Analysis

  • max time kernel
    140s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-04-2024 00:58

General

  • Target

    06772ffd858cbcae85a391def1182db6_JaffaCakes118.exe

  • Size

    547KB

  • MD5

    06772ffd858cbcae85a391def1182db6

  • SHA1

    f38cc5e5a9d855b3060227c05f34aa20e788765d

  • SHA256

    ed2a2d9210f45a20ebf709dcea6b0bd68da6c1e5ce9d66defc631b27ad48ae24

  • SHA512

    33e771844a22f559e11331278bfd0d1da5305cae534b2e426658c048a98e74a054f113640221624db3d209f72718e09a6c44acc46fd6edc23b3735b64672e5b5

  • SSDEEP

    6144:uVJt7IsATy65KJZnF/gYdpOLwCF/lauaS7tsPUF18avHUwAIgJ+ke:uFTM5utF/tdpmp7tKO6asJIgJt

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214062

Extracted

Family

gozi

Botnet

3187

C2

qrodericky94.company

g77yelsao.company

tromainevirginia.email

Attributes
  • build

    214062

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\06772ffd858cbcae85a391def1182db6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\06772ffd858cbcae85a391def1182db6_JaffaCakes118.exe"
    1⤵
      PID:1944
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:2136
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1484
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1484 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1444
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3664
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3664 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3356
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:852
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:852 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4780
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:772
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:772 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4276

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\~DF07F21EC8B70A8231.TMP
        Filesize

        16KB

        MD5

        ee35e62267f5de92efb737873716fb40

        SHA1

        62539822d1c896a80936ad152c5a687621102919

        SHA256

        e9b68cdb12adbd420e8387dc50cc3ae99af7fe7a8911acd291175d90f36acb6d

        SHA512

        c1113055968917101ab96f2a4e60a44a14947994826cfe6722149a1483318f11d636d0776a902aae3bbcf4f3c8dae3877aff3a6f2ec3f1b8ccd001b632dc6464

      • memory/1944-0-0x0000000000840000-0x00000000008DE000-memory.dmp
        Filesize

        632KB

      • memory/1944-1-0x00000000009C0000-0x00000000009C1000-memory.dmp
        Filesize

        4KB

      • memory/1944-2-0x0000000000A10000-0x0000000000A2B000-memory.dmp
        Filesize

        108KB