Overview

overview

10

Static

static

3

2da97d688a...18.exe

windows7-x64

10

2da97d688a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10-05-2024 05:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2da97d688a60eb489272a988b6a2f599_JaffaCakes118.exe

  • Size

    372KB

  • MD5

    2da97d688a60eb489272a988b6a2f599

  • SHA1

    f2dc8aaba9881559ea3f115548973fc77b903622

  • SHA256

    aabe2cd638f8de48485375116a3ec2fb22a21e26d2f69ff9d0161d96136534a0

  • SHA512

    06dfd818bf3ceaa81f4591f68cceaf58479d457faac773c77c172cc2cb3180ce1e3e4979b9788c2358bfde4adb48a36b96fcf4e7fe8898d0237882bd0bf7bbbd

  • SSDEEP

    6144:QfsvEug4/COMAIOVW3Uqz/HJpadR5FzmgF:QKEufaORxezE5Fz

Score
10/10
gozi3181bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214062

Extracted

Family

gozi

Botnet

3181

C2

bm25yp.com

xiivhaaou.email

m264591jasen.city
Attributes
  • build

    214062

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2da97d688a60eb489272a988b6a2f599_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2da97d688a60eb489272a988b6a2f599_JaffaCakes118.exe"
    1⤵
      PID:1836
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2456
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2456 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2400
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2852 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2876
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1496 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2596
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:108
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:108 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2112

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      006db8dce0d7abf3962b8c40e6e41d0c

      SHA1

      0bd99063423ca794dde91d66b527c567cf7e63dd

      SHA256

      27daa760c54498a1f437e2ca46b2131b6178f3d06a17679f3bfef0f98333ec3a

      SHA512

      4c7377447f9d5739ff6517fdb42e3224c93cdf23bc1f06f6bec37ff4ab81b0cf4904a98654631d24b25e67da0e5bb219579eaab7e3b99cd29bd045ecb20171f8

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      fe03f5722306be5d2c42807f6d356446

      SHA1

      53108dcd347f887da6db015505545124fb93cb8a

      SHA256

      6ed6ee940b08bc577ba563c7f25eb137d6f7f726387cda438ee2407f86fd2443

      SHA512

      fa88483f8cc918dc1d8aeb370081b22baf220dc947dec6f2415a2b823f57a22693c333fd163713283cb3c5daa62679d6509103e07e7dd8ac79c76136b904e07c

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      4265da5dc867e7577be548e23756ba5b

      SHA1

      8a3a7c6cbcd19ecd0bf08f6f5299abf926fcb25d

      SHA256

      8c1373d4ec41f3d60fcd81a3db6f330e369921fbb397b3c5ccabe33bbcc73b75

      SHA512

      029a8905faafa4d61f5a513dcf3da2bbd4927ea612c9ed44f85603a42b4e31d813239722425bba56689d05aed0cfa4654b3b9509acf8d937b8c68b6d8fdce54a

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      d31e58401cd3ff5f5362b9d804d6fb66

      SHA1

      781ddf153c27d1878eb8ed03b77233bdbe5189ab

      SHA256

      22c743069bf9db41a218d2164b2c360185d27c394a8b5a5ca28f013b28a4fb3a

      SHA512

      990eebc779bac63252804d68e9c94e6a399d8dee20187f833f78cffd3c6f871fb0424f8cec6118a35459a6a6f73d4f1b7a617f534e3801005118bda409a9017d

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      7b6204cccf094647e000de19a1f436d9

      SHA1

      2fa1ae61dfef6fb3773324ad25e252bbaab8bbcd

      SHA256

      bcc2f0fb4e9c59b2af73175b0680f8e1a18d144ff0232c55f7e11c4eb7968f13

      SHA512

      daeb54f1f6020fcb22fca2f8c1936073b5407045fb90b0c3a5e54c94f3276eca8df5992388f32410ad14761598424400a9222025cf6def04b3f13b1247033dd5

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      f7eba56e12a09188710e9ae8b97786d8

      SHA1

      95d92c8bdb0ee933678f676bdc840217ce295b8f

      SHA256

      bc47e720dd2721b317cb61a0addcd5c6fcb30c41cfd4c06c46b5355fe7c43a7f

      SHA512

      3e9df52b2f90e5cee5d02b55cd42439dedc5a6156b5de4689020bb3521c57f02b31cf8a3b28438a52e15edb5e9a8b03dd8bc80f99721f2ef531d08ca57511733

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      c65041550068374b8a783320849d8ef2

      SHA1

      29af13b890d799cc356978c4aa4dc89742a5a85b

      SHA256

      970a625966793a2ccc240fed6fc78b909db4133760329e03c688e8f5e184264e

      SHA512

      febeb09dd3ccef10b8af421b6377ce450cb2441a5deae68c3ade9c1f5a1018d138b590d54a38a1f7e62009edc15c8a3b9d8dc9522d569c7835c76d37a9d9da55

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      e5b83204f4250603f6e408054e1651d0

      SHA1

      ac8dc6760e4c80824fee1e20d69cd7e2f7856136

      SHA256

      da9db29d07e18b9d65438b96a7fee6279660570468260cd5a17b6ec3178f9f2d

      SHA512

      19574c33c6860913481f72b5ffe1f982c60c472282f351890cfb318316fe15a75d9acee30c7461d4bcd49021bb78bb1a68ff52e4908bbbeafe73fa0ab138649e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      d2ec6b3e70fe80564899b7d3dd28e436

      SHA1

      09be37bea7c1556b061d487f99bbe4aa3779f0d9

      SHA256

      183e618cfc5e068badd925c45576963800c6b648a60b1fe8379fe157184a9723

      SHA512

      4e6e75e4743e1d1fd81ccf2b702b3f50dcd44dbd7ac5a93feec8564b0f5f8a05965d60044dbf390500122098afb5516dde7ba66634fdc5db15c7fb81503e3231

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CabC7B5.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TarC887.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DFCDA0B7BC6E06DDE4.TMP
      Filesize

      16KB

      MD5

      9b2ec961466eae9cd19f9ea54d8d7f77

      SHA1

      573b6a0a16598adb508a57f0417c4ddea60faf32

      SHA256

      862c629bab5fa13974c193602b39cfaddf2d395606a389867ae3af572f388534

      SHA512

      6adc81cdf3d7fad63a589c262ab98022558603d52f717cdabffa9d1639c0e4978a6bf92ec2ca07759a8159a934f08e13365e5b1a00e6f148b6d18d25df355d4b

      Download Submit

    • memory/1836-0-0x0000000000400000-0x000000000046D000-memory.dmp

      Filesize

      436KB

      Download

    • memory/1836-6-0x00000000004E0000-0x00000000004E2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1836-2-0x00000000003C0000-0x00000000003DB000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1836-1-0x0000000000290000-0x0000000000291000-memory.dmp

      Filesize

      4KB

      Download