Analysis

  • max time kernel
    142s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-05-2024 12:38

General

  • Target

    4b1b641e76241cd722de6b9280c99faa_JaffaCakes118.exe

  • Size

    385KB

  • MD5

    4b1b641e76241cd722de6b9280c99faa

  • SHA1

    e8f9fee8704fd646d0dca1cb76de025a161f06ca

  • SHA256

    4b28468978b805a13c8e774a29901d121218e2e0dccb0a20a913987852d94aab

  • SHA512

    5dea583b5b17b24f03a9e16cea1f6227ed42e64233ac082878e68831af09f622572c2d9b9af49a43744df49ab16dc542a84889f70ada8d7fb846636a9ead006c

  • SSDEEP

    6144:wuZbIVIRqTq+nfoeul6j5SuE/PB624EzWEydvkS+sTnGoPBJDm14LH6QriBi:wukq+nfAl6j5SXxKE0eknGoPHDXHW

Malware Config

Extracted

Family

gozi

Attributes
  • build

    215165

Extracted

Family

gozi

Botnet

3159

C2

pulneselle.com

vivitempen.com

jewayelome.com

Attributes
  • build

    215165

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Modifies Internet Explorer settings (1 TTP, 64 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SetWindowsHookEx (16 IoCs)
  • Suspicious use of WriteProcessMemory (16 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b1b641e76241cd722de6b9280c99faa_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4b1b641e76241cd722de6b9280c99faa_JaffaCakes118.exe"
    1⤵
      PID:3012
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2404
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2404 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1640
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3052 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2184
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1128
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:868
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:868 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2116

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      6fef0af25caa128bfc79d8f06e6a8a25

      SHA1

      f36302e326151219165d8284a690ad4ef1e12ba7

      SHA256

      1b4ac5bbf2999499c25e859bb43e61b5814ba5dcc05b9deef6bef3f44c1fc0b9

      SHA512

      928eb6e30cbfbb03b2b01a71e1eeca2f601f5da5ad351e652aa2ff1ea5cdd5363a4ceddc056bb541ea959753de4a775f40c418323e7c541b4ae34dc60d86f912

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      3141f84a818f3b8cd22e65c33d99f37d

      SHA1

      3958dc2d22a0cd82a449a8cedeb11493daf4c67d

      SHA256

      3e23ea2de395f54cfe8cfc655e07dee39ab14bd935ab9f42381f25d6d01faaac

      SHA512

      9d2d849acf45b76cd9b9b3a64006086eab971ddccf63b43869951e780f03627401d5aa8896fc8a84763883d38bad7bb7513940706f22e36e5a8a0a800a1fa24e

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      761ff95c1a2846524a9518691f51512f

      SHA1

      97c967aa47ea80efb8436a6abf611d7a97b7e6e2

      SHA256

      d7986f41b884f907b239f434c2754e18ace9abdc8fb3fc618d5d8ad7e7b4cc79

      SHA512

      b75aece50cc5135169f17e021954e29d9530a9600fb57e5d681b2f545754bb31bedc4ae3076595d2f907fe8c218baca944f27a853b58b18bf0d2079b34c6ef4f

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      9f1a0c142541f87229bbd113b7049418

      SHA1

      b7314828fd05f046e6cacd3e133b11787b705f30

      SHA256

      af336e026ae4c928d8350d0a419281159daea577653dc2315c6aa33e9121ee95

      SHA512

      ebf5b8a259c0c08e5f6dedcc860ce987ae5de02a5332975c0bc3d07d22bca6d9c1c9ac5bf210e6fa2a3593c68d0ae035d6f51462beebaa11e1c320d4d4b2e9e4

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      c5fdc09882ad580ae37fea05744fed93

      SHA1

      50d67bce1177d052c9d6154723ecf6590dc05d06

      SHA256

      b1db15f01e24938fa3f5bf4f6700e436682f05a373acd621f6a6e9fe19314422

      SHA512

      56969b6c7cbeaa7e5834f725634ce36567f30995725fbab7a2a9c159918c31a5a5dd5a8030ebf9dc98b6492f3c5598ab7ab242e4845aa641bd92c5179407c1e7

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      403d15f07b95481f7e31d8cf6fb7dc45

      SHA1

      75a254b8a71bc34afdf4a1449591f026cb06415d

      SHA256

      35ba7ed9d99da1169030834af3d2fbc22038a9c94d3610444ec10b85f2fef351

      SHA512

      7ccf2efe3289098c4336d992396e9ba3dcbd5d9dbe537b26c674163d5c088b906f9d26136c20c9dc58a5821651bd4194986384022a2255284c695a798c9a5341

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      e248dfdfccc021034dcc22fc99d8a646

      SHA1

      c9bdd0651a1f4725ca705f7cf5a322ea1317b84f

      SHA256

      eacfc5420e5c34eb318ca4ae72b7afb5cfc85e866a7c5e119edc79bedc688275

      SHA512

      1503696bfc0ca9c5866a2bfffd2669bf6a208e3a4487b3ae11415d2d5f31c6b4c59c8448bf23ca6459020e1c5fb54073861901e295bc4c5c4ddf97e85cc44ac7

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      e0dd19e9c7c0986727cf2a42d987d7b9

      SHA1

      8839f550bd5a14ab511b18c1c4910c8becd7782e

      SHA256

      eae19ca19cd3f5f2a3114e70570d472ba9dbcfc2eef2700af0a0015a3a774f08

      SHA512

      bce8abdb3d70b2abced76c93c16de8c85f58ccbd27f5c8ff8576e7b93950144c6dd00307602cd772fc87eec304cd24ddd1e4e7626e7b46b392ebf3de5b11009f

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      4e2cc4e3c3dfd81febfc5a27f0d76f4f

      SHA1

      e31a117db0044a51a9a95382a018183567c4d98b

      SHA256

      b73f1fb9699653d5a5f5f5cc6358635f3157c4744d0e05519c4d7faa4cfdedc4

      SHA512

      67b86e70bf04a480ff24603ca70f7dd00ef184a03efe91b2173b477e615c80a9f2a417dc0f13268d9e4f11753a83efd90cfcbf7ea9a27e5c6f8328655549e5c4

    • C:\Users\Admin\AppData\Local\Temp\Cab1DC1.tmp

      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    • C:\Users\Admin\AppData\Local\Temp\Cab1E9D.tmp

      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    • C:\Users\Admin\AppData\Local\Temp\Tar1EC1.tmp

      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    • C:\Users\Admin\AppData\Local\Temp\~DFF4461BA6B13ECD0F.TMP

      Filesize

      16KB

      MD5

      eda0f79b136c23086cc3677dd4415e18

      SHA1

      13802015342a2168e1b1cd8119cd65dc57376ba4

      SHA256

      9e9c66b80b7c23f357d4970a7d11a520fff5bc26df9fa2dc0a334f807b6a7e80

      SHA512

      dd449f306dcfe0f95e2e35dcbdf46e191b98e43a271b093e6fa07f478acff0e7d566d232226ca7a41e066d9ff99179f9eb4c8f3bd1f337dabbdeb72ae771e247

    • memory/3012-0-0x0000000000BE0000-0x0000000000C55000-memory.dmp

      Filesize

      468KB

    • memory/3012-6-0x00000000001C0000-0x00000000001C2000-memory.dmp

      Filesize

      8KB

    • memory/3012-2-0x0000000000130000-0x000000000014B000-memory.dmp

      Filesize

      108KB

    • memory/3012-1-0x0000000000100000-0x0000000000101000-memory.dmp

      Filesize

      4KB