Analysis

  • max time kernel
    140s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-05-2024 18:10

General

  • Target

    4c640f826205255714a7a5ad0eac1758_JaffaCakes118.exe

  • Size

    231KB

  • MD5

    4c640f826205255714a7a5ad0eac1758

  • SHA1

    d67e245559f2bfdf412b8a2bbd50cd9895297265

  • SHA256

    7c16f59fc9c7134435996ebd1658d9e11f7951c5245ee6dcc176794fe8f94e58

  • SHA512

    cbf629ca740a4f56a81625e676666ce9434b7daebb3cb43c549e021442e2a4dddef57cea0fa8084ee87e3cccd6ece50756b268bf93b403493104d2c912d8572a

  • SSDEEP

    6144:RGcba3NwVhrBWUyAhCFvIA+Ed9h1RLMxn6Igquv0:RG4a9wTrB8OCJIrU9h1RLMxnVm0

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214085

Extracted

Family

gozi

Botnet

3485

C2

google.com

gmail.com

s39aihzlia.com

hqrya64peyton.com

l58er.com

Attributes
  • build

    214085

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c640f826205255714a7a5ad0eac1758_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4c640f826205255714a7a5ad0eac1758_JaffaCakes118.exe"
    1⤵
      PID:2200
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3032
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3032 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2616
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2492
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2492 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2512
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2068
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2120
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2120 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1304

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

      Filesize

      914B

      MD5

      e4a68ac854ac5242460afd72481b2a44

      SHA1

      df3c24f9bfd666761b268073fe06d1cc8d4f82a4

      SHA256

      cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

      SHA512

      5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      1KB

      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

      Filesize

      252B

      MD5

      d12eb40f7d25957faae9406b716d94f0

      SHA1

      74697c01a5d148703335d155a08b2e213aaaf223

      SHA256

      43bf47fa88bdb66338d5caa634635ee545e2884bb9183a6ea82f310eb2d250a0

      SHA512

      f13cd0a7eefc669bcd9a1f82b940df1af202d64a60769de2c94aa65355a1ff8862a7273d89be3eb9a9b4943ddb70ff3f1b803bfc045e6c8552a7a5b311359f24

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      604796dee5bc8fcc9a8b0c185e7bfb98

      SHA1

      f76332075609985598896500841807b8eede5ba9

      SHA256

      b1f092604bf92b6a47c97096c18ae3a5bfda7caf23872d1a0dd60ff47050dabb

      SHA512

      2a49dde43e1f2582d3da80813347f888138462f7e2d744218ce9c529d93144a38588a587f4e84bb469c6a5dd7dbe5e600bff6ee33bc7eab2c1cebb84003591a4

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      eb9a7ed5fc5ff9fda7790f19542164d7

      SHA1

      7f630c62dc57212c2f5b95a7a9b3e14f8701e7f6

      SHA256

      583eacd1db96ebdd0efed3a5a8605b1cdc784b3bc0945dcba72678143c74fe32

      SHA512

      5c1f6b8745523e400d68c2ec06c3b694cc889ae6f61d1aa4ec7c236369852e65867e0b293043b21b526ee48f43e5d791a8b3570624aae988376a66d7b7c1079b

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      a0190d6fab33b1159b438c791ce84504

      SHA1

      a146ba58b7fa4184e322d32bd340b662c6aa5229

      SHA256

      e96907990e3b68ee14dc4002265f10af25359c48e07e2e2eba4ace034add8249

      SHA512

      76f20f50b00140539663c80126e62cfb427ee7436a28b18e5d364a598190fc20c9e90772c296060868fd6194f83f50097ee5ac516aba8c029ef6f7ec766704dc

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      62c218d08b8a91e1f4510d9dba4ef097

      SHA1

      05dd3ff997a645619680633a7ba4e5c68694c448

      SHA256

      55ea6caf7d8bdd19056d92880a87a0a3e4537c65855874258804eb894f2f7c2d

      SHA512

      80deff213df349b5a95435376be34172b441ef538bddbc7cc0db400690ec9d1b8b39f007ea59c2dae81d4b9fe630e454faa15a4288f0f47194cba56578b93be4

