Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240508-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    10-05-2024 05:15

General

  • Target

    2d87019dc99ab08a8502e1fdebe177be_JaffaCakes118.exe

  • Size

    243KB

  • MD5

    2d87019dc99ab08a8502e1fdebe177be

  • SHA1

    e51aaaccee9f82db145756bd9a58889b686f3450

  • SHA256

    9d2aa360c9712e2d7b71143a09f7bb219bd82dedfb7ab8987c43c1d8cdc3c64b

  • SHA512

    5d37598ab76da92fbe2b4d6458e8c3b66dd66ab9d0bc0de1ce767b4e66f636394e4025a9e09b39cd6c92b87cbc1d911bda731822515d599ac150022fee74bb8a

  • SSDEEP

    6144:EDLKwp//Rucg4LF3LPqYRQfoF23dnd/H:ILK5e1qBfoFgdn

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214098

Extracted

Family

gozi

Botnet

3515

C2

google.com

gmail.com

v61nkkybd.com

dee12yadira43.com

ffhyyo51y.com

Attributes
  • build

    214098

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

  • rsa_pubkey.plain

  • serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d87019dc99ab08a8502e1fdebe177be_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2d87019dc99ab08a8502e1fdebe177be_JaffaCakes118.exe"
    1⤵
      PID:1044
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4332,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:8
    1⤵
      PID:3156
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
      PID:1736
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4356
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4356 CREDAT:17410 /prefetch:2
      2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:960
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1436
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1436 CREDAT:17410 /prefetch:2
      2⤵
        • Suspicious use of SetWindowsHookEx
        PID:5012
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3484
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3484 CREDAT:17410 /prefetch:2
      2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1828
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:696
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:696 CREDAT:17410 /prefetch:2
      2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3564
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4780
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4780 CREDAT:17410 /prefetch:2
      2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2844

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7UY3WOJS\googlelogo_color_150x54dp[1].png

    Filesize

    3KB

    MD5

    9d73b3aa30bce9d8f166de5178ae4338

    SHA1

    d0cbc46850d8ed54625a3b2b01a2c31f37977e75

    SHA256

    dbef5e5530003b7233e944856c23d1437902a2d3568cdfd2beaf2166e9ca9139

    SHA512

    8e55d1677cdbfe9db6700840041c815329a57df69e303adc1f994757c64100fe4a3a17e86ef4613f4243e29014517234debfbcee58dab9fc56c81dd147fdc058

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YOJF4VYG\robot[1].png

    Filesize

    6KB

    MD5

    4c9acf280b47cef7def3fc91a34c7ffe

    SHA1

    c32bb847daf52117ab93b723d7c57d8b1e75d36b

    SHA256

    5f9fc5b3fbddf0e72c5c56cdcfc81c6e10c617d70b1b93fbe1e4679a8797bff7

    SHA512

    369d5888e0d19b46cb998ea166d421f98703aec7d82a02dc7ae10409aec253a7ce099d208500b4e39779526219301c66c2fd59fe92170b324e70cf63ce2b429c

  • C:\Users\Admin\AppData\Local\Temp\~DF5604CB321DBD5856.TMP

    Filesize

    16KB

    MD5

    47f6aa5634edacd8df77657f966cebca

    SHA1

    a80b83e410816def59fd0e110a1fd89e1d2d3a4e

    SHA256

    eeabc77dffa7fe76afa48fd7759fa91868dadbfd2c8303e67ff0ddfe0c445263

    SHA512

    2c0a5e155d8d3422a1a8d189fafb6ea30636cd99fbef1affaf1d52fcb9b6093d45d1c5b051e7bd5ba8dd91ba1d8ed184ea216285c15fca7f060bac0bcb1d907f

  • memory/1044-0-0x00000000007C0000-0x00000000008F8000-memory.dmp

    Filesize

    1.2MB

  • memory/1044-2-0x00000000007C0000-0x00000000008F8000-memory.dmp

    Filesize

    1.2MB

  • memory/1044-1-0x00000000007FC000-0x00000000007FF000-memory.dmp

    Filesize

    12KB

  • memory/1044-3-0x0000000000630000-0x000000000063F000-memory.dmp

    Filesize

    60KB

  • memory/1044-16-0x00000000007C0000-0x00000000008F8000-memory.dmp

    Filesize

    1.2MB