Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-05-2024 11:12

General

  • Target

    45e6b81fdfdfaf9a582da71ee8ecc31a_JaffaCakes118.exe

  • Size

    243KB

  • MD5

    45e6b81fdfdfaf9a582da71ee8ecc31a

  • SHA1

    4cf4ecf9f7ed6c679a56ba60ce2f31a641b7706a

  • SHA256

    7ec041d61421cad2722cc5af36301213f0503a97fdfe44c15d6ab736e019ea0a

  • SHA512

    94f235393a6fb2964e5254f187ce85daa72d2a77585af236e7064a0eb96da7154587a2fd83e53f3d3c5c3de78e3b9e455294304c3f8e4af4ad5eea2d28817ca7

  • SSDEEP

    6144:EDLKwp//Rucg4LF3LPqYRQfoF2Cdnd/H:ILK5e1qBfoFFdn

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214098

Extracted

Family

gozi

Botnet

3515

C2

google.com

gmail.com

v61nkkybd.com

dee12yadira43.com

ffhyyo51y.com

Attributes
  • build

    214098

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\45e6b81fdfdfaf9a582da71ee8ecc31a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\45e6b81fdfdfaf9a582da71ee8ecc31a_JaffaCakes118.exe"
    1⤵
      PID:1176
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:4940
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1912
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1912 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2952
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4952
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4952 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1680
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5076
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5076 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:624
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1484
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1484 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4832
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1604
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1604 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2456

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\googlelogo_color_150x54dp[1].png

        Filesize

        3KB

        MD5

        9d73b3aa30bce9d8f166de5178ae4338

        SHA1

        d0cbc46850d8ed54625a3b2b01a2c31f37977e75

        SHA256

        dbef5e5530003b7233e944856c23d1437902a2d3568cdfd2beaf2166e9ca9139

        SHA512

        8e55d1677cdbfe9db6700840041c815329a57df69e303adc1f994757c64100fe4a3a17e86ef4613f4243e29014517234debfbcee58dab9fc56c81dd147fdc058

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W5OVUPOF\robot[1].png

        Filesize

        6KB

        MD5

        4c9acf280b47cef7def3fc91a34c7ffe

        SHA1

        c32bb847daf52117ab93b723d7c57d8b1e75d36b

        SHA256

        5f9fc5b3fbddf0e72c5c56cdcfc81c6e10c617d70b1b93fbe1e4679a8797bff7

        SHA512

        369d5888e0d19b46cb998ea166d421f98703aec7d82a02dc7ae10409aec253a7ce099d208500b4e39779526219301c66c2fd59fe92170b324e70cf63ce2b429c

      • C:\Users\Admin\AppData\Local\Temp\~DF732948C4AF9621DA.TMP

        Filesize

        16KB

        MD5

        866fa7fb7c049a1002b6ea1d67788cb3

        SHA1

        76a076b92d79a6b7572f9c7d2a32cb8b855d3664

        SHA256

        d308963cdbef87ca66dd8f2eabdaad3968ea4ba1b6fded89a678acaab3ebfc38

        SHA512

        866d6afe09d96767ed835ad165a3e13b4456b0ce7a0cde929a0365b9ed0cd7b7575d076829bc15613293e8ee7f90284e7d5e377f3e0aa8116e58391e3650c809

      • memory/1176-0-0x0000000000A80000-0x0000000000BB8000-memory.dmp

        Filesize

        1.2MB

      • memory/1176-2-0x0000000000A80000-0x0000000000BB8000-memory.dmp

        Filesize

        1.2MB

      • memory/1176-1-0x0000000000ABC000-0x0000000000ABF000-memory.dmp

        Filesize

        12KB

      • memory/1176-3-0x0000000000A40000-0x0000000000A4F000-memory.dmp

        Filesize

        60KB

      • memory/1176-14-0x0000000000A80000-0x0000000000BB8000-memory.dmp

        Filesize

        1.2MB