Overview

overview

10

Static

static

3

3f42856db2...18.exe

windows7-x64

10

3f42856db2...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    13-05-2024 11:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3f42856db23e3a13137000d97c98676f_JaffaCakes118.exe

  • Size

    269KB

  • MD5

    3f42856db23e3a13137000d97c98676f

  • SHA1

    fde468396db07317d04a8f3aaa30d4bd4e9547db

  • SHA256

    a7f0d9394f40fffcdce6875a613bff3a11e8d8811d3ec413ac0316498b2bf4d8

  • SHA512

    4891aef3213a686d31a9bc2384ce634d355167ed9321663297630e3cf6347ca7315dc2aae8a12ed26f29b7381d483b31084b3b38a1c9ce15b801a012b4aeaeba

  • SSDEEP

    6144:LVfmmDgASD5W/adCxsT4/YFqBcIsBGOhN/35:LVfjDmtW/adCC4/UIsBhN/5

Score
10/10
gozi3151bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    215165

Extracted

Family

gozi

Botnet

3151

C2

zardinglog.com

sycingshbo.com

imminesenc.com
Attributes
  • build

    215165

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f42856db23e3a13137000d97c98676f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3f42856db23e3a13137000d97c98676f_JaffaCakes118.exe"
    1⤵
      PID:1688
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2664 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2540

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      fe0dd4ad8a9a3f26499e32412d00bbd0

      SHA1

      edf151b207e8773f38e841c5164f65ce5cbad868

      SHA256

      7fb1764bd50c007051935696a6cddb5923ab4757a52ccde818054d2f48304887

      SHA512

      b715c55ad34b77aeaf7bc808c660031e4d8e4b22df8048aba23e8152c55bd231d5608960a596c79e00d31fd300695793186bdddbe5500724e49cbe23d962a3ce

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      f6b784e52c9417c67dc80e38c0609b26

      SHA1

      7dcc1441cfad26b3c3e17d8dd26aa42da65cee3b

      SHA256

      7445d67cf5af5c4858bfecc4f29f2e55fc5ca11f78b941178a7533f98eda8ae6

      SHA512

      6107b83f3f6c4d8699e1ccc166cd63bd5bae09482f164be4e49b9f98216296e206b069b7ca77ff0dd858204436d87521e3b731eba783f68771b9de02fdfacd4d

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      cc1036b5b75612fde0f3097668070567

      SHA1

      342d4b04d21c52c1f78fcc75ed46341281545452

      SHA256

      1856b29b34caa8b0a706f5319de60b36e8fc80f1ed78b22ea72711905123d98b

      SHA512

      4ca29fc354120f31d62f093b9cd46e6ded3c6c15cd81411c534d8d57d92d61a64c12d5953e94d66a2dfa4058ff39aa0e236d3e0412ba98ed087aac15edd972a3

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      cefc02119296d1a48dc562c32482c80f

      SHA1

      bd5e2c278bace7ec5a7321c17e62a159389896d0

      SHA256

      0a92c25c4a48bfde3f171c6b3071cf02295e0d8c1ef657211af835a290b67b7c

      SHA512

      451694f7dd923231b817f5250d6fd166b10bf679009918ffc45c9e835d34396ef7975be9c3f0bd32ff505ec2005be494b641107ddbf2ebd93e035cf2cdbac4f1

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      39e46036c82601cd4306391e3c2e558d

      SHA1

      b03914529bc575f70588d3142072c4b9b142e6e2

      SHA256

      4685f950939801fbd8c0c9702f0ba738eaa8d1c97ca2b4710ddc38a229ecbb02

      SHA512

      b5c5f68866dc17fb75ecf6b8a639d9cf2fff1d9cfe42ab13eb511ce6713f8fab69ef41cf30639f1ec692e0cb67ea34ea0dbf46843e890f15b3809f88a53e06c2

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      ceadadf85688e5c90e4584e0360bcb79

      SHA1

      38bad2a7c350bdf5a3292949c7a5768a3c60d471

      SHA256

      713cd5f893e1cf9af744dc3c92ab54e491dd41f4bbf34f8fb160d1aca7079131

      SHA512

      9d55f6c1d547c8b9589994016b981e22f384eb1ed5c6c4dda22163f278a520304564138e8c474933dc60dc751988ab9a7c00a1ad34b87e3345ec5937d7fdae60

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CabA892.tmp
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TarA8F2.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      Download Submit

    • memory/1688-0-0x0000000001070000-0x00000000010C3000-memory.dmp

      Filesize

      332KB

      Download

    • memory/1688-1-0x0000000000080000-0x0000000000081000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1688-2-0x0000000000280000-0x000000000029B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1688-6-0x0000000000410000-0x0000000000412000-memory.dmp

      Filesize

      8KB

      Download