Analysis

  • max time kernel
    152s
  • max time network
    161s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-05-2024 14:25

General

  • Target

    4b883d14fbcd30cf896006a67a760ac9_JaffaCakes118.exe

  • Size

    648KB

  • MD5

    4b883d14fbcd30cf896006a67a760ac9

  • SHA1

    a42f848f2b2de4257fbf774da17aeabe4761d284

  • SHA256

    9d723b807f5c210994cb957a0d80b86093f5826f4b8091a20337e94a61c63c29

  • SHA512

    4c185ef1442de628e816b115f99008bdf6ba7bea253fa7c68fa545ff58acc5acc17055d8f0e5d9db0e4348a62159648ea60b99b97b2fcbd62ac6011618f9e06c

  • SSDEEP

    6144:Q5mTEzUok+1NjIjODnupJnMZLrSPm4JZM1o7SVMVVadETPjSjCv4RgSNY5v6:Q5wEz3kEDnQdM9rEju0TH4l

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214062

Extracted

Family

gozi

Botnet

3189

C2

hfmjerrodo.com

w19jackyivah.com

l15uniquekylie.city

Attributes
  • build

    214062

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

  • rsa_pubkey.plain

  • serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Modifies Internet Explorer settings (1 TTP, 64 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SetWindowsHookEx (16 IoCs)
  • Suspicious use of WriteProcessMemory (16 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b883d14fbcd30cf896006a67a760ac9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4b883d14fbcd30cf896006a67a760ac9_JaffaCakes118.exe"
    1⤵
      PID:2200
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2616 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1412
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2416
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2476
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2476 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2600
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2172
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      PID:2724
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2724 CREDAT:275457 /prefetch:2
        2⤵
          PID:3004
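The config block and the process tree above are rendered flat: keys and values sit on separate lines, and nesting is shown only by the "N⤵" depth markers, so iexplore.exe (depth 1) is a sibling of the sample rather than its child, while each x86 IEXPLORE.EXE (depth 2) hangs off the iexplore.exe whose PID appears in its SCODEF argument. The Python below is an added example, not the sandbox's own tooling. It parses a constructed, abbreviated copy of those two sections into a config dict and a linked process tree, cross-checks the tree against SCODEF, and lists which COM-activated ("-Embedding") processes the sandbox saw calling WriteProcessMemory. The parsing rules are assumptions read off this page's layout; the DGA parameters are carried through as strings and the DGA itself is not reimplemented.

```python
"""Parse the flattened sandbox report above into structured IOCs.

Added example, not the sandbox's own tooling. REPORT is a constructed, abbreviated copy
of the page's Malware Config and Processes sections (blank separator lines dropped; the
parser ignores them). The layout rules relied on are assumptions read off this page."""
import re
from dataclasses import dataclass, field

REPORT = r"""Malware Config
Extracted
Family
gozi
Botnet
3189
C2
hfmjerrodo.com
w19jackyivah.com
l15uniquekylie.city
Attributes
  • dga_tlds
    com
    ru
    org
Processes
  • C:\Users\Admin\AppData\Local\Temp\4b883d14fbcd30cf896006a67a760ac9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4b883d14fbcd30cf896006a67a760ac9_JaffaCakes118.exe"
    1⤵
      PID:2200
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2616 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1412
Network
"""

CONFIG_KEYS = {"Family", "Botnet", "C2"}
PATH_RE = re.compile(r"^•\s+([A-Za-z]:\\.+)$")   # "• C:\...\foo.exe" opens a process entry
DEPTH_RE = re.compile(r"^(\d+)⤵$")               # nesting level marker
PID_RE = re.compile(r"^PID:(\d+)$")

def parse_config(text: str) -> list[dict]:
    """One dict per 'Extracted' block; single values unwrapped, multi-values kept as lists."""
    body = re.split(r"^(?:Signatures|Processes)$", text.split("Malware Config", 1)[1], flags=re.M)[0]
    configs, key = [], None
    for s in map(str.strip, body.splitlines()):
        if s == "Extracted":
            configs.append({})
        if s in ("Extracted", "Attributes"):
            key = None
        elif s in CONFIG_KEYS:
            key = s
        elif s.startswith("•"):                   # "• dga_tlds": attribute bullet names the key
            key = s[1:].strip()
        elif s and key is not None:
            configs[-1].setdefault(key, []).append(s)
    return [{k: v[0] if len(v) == 1 else v for k, v in c.items()} for c in configs]

@dataclass
class Proc:
    image: str
    cmdline: str = ""
    pid: "int | None" = None
    behaviors: list = field(default_factory=list)
    parent: "Proc | None" = None

def parse_processes(text: str) -> list[Proc]:
    """Rebuild the tree: a process at depth d is a child of the latest one seen at depth d-1."""
    body = text.split("\nProcesses", 1)[1].split("\nNetwork", 1)[0]
    procs, last_at_depth, cur = [], {}, None
    for s in map(str.strip, body.splitlines()):
        if (m := PATH_RE.match(s)):
            procs.append(cur := Proc(image=m.group(1)))
        elif cur is None or not s:
            continue
        elif not cur.cmdline:                     # the quoted command line follows the path
            cur.cmdline = s
        elif (m := DEPTH_RE.match(s)):
            d = int(m.group(1))
            cur.parent = last_at_depth.get(d - 1)
            last_at_depth[d] = cur
        elif (m := PID_RE.match(s)):
            cur.pid = int(m.group(1))
        elif s.startswith("•"):
            cur.behaviors.append(s[1:].strip())
    return procs

def scodef_consistent(p: Proc) -> bool:
    """IE tab processes carry SCODEF:<parent pid>; check it agrees with the rebuilt tree."""
    m = re.search(r"SCODEF:(\d+)", p.cmdline)
    return m is None or (p.parent is not None and p.parent.pid == int(m.group(1)))

def injection_hosts(procs: list[Proc]) -> list[int]:
    """PIDs of COM-activated processes (DCOM starts an out-of-process server with the
    -Embedding switch) that the sandbox then saw calling WriteProcessMemory."""
    return [p.pid for p in procs
            if "-Embedding" in p.cmdline and any("WriteProcessMemory" in b for b in p.behaviors)]
```

Run against the full report text, parse_config returns two dicts (the first Extracted block carries only build; the second holds the C2 list and the dga_* parameters), and parse_processes links each of the five x86 IEXPLORE.EXE tab processes to the iexplore.exe whose PID appears in its SCODEF argument, which scodef_consistent confirms for every entry.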

      Network

      MITRE ATT&CK Enterprise v15


      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        344B

        MD5

        3da83e92b4800e9ea73f3606a0f0ae14

        SHA1

        5724bc9d4d1fa64d7a21dc965c586b76c676f4bf

        SHA256

        2981e022f48e6bdd895ad7d1cc049df3e02d09c4eeb230ed9964abc99a4e9541

        SHA512

        e96cfa5dec13e2e02f7377fdc393d561d8976f3a82f51097e3bcfccb49cbfc6964fa3c91a97e24742ab3a4ac41c819e8e046dae7c4877021bea8aa92283fdbc7

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        344B

        MD5

        6653a128b9dc5250b73578b42296d1a9

        SHA1

        87e937dad3346b87a008a79f321e0ed3ce6233ea

        SHA256

        b5cccc6859162f5b0878df50727bf502928e23004a0cdf17ebb4d8aa6692c7ae

        SHA512

        a63efab3d25b46dc3c78d7dc08ee9d1a0a6c852be59ab35f831238b435d21a791e522c30c62d3840440f273b9d25eb3c1e195726cd4893429fd9d29b35178c80

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        344B

        MD5

        a6e5e54d9583d3010c101a335a41fea7

        SHA1

        9edb475e6d17e1b3c4a6018f2595fdafe4adfa6d

        SHA256

        694a37474f02f7c939ea703b96ea3f36507261c0a430901abb9e6b7948490347

        SHA512

        0c9c3ba1d7c33f447ec369a56007a8765ccf0aca030046f5472f2bc51b695b47d7a0bbd6ddb2bab7c05ee2f381205bd1f97296d71f87518be29c6d31f575db95

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        344B

        MD5

        41ae803eebb4e52282548ae30885599e

        SHA1

        408ccc3348f904e4846123f1a287c8c8cff17a38

        SHA256

        4b3756bb0d7302339afccabedbca8a65916ff986cdda63984d2b3948d147ce6d

        SHA512

        1d367adbaaad78ba14c8fb9bf3548d8edbf860ce88efb82e291c938de6ff2674a69c07678e293ff47498e562644c1e58a67878ca7e87f64d321dfd75fa4f3fb8

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        344B

        MD5

        4e3513fde3cf26b6ec839b60199797a7

        SHA1

        daeb1a030e6b96af78b2e09cdb0ab29772a2bd07

        SHA256

        1d0bdff2c113e800fb08d1590dd67723ad6c4290919e630bb49e07c79614653d

        SHA512

        f7a4e1489dcc59c429483340dc09763f755e8165c49608daa627c19428eaadecbb311eaa0c723cf349d3830203d66bbfbe4086b3a2f10528d3cfbcd27b4cf67a

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        344B

        MD5

        bb80f8d0f65c8518649528dc0a0b2963

        SHA1

        72b45fffddf4365660772babd28d4ee6159f328f

        SHA256

        baae2178720ca043fd7e3ccc72ad545e79a7bca3cc3f035ee654cb06bce5ace4

        SHA512

        ecf8d200f422c1a91dd7951df9ba204364a8135db33bb8844b16d45acd49443c6dd1f9d217729cc0f9e0cf4d09277dd1cdf98160444f97509001959f4e300bf8

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        344B

        MD5

        4055a39bc3e1ed7a9ba57fde32584721

        SHA1

        a113065d0033a849b05c81bc725b7dcd63075b94

        SHA256

        3283d1f70e25b70daa937ebc427cd0bc60081fb0730f4f12a9624ec24117d719

        SHA512

        79b6c2fb92eedba397190573c11c50bf6e4993c5f461bc672a9b8f7cbd6f3835d4b946d6996926f492dbb8078aac4f49a39c1991964c41d608018d9ce85b14d3

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        344B

        MD5

        f6bdf5bafe698b04b9640430f4a8c1ad

        SHA1

        6c94d713da5f5476b1e967f2f6d8218b1c2a1b4b

        SHA256

        00f2bc8b0ad1673e1706cf083d8c780cef1da60a9b8d0590531b50d5d8e8d4b8

        SHA512

        b58b00da49146375b08fbda4ce390feba9011bef2bc6d1fc445af7929c0194b446f824ae7922c5f5bbc318e4435f49ba429bbfbf18bc06574a671adf5e65cf91

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        344B

        MD5

        2d4ca6938d9cb297097d6ba3b2dd9d8a

        SHA1

        bbbbd832162969baad7290794e5f49adb08b99d3

        SHA256

        8254e8c2eb43ca808a70797e018088df4a7b9564c3530c31642a824b31ac0f14

        SHA512

        cfa90a8b2674cc5a49fb80f4253abebbd611ddd8d4039b7d21db70ab9e0c0b75f936d4447a5f2c02db25feb8536d4b1cc423ebd88510bf2411a78bd01b278187

      • C:\Users\Admin\AppData\Local\Temp\Cab4970.tmp

        Filesize

        65KB

        MD5

        ac05d27423a85adc1622c714f2cb6184

        SHA1

        b0fe2b1abddb97837ea0195be70ab2ff14d43198

        SHA256

        c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

        SHA512

        6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      • C:\Users\Admin\AppData\Local\Temp\Cab4A4E.tmp

        Filesize

        68KB

        MD5

        29f65ba8e88c063813cc50a4ea544e93

        SHA1

        05a7040d5c127e68c25d81cc51271ffb8bef3568

        SHA256

        1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

        SHA512

        e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      • C:\Users\Admin\AppData\Local\Temp\Tar4A82.tmp

        Filesize

        177KB

        MD5

        435a9ac180383f9fa094131b173a2f7b

        SHA1

        76944ea657a9db94f9a4bef38f88c46ed4166983

        SHA256

        67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

        SHA512

        1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      • C:\Users\Admin\AppData\Local\Temp\~DF96D491FB2B8D165F.TMP

        Filesize

        16KB

        MD5

        98a2ab0edd04143cddbd6df4674a9cdd

        SHA1

        6f90e7309781778c37c2a6ea64a1f3b5848446ef

        SHA256

        7dd296f2d05fd0e199cf03dc2377d5380e0d2780559189c0f5ceb78bc85f8a5b

        SHA512

        3e92771405c58638d11e4f7969e39d97946c598c93b224542f97dd16f2ef1859fbc67fc20b39027506d4e10f9e29f61a59b5394ba5fbf708cdd7b0470b4c8201

      • memory/2200-0-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

      • memory/2200-7-0x0000000000540000-0x0000000000542000-memory.dmp

        Filesize

        8KB

      • memory/2200-3-0x0000000000270000-0x000000000028B000-memory.dmp

        Filesize

        108KB

      • memory/2200-2-0x0000000000240000-0x0000000000241000-memory.dmp

        Filesize

        4KB