Overview

overview

10

Static

static

3

4b6231e3a1...18.exe

windows7-x64

10

4b6231e3a1...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    125s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    16-05-2024 13:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4b6231e3a1ac05228c4985cb41d6e307_JaffaCakes118.exe

  • Size

    485KB

  • MD5

    4b6231e3a1ac05228c4985cb41d6e307

  • SHA1

    288c3017211c15a6f3165d36df104441bc283183

  • SHA256

    0be6b83bd43ea4dd75e061b4cde95c564a0bb6296400b1b32326323c6d1849cb

  • SHA512

    ef215a2688270d6237ff3b4daf77cb67830cad55501bf2aa5db31754bbddf74518442c5ea441dc7820bd38a634a231574b8c7a5c46f962697e4ccc4a2a0d48ff

  • SSDEEP

    12288:mD9UDevpMtdoe83GWLh6iVMGP1tYLwqYZy4e:hiq/H8hh6O91tqHYZS

Score
10/10
gozi3140bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    215165

Extracted

Family

gozi

Botnet

3140

C2

isatawatag.com

bosototsuy.com

atamekihok.com
Attributes
  • build

    215165

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b6231e3a1ac05228c4985cb41d6e307_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4b6231e3a1ac05228c4985cb41d6e307_JaffaCakes118.exe"
    1⤵
      PID:2476
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2692 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2284
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:768
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:768 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1444
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2332 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2576
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2280 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2348

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      549aba5b9682a732685755c7b12d47a6

      SHA1

      e16523bf776f78a0df207b1845f33d3efe1967a3

      SHA256

      c416c0ac1fb804fed75d223164cc5cfebbe3f9a5619ac954d49636604ed7cdf3

      SHA512

      2e1beabdf2fc22e0e8c10283e62ab5e79d3a4801dbb402caf694353c49e4cfec0ca7375502b02d1aa8e6609f0998eab4946ad3dceca3424522e8c01571bea72e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      92745dc75b3fa4124bbb770759caa0d1

      SHA1

      d4019b3caa99c72505f0b09740ce95511568e37e

      SHA256

      cedb0100c801907e825da631c9c5f3ff254bfe8bfb73a6b4be87dd70ae993fce

      SHA512

      eea894aafd6bbdac0a78a47fd13392453745ff7a79fbeefda2d041716da87a448471e49b40f921f7e5dfa325d31539af3b421d5a8ba4fe7489f7739d08f0e8f7

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      d7a65aa090ca1a551955ea81c15b5339

      SHA1

      315606a98b531327c7884121413ec07456c01d55

      SHA256

      33d4bc5ca1ed472eb98da3eb7466d5e5968d36b50a625e1644f515b835d3f0c1

      SHA512

      55da1f7111413a2102a68e45b0f3643bc94d08657308f599669a0d38c77620b2d4f2af32913bddaf69ea568c081b01cf3e63825a7fe17190ed58d25da0e35d2a

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      2fdda83645696f3f5a30cbe4bff7838c

      SHA1

      d1d5bfe8ad168c378a60c60538bfe1bb537d5703

      SHA256

      567b01d1b7036eb6df2476a3dd72c377f57ad687a82c916eb059253d8171a109

      SHA512

      305be98825e95eebd7ad97a147d5195092cb336e685d243256c734ed033c082ce19c9b3a2099ceb5b77afc179db0b7622dbc8b93ebc517e9a7783586e5951cee

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      108f2a9d606585a76b56917120b53338

      SHA1

      85b8c7bf05194b1ac7def4ab1bef10ccbfa7d4fb

      SHA256

      61b4f5f0670aa03ff1780dd1d713ffc3062cb87bafd8cf24016677af38bd9d72

      SHA512

      de58e86b7a6851fae2f55d6a2373729d95c22d78a7a09fe625aa6d071a1e472a7f7d77b0f09a24c0173f0ea8ba6b908fe1f0a5ae0e5610511c3140690e283972

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      019f222941fe83b31e046b578fad99c4

      SHA1

      b019e529de2e8ea38750c8e29d6d9bc0fb3d6da8

      SHA256

      001151b69092ed7d7df765fb3030f1a0e628cb09bad5bdc2c8e07645cd7dea39

      SHA512

      c860b69ec2422f947e8313b30d32e6dbecfda2a3da02c68dc92dc30f484750ee52301e2bc49e5ca07deb8cdb974f0d18101e6ec9447d486977482ee585d53edf

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      653fa6eb8219c7f2f3b3b86fa70e19c9

      SHA1

      8f620b3d8ce2df121b96b92d1623cadb67e328fb

      SHA256

      cefd7f061d1285e83a021da240ef47a7137c024d1083839b4a84971dd90a5c8e

      SHA512

      2a612a1933037b2786baa27c8f7474a6977b92db91e49e737a362a1d7ca753669a27a1c03dc58f2fb533f982b428b08eb3ad7f3e7e04d08eaad9bd8d619cbd01

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      fc2dd0a9b449b7e47486678ea36c587c

      SHA1

      8ed328163c4042e226f9a2dd1d554570f83c7978

      SHA256

      f0afeb683e863f30450bb85f0f6745e331aa03c88e333fd3c439f9e3d4ef6768

      SHA512

      80cff47133f5b6cdbb53bea33f1a4401a1391ea1921e7004501f7c0525518a323639a12fca6596a81489462edae590b00f7a5a333c428adbe636a9e1fa793bfc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CabA508.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CabA5F5.tmp
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TarA619.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DF12188752B552434E.TMP
      Filesize

      16KB

      MD5

      2dbc4451110f735be8a0af1e6fc70714

      SHA1

      7a4e371a43812e4b614cd308f04475895ee91156

      SHA256

      ce7bf56f9f46cfe570eb4682e6d9adf8433a025e26ffe3afcafb065d75e62e98

      SHA512

      67741de3f9168c9656ccaefa4fb65e58b68ecf093c750c717f6a469e408aa5606c5c05d91f8902cb03fd2835c6b129a71e9c68435f436b4bf412417b0fcdcd8b

      Download Submit

    • memory/2476-0-0x0000000000DB0000-0x0000000000E34000-memory.dmp

      Filesize

      528KB

      Download

    • memory/2476-6-0x0000000000160000-0x0000000000162000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2476-2-0x0000000000120000-0x000000000013B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2476-1-0x00000000000F0000-0x00000000000F1000-memory.dmp

      Filesize

      4KB

      Download