FBC.bi1"

  C:\Windows\syswow64\cmd.exe
    command line: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,

C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  (five separate RuntimeBroker.exe -Embedding processes are listed at this level)
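The process tree and signatures above contain several behaviours that are cheap to detect from ordinary endpoint telemetry: rundll32 loading a DLL by ordinal from a user-writable directory, control.exe /? spawned under rundll32 (the report shows rundll32 then injecting into it), the nslookup myip.opendns.com public-IP check, DNS traffic to 208.67.222.222 (which is resolver1.opendns.com, so the "unexpected DNS destination" IoC is explained by that nslookup), and a Run key that re-registers a DLL from %APPDATA% through rundll32. The rule set below is an added example, not a sandbox or SIEM component: the event records are constructed from the report's own command lines, registry value and DNS destination; the event field names, the rule names, and the configured resolver 10.0.0.53 are this example's assumptions.

```python
"""Added example: replay the report's behaviours as a small detection rule set
over constructed process / registry / DNS events."""
import re

# Constructed events; the field names are an assumption of this example.
EVENTS = [
    {"type": "process", "pid": 3116, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "parent_image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb2bbdfd56cfa56164b14a0a574d1544_JaffaCakes118.dll,#1"},
    {"type": "process", "pid": 2432, "image": r"C:\Windows\system32\control.exe",
     "parent_image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\system32\control.exe /?"},
    {"type": "process", "pid": 652, "image": r"C:\Windows\system32\cmd.exe",
     "parent_image": r"C:\Windows\Explorer.EXE",
     "cmdline": r'cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\FBC.bi1"'},
    {"type": "process", "pid": 4032, "image": r"C:\Windows\system32\nslookup.exe",
     "parent_image": r"C:\Windows\system32\cmd.exe",
     "cmdline": "nslookup myip.opendns.com resolver1.opendns.com"},
    {"type": "registry", "pid": 3484, "image": r"C:\Windows\Explorer.EXE",
     "key": r"\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridclen",
     "value": r'rundll32 "C:\Users\Admin\AppData\Roaming\Microsoft\Batmimer\crypider.dll",DllRegisterServer'},
    {"type": "dns", "pid": 4032, "dst_ip": "208.67.222.222", "dst_port": 53},
    # Benign control events so the rules have something to ignore.
    {"type": "process", "pid": 900, "image": r"C:\Windows\system32\cmd.exe",
     "parent_image": r"C:\Windows\Explorer.EXE", "cmdline": "cmd /C dir"},
    {"type": "dns", "pid": 900, "dst_ip": "10.0.0.53", "dst_port": 53},
]

CONFIGURED_RESOLVERS = {"10.0.0.53"}  # assumption: the host's assigned DNS server
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)
DLL_REGISTERSERVER = re.compile(r'rundll32(\.exe)?\s+"?[^"]+\.dll"?\s*,\s*DllRegisterServer', re.I)


def rule_rundll32_userdir_dll(ev):
    """rundll32 loading a DLL by ordinal (",#N") from a user-writable directory."""
    if ev["type"] == "process" and ev["image"].lower().endswith("rundll32.exe"):
        if USER_WRITABLE.search(ev["cmdline"]) and re.search(r"\.dll,#\d+", ev["cmdline"], re.I):
            return "rundll32_userdir_dll_ordinal"


def rule_control_help_child(ev):
    """control.exe /? started by rundll32: a no-op child the report shows being injected into."""
    if ev["type"] == "process" and ev["image"].lower().endswith("control.exe"):
        if ev["cmdline"].rstrip().endswith("/?") and ev["parent_image"].lower().endswith("rundll32.exe"):
            return "control_exe_help_under_rundll32"


def rule_external_ip_lookup(ev):
    """Public-IP discovery via myip.opendns.com, whether in cmd's or nslookup's command line."""
    if ev["type"] == "process" and "myip.opendns.com" in ev["cmdline"].lower():
        return "external_ip_discovery_nslookup"


def rule_run_key_dllregisterserver(ev):
    """Run-key persistence that re-registers a DLL from %APPDATA% via rundll32."""
    if ev["type"] == "registry" and "\\currentversion\\run\\" in ev["key"].lower():
        if DLL_REGISTERSERVER.search(ev["value"]) and USER_WRITABLE.search(ev["value"]):
            return "run_key_rundll32_dllregisterserver_appdata"


def rule_unexpected_dns_server(ev):
    """Port-53 traffic to a resolver other than the configured ones (208.67.222.222 is resolver1.opendns.com)."""
    if ev["type"] == "dns" and ev["dst_port"] == 53 and ev["dst_ip"] not in CONFIGURED_RESOLVERS:
        return "dns_to_unconfigured_resolver"


RULES = [rule_rundll32_userdir_dll, rule_control_help_child, rule_external_ip_lookup,
         rule_run_key_dllregisterserver, rule_unexpected_dns_server]


def evaluate(events):
    """Return the set of (pid, rule_name) pairs for every event that trips a rule."""
    hits = set()
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.add((ev["pid"], name))
    return hits


if __name__ == "__main__":
    for pid, name in sorted(evaluate(EVENTS)):
        print(f"pid {pid}: {name}")
```

The two benign control events (a plain cmd /C dir and a lookup against the configured resolver) produce no hits, while each of the report's behaviours produces exactly one; in particular PID 4032 trips both the nslookup rule and the DNS-destination rule, which is the correlation a SOC analyst wants before closing the "unexpected DNS destination" alert as explained.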
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
C:\Users\Admin\AppData\Local\Temp\FBC.bi1
  Filesize: 122B
  MD5: 86ae6b510c19228190f4b797503ce192
  SHA1: 0a6c67bc4f36fcdaa7a553f9ff9ae439f13b32d1
  SHA256: be8c30a0e245b6d86db1e7bdf04b8cfa3117846d5b88f6d476066041eaea1c3a
  SHA512: bec76ed958ccf192f26b2eb9250f02ce2cf04318cc4f51d30cbbd24b96de172f4f26bbac018938ebd2f7c38f70e70def8d8f6b0e9b473b3a32bbe252449e3dd5

C:\Users\Admin\AppData\Roaming\Microsoft\Batmimer\crypider.dll
  Filesize: 848KB
  MD5: bb2bbdfd56cfa56164b14a0a574d1544
  SHA1: b639e690382f6a6e3e9debb304ef09111a6d9a4d
  SHA256: 32d2ce148c7d07c6b2acac5b1f4c3e668ab15518c5e17fa4be0ed128008837f0
  SHA512: 11a2e1e40fb66e45eff486c45bc3e0c7ea76ee8920b8374c6b207ec378faa2fe8659fcf6301f3d01d0510da9af56256af4c6b4d0d2b7fd3e97e2c5ef0993ff07
  (all four hashes match the submitted sample: the DLL was copied unmodified to this path, which is the file the Run key value bridclen points at)

Memory dumps
memory/1212-58-0x000001FCBD810000-0x000001FCBD8C3000-memory.dmp  Filesize: 716KB
memory/1492-50-0x00000177542E0000-0x0000017754393000-memory.dmp  Filesize: 716KB
memory/2432-62-0x0000000000340000-0x00000000003F3000-memory.dmp  Filesize: 716KB
memory/2432-17-0x0000000000340000-0x00000000003F3000-memory.dmp  Filesize: 716KB
memory/2432-24-0x0000000000340000-0x00000000003F3000-memory.dmp  Filesize: 716KB
memory/2432-23-0x0000000000400000-0x0000000000401000-memory.dmp  Filesize: 4KB
memory/2956-44-0x000002B532B70000-0x000002B532C23000-memory.dmp  Filesize: 716KB
memory/2956-65-0x000002B532B70000-0x000002B532C23000-memory.dmp  Filesize: 716KB
memory/2956-39-0x000002B532B70000-0x000002B532C23000-memory.dmp  Filesize: 716KB
memory/2956-43-0x000002B5307C0000-0x000002B5307C1000-memory.dmp  Filesize: 4KB
memory/3116-22-0x00000000028A0000-0x000000000327E000-memory.dmp  Filesize: 9.9MB
memory/3116-1-0x00000000028A0000-0x000000000327E000-memory.dmp  Filesize: 9.9MB
memory/3116-3-0x0000000000EB0000-0x0000000000EB1000-memory.dmp  Filesize: 4KB
memory/3116-2-0x00000000028A0000-0x000000000327E000-memory.dmp  Filesize: 9.9MB
memory/3116-4-0x00000000028A0000-0x000000000327E000-memory.dmp  Filesize: 9.9MB
memory/3116-7-0x0000000000F80000-0x0000000000FCA000-memory.dmp  Filesize: 296KB
memory/3116-14-0x0000000000F80000-0x0000000000FCA000-memory.dmp  Filesize: 296KB
memory/3484-31-0x0000000000970000-0x0000000000971000-memory.dmp  Filesize: 4KB
memory/3484-32-0x0000000008510000-0x00000000085C3000-memory.dmp  Filesize: 716KB
memory/3484-25-0x0000000008510000-0x00000000085C3000-memory.dmp  Filesize: 716KB
memory/3484-63-0x0000000008510000-0x00000000085C3000-memory.dmp  Filesize: 716KB
memory/3976-54-0x000002196FA60000-0x000002196FB13000-memory.dmp  Filesize: 716KB
memory/3984-71-0x0000000000700000-0x00000000007A5000-memory.dmp  Filesize: 660KB
memory/3988-37-0x0000018B2BF70000-0x0000018B2BF71000-memory.dmp  Filesize: 4KB
memory/3988-64-0x0000018B2C200000-0x0000018B2C2B3000-memory.dmp  Filesize: 716KB
memory/3988-38-0x0000018B2C200000-0x0000018B2C2B3000-memory.dmp  Filesize: 716KB
memory/3988-33-0x0000018B2C200000-0x0000018B2C2B3000-memory.dmp  Filesize: 716KB
memory/4452-45-0x0000019FAADF0000-0x0000019FAAEA3000-memory.dmp  Filesize: 716KB