Overview

overview

10

Static

static

3

1bb9fbe8e1...18.exe

windows7-x64

10

1bb9fbe8e1...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    06-05-2024 08:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1bb9fbe8e1e77efdb8f005aaf2f45cc5_JaffaCakes118.exe

  • Size

    372KB

  • MD5

    1bb9fbe8e1e77efdb8f005aaf2f45cc5

  • SHA1

    696c16e11b75113c55571b50e570ebf7cbda5099

  • SHA256

    906aa89aa8d9e6cd9645fec5b4318b080689a97a06be27ee254ff0cf681314a8

  • SHA512

    02186a34dc5931675d3270e34077b39a9f807f57c3f17a6b3d3ca5e322285013286ae657febc39872afbcdd4e0127189a22918a7d0c8a5bc76b2166e3811aa0d

  • SSDEEP

    6144:QfsvEug4/COMAIOVW3Uqz/HJpadR5FzxgF:QKEufaORxezE5Fz

Score
10/10
gozi3181bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214062

Extracted

Family

gozi

Botnet

3181

C2

bm25yp.com

xiivhaaou.email

m264591jasen.city
Attributes
  • build

    214062

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1bb9fbe8e1e77efdb8f005aaf2f45cc5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1bb9fbe8e1e77efdb8f005aaf2f45cc5_JaffaCakes118.exe"
    1⤵
      PID:1652
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2548 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2400
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1260 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2056
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2876 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2084
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1764 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:676

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      8ee63d3dde066d1f2305940d4846c343

      SHA1

      d8d32846e3317f835d2ad3857f1270c907fe5a81

      SHA256

      a693fc970ea690ea93e37729122afb1908bec0ecc3246206b30e09fb1ecd49f0

      SHA512

      cd310281953e183d483cde1cbb1342939309c3fb1271f0491a96f93d9ab0f177551d86b79573f205de1a6ae2aec35b2bf86711cc5f8fefd1284b28c1f59cc04f

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      d231ef4786c663af970dc2af088ae278

      SHA1

      a07ba3f70064a2c9ffa030a012902a06b3d55b4f

      SHA256

      b8b5388bd90e578bee03078ef256f3d9c9af3f83048a32a73157317b51f3cadd

      SHA512

      dae72367977eee064973e1eb324021f26dc05ffa23056e21d3c44f4dbf6ac5c95325a0d7ae225e945b6c993b1667a1ee3579d70ff270e0e76ad50b131b636366

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      82289057fd8847bd4544cb09052ab6db

      SHA1

      bc2fc5675fc6ffee73b10675ea1663797dc765c8

      SHA256

      e4032a3c389079a101df6d9e5676e023e5b1cdff9827e49e948b1865112fb89d

      SHA512

      63ceb3ce36adb4ae4c30834e3d847eeef1faf42f04acec1ce8f70f483674a3698e4b60d2a65ce488662ac2caad0ee54ce108ecee5ce8e22625555a6c24e823b9

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      2d7c01ad06f6c97da8fd40a606fc8748

      SHA1

      067f3fa50b940a86837fbff4c263bc46097c8687

      SHA256

      f9f8888af5a8139d86978e1f4117453ecb5571d3ecfe20841e1643fdb6c235c5

      SHA512

      d817c7054d9effe08dc3e480574331068ee7d6b47db256ef430d20d761141cbeb14fccb580901692437905dc4e32e37815d3600774d9f521ddba37cffbee7249

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      e2b2009fb0a7f3cca30944bb04e1cba1

      SHA1

      b19aed679f8051bf2762a620c1a8958637c8106a

      SHA256

      7519a69e5d72bc39a0f32104c43d4c53e8b470e8790c382b89a85c4be56866ab

      SHA512

      870ac042d8ed55758b53e114e2c6289eaba148b8fadba119ba4d762afc16e50c0dfd6f99fc6e81c4dd8254e40eaae7b73f6b3b7e8d1fae25abc68b169559ea0f

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      893ceff8c1ea27c640ca1623023ba12c

      SHA1

      2de885cb6e23b65223cc55d81db9cb316d61c530

      SHA256

      61c562bb5c819c8c33c45d37be6e9378c8f51d79b0ed8673c5767a9af6442bef

      SHA512

      c474732314680084a84b3080a3d95da89589982770ee89ada5bff045f1741266d55188568ecacf3d4ec7d51e771e355aad9e190198e9e72051341dae002bdfff

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      a33e784021b9639ee989ad8090cef7ed

      SHA1

      c62e1aa847ec74ab64c310247a294ad6c86cff41

      SHA256

      cea20074a145846b676d5471d5c3e2a2cc6186d1ae8602efc0fd578cca1b0ce8

      SHA512

      8a2a9d13d46c224b9b9b0cfe5bcee3aabb459ee1d78dc50c529c03d0482fc8b41b1b016ca69b3bd0dd2becfea55b3109a81cfe3e5006c31e235d73409871b95f

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      3831aa033a0ba5041c1a0d0679ea3b46

      SHA1

      0839ac420b4616b82b1aa5b0b5580311eb52148d

      SHA256

      c8059adbf140d374709ccce6bb579ef50a6443b444393b93823b6421d989f1d9

      SHA512

      5a1d358cb04e8e80cd368ed083103e02318252d8b9a7ccec07776c0128116b492049363c3a581c2289acee7d2e88c99414c249553e52f15df68bcb31a403d609

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      47224408def44f863a9b994f47245213

      SHA1

      978b5fcc2193375c1f999b3ab9fdbc1a0f974b62

      SHA256

      d8228ce9cf1c5f6871bc20085427a849f313b51d1a9f8f015dd4d6bcb984d6aa

      SHA512

      c50fcfc7d93a6b8fcb788b9ee2e2717e0f28d744c01462f6a3e02636a845cbf9b60ba4dc400b44b217d80a19eb732d391f3e5fd6c3a0bc11098bd9f5e0eb8d7b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\CabD79D.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\TarD86F.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\~DFB0AE2FA4669E2710.TMP
      Filesize

      16KB

      MD5

      e964ab9f6581dc3ffb3996b59ead2096

      SHA1

      96c424b7aef7b3cf3bed380917c1a4cd75b50ac5

      SHA256

      df89c038e074e93bf48460f5b6ea825e76bda53e1a57b8715eeda1f4d91a8164

      SHA512

      a71630bd2222148b4fe560e42ccb6ea149d64fb4c7216ec523c6c494333dee58870e869ba54c36f2253930818378079047729792e765d8afd834938e9316e0e7

      Download Submit
    • memory/1652-1-0x0000000000290000-0x0000000000291000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1652-6-0x0000000000390000-0x0000000000392000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1652-2-0x0000000000370000-0x000000000038B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/1652-0-0x0000000000400000-0x000000000046D000-memory.dmp
      Filesize

      436KB

      Download