Overview

overview

10

Static

static

1

1a6c3538fd...18.exe

windows7-x64

10

1a6c3538fd...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    06-05-2024 02:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1a6c3538fdc7f47444941df8698b068e_JaffaCakes118.exe

  • Size

    972KB

  • MD5

    1a6c3538fdc7f47444941df8698b068e

  • SHA1

    f0a71eec25204c81e4f4fb7a91110a8fd3bedeab

  • SHA256

    30bb7b0a988a5d25a8a9da3f01634e49792acd8f97d05fb162971b3307654056

  • SHA512

    dd8268951b3de43fd32f85713d18a264e08c68c44ad31741f0067b8c8cfed4d981889151b1d34a407bbbc1f12c56db6d48e59ce12ebdc2209f078ecd167ce636

  • SSDEEP

    6144:AqqZdrSLcCjbcU5h7bALnlpSIu5U7/AW+NtBgn3CqzwdGUm66e5z/+QrcpTOV8Ns:SdrIwU5hT

Score
10/10
gozi201909031bankerrm3trojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    300768

Extracted

Family

gozi

Botnet

201909031

C2

https://ciaraburkett.xyz

Attributes
  • build

    300768

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SetWindowsHookEx 40 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a6c3538fdc7f47444941df8698b068e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1a6c3538fdc7f47444941df8698b068e_JaffaCakes118.exe"
    1⤵
      PID:1688
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2564 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2704
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1868
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1868 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:744
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2096
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2096 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1596
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2596
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2388
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2388 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2320
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:932
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:932 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1204
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2064
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2064 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1992
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1972
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:820
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:820 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2436
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1492
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1492 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2680

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      fc70917a902c964e0ddb11dfcd178d0f

      SHA1

      3543f5b073ca5674b661e03a733b56271e50a357

      SHA256

      5cb1642cadd34452d6411045cd5697abf6546fcf1bb6899757e54a4580ca605c

      SHA512

      c85eb68c158dd4882f609e5a1de6e91179b1d2dbf5c4881402c310cf30ea3fffe2753738e7af6797008b017a6f00fb953b6a6d3feae55bcc7439269319644863

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      91cda1762d0084d5b54edadd84a1801a

      SHA1

      8537a421d363ef391be11338c82c23b212a745c7

      SHA256

      2d99694ccfab66280b2d48bdfc9ec5ec816dc56b231ebb48ea769e5314feb397

      SHA512

      c0cb98497636d8d634741d0dd5b73191f8cf6ec5be99d6004a21348d94c658ae04d1ece4585a4735251f8b3701968b2373895e99476537fa344c381d1ba22dcb

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      ad351ce18aa385a7052052d3909e36e6

      SHA1

      311d35a3aa398e7169aa02776a0ea48a019e0694

      SHA256

      135209131fd6df4459d85d430a996a3ffb7147b1e1eb714b5025e403e24bdfc1

      SHA512

      781032cc6dd5b1ab764e9543ab87f18cebe88faf1b7600a96920128e73b0374a37f3d25f6b7b2c6b4280a927c4962d1ab7e77d1b276b0b49b456ceb112e14c93

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      aa2c6cf84cfc484fbb91d1ceadd1b830

      SHA1

      d323f25001b76d513965547a963ba803a641b00c

      SHA256

      9369344d6b2f6dfb170051f7f2648056c2b97482c1c684a16714e7f279fdec19

      SHA512

      7d0fc41510ebb05acc053ac8a50e5492ece7c40493e90d71e7e8648f9a841f2fbadad4034af1a64f9aacc9c616598be09ad6692b814daaf30adadeb425413bf7

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      ccd142571b1aa6023b9faf40e6747ac7

      SHA1

      4516de874d3c29e229b01ec1ff7657a83e74cd32

      SHA256

      8e0d3cda54eb8533a6af00bfed24272a2c45dff6cb1a9ee729ab97c11e4dba3d

      SHA512

      2fab37950e03e54ff162cd69c11050d0dc44d656eaced6678e08d6b116befa502b9fcb5581f313efcdc03c8430ca67372274fe740f8d208f3d5672eee1c2db0c

