Analysis

  • max time kernel
    130s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-05-2024 13:46

General

  • Target

    4b6231e3a1ac05228c4985cb41d6e307_JaffaCakes118.exe

  • Size

    485KB

  • MD5

    4b6231e3a1ac05228c4985cb41d6e307

  • SHA1

    288c3017211c15a6f3165d36df104441bc283183

  • SHA256

    0be6b83bd43ea4dd75e061b4cde95c564a0bb6296400b1b32326323c6d1849cb

  • SHA512

    ef215a2688270d6237ff3b4daf77cb67830cad55501bf2aa5db31754bbddf74518442c5ea441dc7820bd38a634a231574b8c7a5c46f962697e4ccc4a2a0d48ff

  • SSDEEP

    12288:mD9UDevpMtdoe83GWLh6iVMGP1tYLwqYZy4e:hiq/H8hh6O91tqHYZS

Malware Config

Extracted

Family

gozi

Attributes
  • build

    215165

Extracted

Family

gozi

Botnet

3140

C2

isatawatag.com

bosototsuy.com

atamekihok.com

Attributes
  • build

    215165

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b6231e3a1ac05228c4985cb41d6e307_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4b6231e3a1ac05228c4985cb41d6e307_JaffaCakes118.exe"
    1⤵
      PID:4220
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:1904
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2936
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2936 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3684
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3872
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3872 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3500
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1564
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1564 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2696
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:516
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:516 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:5104

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\~DF585F6ADEE6F57E3F.TMP

        Filesize

        16KB

        MD5

        8f7f9644cd1a1a41d3221d97e7469c1f

        SHA1

        72c0b0c5b0cc8a22f3b3ce6a3b021034afc33c06

        SHA256

        8d62605f1dded7549e8f3927fa1ee9bf6263d725ccd9b7d2207baa2d76be9c24

        SHA512

        c387b628cdc25c97f031b261aeb0e55fded849a22fb8cd1084a6ff4af1591a2ca33096d8cbef06b82807b748c95e46ec9a216998eaa26f7e6bef6c186c67a395

      • memory/4220-0-0x00000000009F0000-0x0000000000A74000-memory.dmp

        Filesize

        528KB

      • memory/4220-1-0x00000000009E0000-0x00000000009E1000-memory.dmp

        Filesize

        4KB

      • memory/4220-2-0x00000000025E0000-0x00000000025FB000-memory.dmp

        Filesize

        108KB