Analysis

  • max time kernel
    144s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-05-2024 05:15

General

  • Target

    2d87019dc99ab08a8502e1fdebe177be_JaffaCakes118.exe

  • Size

    243KB

  • MD5

    2d87019dc99ab08a8502e1fdebe177be

  • SHA1

    e51aaaccee9f82db145756bd9a58889b686f3450

  • SHA256

    9d2aa360c9712e2d7b71143a09f7bb219bd82dedfb7ab8987c43c1d8cdc3c64b

  • SHA512

    5d37598ab76da92fbe2b4d6458e8c3b66dd66ab9d0bc0de1ce767b4e66f636394e4025a9e09b39cd6c92b87cbc1d911bda731822515d599ac150022fee74bb8a

  • SSDEEP

    6144:EDLKwp//Rucg4LF3LPqYRQfoF23dnd/H:ILK5e1qBfoFgdn

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214098

Extracted

Family

gozi

Botnet

3515

C2

google.com

gmail.com

v61nkkybd.com

dee12yadira43.com

ffhyyo51y.com

(google.com and gmail.com are legitimate domains; Gozi/ISFB configurations routinely carry such entries as decoys and connectivity checks, so they are not C2 and should not be blocked on the strength of this list. The three remaining domains, plus whatever the DGA parameters below produce, are the network indicators to act on.)

Attributes
  • build

    214098

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

  • rsa_pubkey.plain

  • serpent.plain

Signatures

  • Gozi

    Gozi (also tracked as Ursnif and ISFB) is a well-known and widely distributed banking trojan. The extracted configuration identifies this sample as the loader stage (exe_type: loader), so the behaviour recorded in this report is that of the first stage, not of the banking module itself.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d87019dc99ab08a8502e1fdebe177be_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2d87019dc99ab08a8502e1fdebe177be_JaffaCakes118.exe"
    1⤵
      PID:2912
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2544 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2436
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:908
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:908 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2072
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2076
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2524
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1548
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1548 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:344
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:652
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:652 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1716
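    The tree above is flat text once extracted, and its two structural cues are easy to miss: the `N⤵` marker is the depth (the five iexplore.exe frames sit at depth 1 beside the sample, not under it), and `-Embedding` is the switch the COM runtime appends when it activates a local server, so these iexplore.exe instances were started through COM activation rather than as direct children of the sample; each IEXPLORE.EXE tab names its frame process in `SCODEF:<pid>`. Note also that the sample's own process (PID 2912) carries no signatures at all while every suspicious-API signature sits on the IE processes, which is the shape to expect from a loader that moves its work into the browser. The parser below is an added example, not code from the sandbox vendor or from this report: it recovers one record per PID from an excerpt of the tree (the data string is copied from the report above, two of the five frame/tab pairs), lists the COM-activated launches, links tabs to frames and flags any tab whose frame is missing from the tree.

```python
import re
from dataclasses import dataclass, field

# Constructed input: an excerpt of the process tree from the report above (the
# sample plus two of the five iexplore.exe frame/tab pairs), copied as plain text.
PROCESS_TREE = r"""
C:\Users\Admin\AppData\Local\Temp\2d87019dc99ab08a8502e1fdebe177be_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d87019dc99ab08a8502e1fdebe177be_JaffaCakes118.exe"
1⤵
PID:2912
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
• Modifies Internet Explorer settings
• Suspicious use of FindShellTrayWindow
• Suspicious use of SetWindowsHookEx
• Suspicious use of WriteProcessMemory
PID:2544
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2544 CREDAT:275457 /prefetch:2
2⤵
• Modifies Internet Explorer settings
• Suspicious use of SetWindowsHookEx
PID:2436
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
• Modifies Internet Explorer settings
• Suspicious use of FindShellTrayWindow
• Suspicious use of SetWindowsHookEx
• Suspicious use of WriteProcessMemory
PID:908
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:908 CREDAT:275457 /prefetch:2
2⤵
• Suspicious use of SetWindowsHookEx
PID:2072
"""


@dataclass
class Proc:
    image: str
    cmdline: str = ""
    depth: int = 0
    pid: int = 0
    signatures: list = field(default_factory=list)


def parse_tree(text):
    """Turn the flat report listing into Proc records, one per 'PID:' line."""
    procs, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("PID:"):            # closes the current record
            cur.pid = int(line[4:])
            procs.append(cur)
            cur = None
        elif line.startswith("•"):             # a signature attached to the record
            cur.signatures.append(line[1:].strip())
        elif line.startswith('"'):             # the quoted command line
            cur.cmdline = line
        elif re.fullmatch(r"\d+⤵", line):      # the depth marker
            cur.depth = int(line[:-1])
        else:                                  # an unquoted image path opens a record
            cur = Proc(image=line)
    return procs


def com_launched(procs):
    """PIDs started through COM activation: the runtime passes -Embedding."""
    return [p.pid for p in procs if p.cmdline.endswith(" -Embedding")]


def frame_of_tab(procs):
    """Map each IE tab process to the frame PID named in its SCODEF: argument."""
    links = {}
    for p in procs:
        m = re.search(r"\bSCODEF:(\d+)", p.cmdline)
        if m:
            links[p.pid] = int(m.group(1))
    return links


def dangling_frames(procs):
    """Tabs whose SCODEF frame is absent from the tree (a broken or spoofed link)."""
    pids = {p.pid for p in procs}
    return sorted(tab for tab, frame in frame_of_tab(procs).items() if frame not in pids)


def signature_counts(procs):
    """How many processes each signature fired on."""
    counts = {}
    for p in procs:
        for s in p.signatures:
            counts[s] = counts.get(s, 0) + 1
    return counts
```

    Run against the full tree, `com_launched` returns the five frame PIDs (2544, 908, 2076, 1548, 652) and `frame_of_tab` pairs each tab with its frame; a tab that names a frame PID not present in the tree is the thing to look at, since a real IE tab always has a live frame.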

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      fc09fd311f70b307ea8631a1b4879375

      SHA1

      fd407cd52e566a1f1b3c5d0b1ca7a63cf65fd427

      SHA256

      ee2beaace9d6e1c5267e2c80b763ec7f172f78434c1085d7aef1434869d83fb6

      SHA512

      a4eb1c6f4bedf9f834ce7bd7a157a92e34c81e0e2bc401f9639e0d4a9c27c29f7cb1b7060e37c7fc17149c29d84373f254235e0996fc53336c279fda1a0c25c4

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      dbd3d3a5a0424bffc6421d28bc26dbd1

      SHA1

      fec69a2ed5e1d37fad0e01be9d845f4b44187e88

      SHA256

      ae0fd21573a1f542023e95b8cb6fe8ae15aebb63ee2a389d6f5f9f277ecdbe64

      SHA512

      e7fd3d9588db6b07a16659b9d492704201d9e579e26499a4e6aabd9f4b51fdb780703d08b680be971d9b05370eb314597a920ef2331d4ef03cf45fca1dc33d37

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      492ee8b76e518800229566c8ed5b05d3

      SHA1

      257e681046ca8f8c10b94efd05ada752728c9e24

      SHA256

      e203b7903d88386ff6e8dadbc03a3d764729f3681ad1c2771e8550ed13e21684

      SHA512

      e8e743bb71626dab0f7b6de4db0eedddb5c9bcf89dee815abb94bf8dbe3f842cb1e5974de6f52f21607f9d2b449911ab7046402e1c0c12801d7a67aa50e796fb

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      931846a576eaa5c300b869b0572ad796

      SHA1

      2c144d56c399b21a833c314c082242576793d803

      SHA256

      1cf81df0d904fa8b505182cc767cfcbc04d53b6a4eef72ec202ca9d6612366f8

      SHA512

      9c6dca565ec1dc2c04ee992318d886581087a468a8b533ad28e226384379fc9fe5c4485ba9a8f695681a67211911faa3f60272b041fe6caa2c871ad4f2ccdec1

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      60b9e4dffc3bcf6922ece297d6653208

      SHA1

      da94af572775c19a61a2c671fa346ca1c0a61546

      SHA256

      3c88ac86a9a90a9df111b7aa74d280c24f66140ccf22d041b5e6d25d6cef7764

      SHA512

      c3ca7bea28bf105cf3d58127f1ebc81db26a4ee05625ec77cf9d9e9474df218cf6bea314d9f821f14f098f766a341d868374a41f06eb201767a417565f6a8dfb

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      b79f43e6f11977b270478c57259d91ed

      SHA1

      518e4535fc4b17e3e1418240644514aafed4a7df

      SHA256

      60e61a5b39684d76d9d679d50ec7049276707b8798b792090dc1565d9db0ef39

      SHA512

      da31049e7a2930b13e29b16d3aa9008fd8f9ff979cc74f934820aa0d26e6e945677b2f28c2e63cd44ca5d074fe6cdb3962c14fda3044612f0d121d9b77c923d8

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      c7b4851cf080e0c4e410cef7b206743a

      SHA1

      6119dc772b751ca18e4c080a03da46cbd1f80569

      SHA256

      e99182d8a513bdf2e3645d8d404e385ae53dcb7999db929d822ca6d06d621cfe

      SHA512

      f2be7d65b1627d2759889941fd4722785013a85ceca15d9cd5af376529abc7ff685f77bb842c145f83dafb05561ed652b9018a8989b6c606863b5c2beb2f80ea

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\googlelogo_color_150x54dp[1].png

      Filesize

      3KB

      MD5

      9d73b3aa30bce9d8f166de5178ae4338

      SHA1

      d0cbc46850d8ed54625a3b2b01a2c31f37977e75

      SHA256

      dbef5e5530003b7233e944856c23d1437902a2d3568cdfd2beaf2166e9ca9139

      SHA512

      8e55d1677cdbfe9db6700840041c815329a57df69e303adc1f994757c64100fe4a3a17e86ef4613f4243e29014517234debfbcee58dab9fc56c81dd147fdc058

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\robot[1].png

      Filesize

      6KB

      MD5

      4c9acf280b47cef7def3fc91a34c7ffe

      SHA1

      c32bb847daf52117ab93b723d7c57d8b1e75d36b

      SHA256

      5f9fc5b3fbddf0e72c5c56cdcfc81c6e10c617d70b1b93fbe1e4679a8797bff7

      SHA512

      369d5888e0d19b46cb998ea166d421f98703aec7d82a02dc7ae10409aec253a7ce099d208500b4e39779526219301c66c2fd59fe92170b324e70cf63ce2b429c

    • C:\Users\Admin\AppData\Local\Temp\CabA3E0.tmp

      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    • C:\Users\Admin\AppData\Local\Temp\TarA4B2.tmp

      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    • C:\Users\Admin\AppData\Local\Temp\~DF0002FFF232B09259.TMP

      Filesize

      16KB

      MD5

      f8c1d4c7950a1fda11d02a430c19e2a9

      SHA1

      8bb6d262654f7e605cbf8ea9c001da0f9dc3acd3

      SHA256

      760825a8a0f8b3fd19aa3558e1cec6d476e49e3b84d8d3ad08956395857639a9

      SHA512

      808b09f3fb4348ea08b7848ae5f19b1098fb40c41fe28ebc1265d41529e5ed3383f0eae991565f05a4f8107f7bcdccfb80554d818e4bc4224225c661c30a6e0c

    • memory/2912-0-0x0000000000A10000-0x0000000000B48000-memory.dmp

      Filesize

      1.2MB

    • memory/2912-10-0x0000000000270000-0x0000000000272000-memory.dmp

      Filesize

      8KB

    • memory/2912-3-0x00000000000C0000-0x00000000000CF000-memory.dmp

      Filesize

      60KB

    • memory/2912-2-0x0000000000A10000-0x0000000000B48000-memory.dmp

      Filesize

      1.2MB

    • memory/2912-1-0x0000000000A4C000-0x0000000000A4F000-memory.dmp

      Filesize

      12KB
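    The list above mixes two kinds of entry: file paths with a size and four hashes, and `memory/<pid>-<n>-<start>-<end>-memory.dmp` names for regions dumped from the sample's process (PID 2912), where the stated size is simply end minus start. Nearly all of the files are what Windows and Internet Explorer write on their own once IE is running: `CryptnetUrlCache` is the CryptoAPI download cache for CRLs and certificate trust lists (the same `MetaData` path appears seven times with different hashes because that one file was rewritten on each fetch, not because seven files were dropped), `Content.IE5` is the IE page cache (the Google logo is consistent with IE having been pointed at google.com, the first entry in the config's C2 list), and the `Cab*.tmp`/`Tar*.tmp` pair is what CAB extraction typically leaves in `%TEMP%`. None of these is a Gozi payload, and their hashes should not be circulated as Gozi indicators. The script below is an added example, not code from the report or the sandbox vendor: it parses an excerpt of the list (the data string is copied from the report above), checks each memory region's stated size against its address range, and splits file paths into expected noise and files to review using an assumed path classifier that is mine, not the sandbox's.

```python
import re

# Constructed input: an excerpt of the Downloads list from the report above
# (one CryptoAPI cache file, one %TEMP% file, two memory regions), copied as text.
DOWNLOADS = r"""
• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB
MD5
29f65ba8e88c063813cc50a4ea544e93
SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
• C:\Users\Admin\AppData\Local\Temp\~DF0002FFF232B09259.TMP
Filesize
16KB
MD5
f8c1d4c7950a1fda11d02a430c19e2a9
SHA1
8bb6d262654f7e605cbf8ea9c001da0f9dc3acd3
SHA256
760825a8a0f8b3fd19aa3558e1cec6d476e49e3b84d8d3ad08956395857639a9
SHA512
808b09f3fb4348ea08b7848ae5f19b1098fb40c41fe28ebc1265d41529e5ed3383f0eae991565f05a4f8107f7bcdccfb80554d818e4bc4224225c661c30a6e0c
• memory/2912-0-0x0000000000A10000-0x0000000000B48000-memory.dmp
Filesize
1.2MB
• memory/2912-3-0x00000000000C0000-0x00000000000CF000-memory.dmp
Filesize
60KB
"""

HASH_KEYS = ("MD5", "SHA1", "SHA256", "SHA512")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}
MEM_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

# Assumed classifier, not part of the report: substrings of paths that Windows and
# IE fill on their own (CryptoAPI cache, IE page cache, CAB extraction temp files).
EXPECTED_NOISE = (
    r"\Microsoft\CryptnetUrlCache",
    r"\Temporary Internet Files\Content.IE5",
    r"\AppData\Local\Temp\Cab",
    r"\AppData\Local\Temp\Tar",
)


def parse_size(text):
    """'1.2MB' -> 1258291; the report rounds, so compare with a tolerance."""
    m = re.fullmatch(r"([\d.]+)(B|KB|MB)", text)
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_downloads(text):
    """One dict per '•' entry: path, size in bytes, and lower-cased hash keys."""
    entries, cur, key = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("•"):
            cur = {"path": line[1:].strip()}
            entries.append(cur)
        elif line == "Filesize" or line in HASH_KEYS:
            key = line                      # next line carries this field's value
        elif key == "Filesize":
            cur["size"], key = parse_size(line), None
        elif key in HASH_KEYS:
            cur[key.lower()], key = line, None
    return entries


def memory_regions(entries):
    """Decode memory/<pid>-<n>-<start>-<end> names and check the stated size."""
    out = []
    for e in entries:
        m = MEM_RE.fullmatch(e["path"])
        if not m:
            continue
        pid, idx, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
        span = end - start
        out.append({"pid": pid, "index": idx, "start": start, "end": end, "bytes": span,
                    "size_matches": abs(span - e["size"]) <= 0.05 * span})
    return out


def triage_files(entries):
    """Split file entries into expected Windows/IE noise and paths worth a look."""
    noise, review = [], []
    for e in entries:
        if e["path"].startswith("memory/"):
            continue
        (noise if any(p in e["path"] for p in EXPECTED_NOISE) else review).append(e["path"])
    return noise, review


def hunt_hashes(entries, algo="sha256"):
    """Unique file hashes of the given algorithm, ready for a hunt query."""
    return sorted({e[algo] for e in entries if algo in e})
```

    The memory-region check is the useful sanity test when a report is copied by hand: the 1.2MB region at 0xA10000 spans 0x138000 bytes, and the 60KB region at 0xC0000 spans exactly 0xF000, so both sizes agree with their ranges. Feed `hunt_hashes` only the `review` paths, never the `noise` ones, when building a blocklist from a report like this.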