Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-05-2024 02:53

General

  • Target

    1a6c3538fdc7f47444941df8698b068e_JaffaCakes118.exe

  • Size

    972KB

  • MD5

    1a6c3538fdc7f47444941df8698b068e

  • SHA1

    f0a71eec25204c81e4f4fb7a91110a8fd3bedeab

  • SHA256

    30bb7b0a988a5d25a8a9da3f01634e49792acd8f97d05fb162971b3307654056

  • SHA512

    dd8268951b3de43fd32f85713d18a264e08c68c44ad31741f0067b8c8cfed4d981889151b1d34a407bbbc1f12c56db6d48e59ce12ebdc2209f078ecd167ce636

  • SSDEEP

    6144:AqqZdrSLcCjbcU5h7bALnlpSIu5U7/AW+NtBgn3CqzwdGUm66e5z/+QrcpTOV8Ns:SdrIwU5hT

Malware Config

Extracted

Family

gozi

Attributes
  • build

    300768

Extracted

Family

gozi

Botnet

201909031

C2

https://ciaraburkett.xyz

Attributes
  • build

    300768

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 11 IoCs
  • Suspicious use of SetWindowsHookEx 44 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a6c3538fdc7f47444941df8698b068e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1a6c3538fdc7f47444941df8698b068e_JaffaCakes118.exe"
    1⤵
      PID:3568
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:3340
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3144
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3144 CREDAT:17410 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:2352
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4332
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4332 CREDAT:17410 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:4100
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1104
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1104 CREDAT:17410 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:2308
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4392
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4392 CREDAT:17410 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:1064
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2516
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2516 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4384
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3384
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3384 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4196
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3708
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3708 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:5020
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3688
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3688 CREDAT:17410 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:3676
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3760
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3760 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4124
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4052
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4052 CREDAT:17410 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:2768
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3012
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3012 CREDAT:17410 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:3380

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\693APRNP\httpErrorPagesScripts[1]
        Filesize

        11KB

        MD5

        9234071287e637f85d721463c488704c

        SHA1

        cca09b1e0fba38ba29d3972ed8dcecefdef8c152

        SHA256

        65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649

        SHA512

        87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6WJSJ70T\NewErrorPageTemplate[1]
        Filesize

        1KB

        MD5

        dfeabde84792228093a5a270352395b6

        SHA1

        e41258c9576721025926326f76063c2305586f76

        SHA256

        77b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075

        SHA512

        e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GHECI205\errorPageStrings[1]
        Filesize

        4KB

        MD5

        d65ec06f21c379c87040b83cc1abac6b

        SHA1

        208d0a0bb775661758394be7e4afb18357e46c8b

        SHA256

        a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

        SHA512

        8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VQ4FFWVS\dnserror[1]
        Filesize

        2KB

        MD5

        2dc61eb461da1436f5d22bce51425660

        SHA1

        e1b79bcab0f073868079d807faec669596dc46c1

        SHA256

        acdeb4966289b6ce46ecc879531f85e9c6f94b718aab521d38e2e00f7f7f7993

        SHA512

        a88becb4fbddc5afc55e4dc0135af714a3eec4a63810ae5a989f2cecb824a686165d3cedb8cbd8f35c7e5b9f4136c29dea32736aabb451fe8088b978b493ac6d

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VQ4FFWVS\down[1]
        Filesize

        748B

        MD5

        c4f558c4c8b56858f15c09037cd6625a

        SHA1

        ee497cc061d6a7a59bb66defea65f9a8145ba240

        SHA256

        39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

        SHA512

        d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

      • C:\Users\Admin\AppData\Local\Temp\~DF71E3EFBFD7EF8455.TMP
        Filesize

        16KB

        MD5

        94b1b1762704457fe8d0d8016f99edfa

        SHA1

        eb1b7a3dcad45dac54ce3d2ea7dc1f37c459f72d

        SHA256

        15fe5b6d62a43c170c262392acf3a5a45d5ee7bfa8e610d2bf944daaa9ae4093

        SHA512

        8bf65e07eb5c3751894e07d2d14225fe423de19475ac0e1ca6d061394446a8011c65a703b174f0a59c9e2c3d0ea472758cf0adbf406c9ac84b8bc2b45cd8f6ac

      • memory/3568-1-0x0000000000680000-0x0000000000686000-memory.dmp
        Filesize

        24KB

      • memory/3568-0-0x0000000000400000-0x00000000004F3000-memory.dmp
        Filesize

        972KB

      • memory/3568-2-0x00000000006A0000-0x00000000006B1000-memory.dmp
        Filesize

        68KB

      • memory/3568-13-0x0000000000400000-0x00000000004F3000-memory.dmp
        Filesize

        972KB