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      2766d5b615fe5a4bbb5593ffedd4771d

      SHA1

      a5665a093d9e7ae1d177c26753f951b9cf18a8b6

      SHA256

      756aec15cbb45e0f2f2cc46a3402cf6386f2cd92a50c1e8865e1653b1b772547

      SHA512

      d105e82c85c3a5e6800a61d6c345cc3c354a42bbbd3b50896109e41cde7b056246bf3ef59335b5e1d97aa62e670344b2b9f179fda606e796b14ba3ef84d780ff

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      af41cd2042e8bb46c6b0ec9e199b405c

      SHA1

      a9fefc0270a435c1245e124fe2a13c520358e0a0

      SHA256

      69ab2830bd1d5c69b14f4a0d9a97fc5840990f0483cb6164adac4c30f7f00644

      SHA512

      ea706aa3f163dec48b8884b6c1105d259671c13017aaa40649e695c78329f8ef0ebd606acc1cf2f6700f043eeba5531575537fb5e7c61ec149c9807df20d7060

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      b643f275158fdcac33bc6f1dc2fb49d9

      SHA1

      3d35f521b695440f68e7e099b3d50178d0ad4baa

      SHA256

      0d275c93dfacfd3a1d1f576ed84f1a15d3f2ab5f47749f9a626563bb3b4c2b2e

      SHA512

      351f7bb0904bfafe109f4b7136cdc54d6fa1ac915aab86f8a6d78528c5afa14dc58286db2db504784b66c5dd4d69fc9842512218530169431e00e91036e42e8e

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\dnserror[1]
      Filesize

      1KB

      MD5

      73c70b34b5f8f158d38a94b9d7766515

      SHA1

      e9eaa065bd6585a1b176e13615fd7e6ef96230a9

      SHA256

      3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

      SHA512

      927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9M0HR0P6\errorPageStrings[1]
      Filesize

      2KB

      MD5

      e3e4a98353f119b80b323302f26b78fa

      SHA1

      20ee35a370cdd3a8a7d04b506410300fd0a6a864

      SHA256

      9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

      SHA512

      d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\httpErrorPagesScripts[2]
      Filesize

      8KB

      MD5

      3f57b781cb3ef114dd0b665151571b7b

      SHA1

      ce6a63f996df3a1cccb81720e21204b825e0238c

      SHA256

      46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

      SHA512

      8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8A9A2DI\NewErrorPageTemplate[1]
      Filesize

      1KB

      MD5

      cdf81e591d9cbfb47a7f97a2bcdb70b9

      SHA1

      8f12010dfaacdecad77b70a3e781c707cf328496

      SHA256

      204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

      SHA512

      977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\CabCF80.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\CabD07E.tmp
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\TarD0B3.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\~DF697509464757D90F.TMP
      Filesize

      16KB

      MD5

      529c08b77dc86c7282bd74554b5379dd

      SHA1

      3aacbb34dc125b105ea2a000bea687c2017a52f6

      SHA256

      a8c81040b6d29b64e9ce6c6013f7413bccf5bd69813d17d07dae84e2a4ea5f22

      SHA512

      db9312ef83e2e403f2e6198a7d68311b2c3dca97ba26d32951e89e1f9ec2b14f21b15fcfcfac2ca6a9621f3806840d3ad9ff78fd89cca591d9a4831a05c2eec8

      Download Submit
    • memory/1688-0-0x0000000000400000-0x00000000004F3000-memory.dmp
      Filesize

      972KB

      Download
    • memory/1688-1-0x0000000000250000-0x0000000000256000-memory.dmp
      Filesize

      24KB

      Download
    • memory/1688-2-0x0000000000270000-0x0000000000281000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1688-8-0x00000000002C0000-0x00000000002C2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1688-9-0x0000000000400000-0x00000000004F3000-memory.dmp
      Filesize

      972KB

      Download