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      e8936736bbd1cc6239013aed13458ec9

      SHA1

      79d097749d317e741d2ec37b346b29f058d4ab33

      SHA256

      679eb51641858c4341bc332a96d98591fc773f1194ae2de0823702bc7f96ee91

      SHA512

      ec3252c9aedf5fcec22df0b2f20aead6b5252258788612631471ea6228ab872aee65ff98bf79863d9bc5d58cff004f4311134363459923649b5dfd660117e71c

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      a76f698b23a16bda38d603ffb8654d46

      SHA1

      c4bdfcef5d74cd39e72bfb6de86d28c790719e7b

      SHA256

      a8350cc0db00d8efc2a365eea7d776bd76708357ae996885480ec8ec7408e6b9

      SHA512

      bb45beec97f2838790813e8d5594ea4819be077d48c82b2af3c42fca88c95c45a56068913c76af1ad096e6d3f37652aeb27cc2b0cefa32c76cebd605a8177037

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      9d07407b0a9d43643dc504f718d2aa25

      SHA1

      f68d890f2269aff42a0592a706f22b08b6fd309e

      SHA256

      f3715e10bf47cc4d50b82210a40684d8758aec58b1997de5940571f8f6d5874a

      SHA512

      9cee7605d31312c119773a2a9de9242677c60ac4be6eb178dbc6c888c73e533b37fbfdf92de391b55522c0e34df066191990b2c2c78daa3bb9e5beb03d4f2f2d

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      5636b9229c46ae31950647cad614099c

      SHA1

      186828d73fcdcfb46c2ab3a388429b986e9dbb92

      SHA256

      ef52f1ad993dec2fca79c4899d5c1edfe905c77c6ee8b2b2771a61da2fd5af35

      SHA512

      736a709a88f889ede5c347ab82506376d05a9a4c8b91939e96bb4f0ffa274265235f9b916fb0fcad598312b2f2372503c11f82333401ee5b62a8b32127ed7c51

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      76c35b088d3620f10e2541098eb547de

      SHA1

      40a16d13fa7f2fc939f2d478ebc4e8c2a693cf7b

      SHA256

      c58864b8250c16997f069a7300c2ec8e400b885b19c0b24c8657b78c623166b8

      SHA512

      b6da294c799adb1932158dba92895fb6da32e2a37e789c9b7403cc2704722b75c6183508e35dac737802d718a1c345e4af03bbb2b0a68f2138e0d5aa4b320d74

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      242B

      MD5

      a9e4563799ac1b872fa1e9dd37b1f0be

      SHA1

      a46bbd9ba3dc2628ed7354adf2eca73827e9b177

      SHA256

      67db4b8d53d283ecbb63c1cfa19e2fe52cfeb6c6c2fb9f954922bf679e8795ab

      SHA512

      49b6fa7953fd2296ca86dc38c979bc06e44a9e768c269008ae315352fe375bb790128365bcb0b9a0cb5c56432d22535af7a601e48293ad4f4456c612afd9f27f

    • C:\Users\Admin\AppData\Local\Temp\TarAC3D.tmp

      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    • C:\Users\Admin\AppData\Local\Temp\~DF40E6256E5BCF5832.TMP

      Filesize

      16KB

      MD5

      93951bbf473bf7f983526a8f8ed80524

      SHA1

      ff8e75ccfe3447e24b011bbb501d1907e9fcb3d3

      SHA256

      099e6c2b18a7cd957753b652b6652e6978b08ff3195403f6753aebbe433cbc58

      SHA512

      e0c885fc12289f8a13b8389afc34ada58980ab74b5017705ee3b46ea251961736c32852a88461305c9c4a276f8ce4c98b01e26a5f46a9c44396eb9b1df4ee3e3

    • memory/2200-0-0x00000000001E0000-0x0000000000339000-memory.dmp

      Filesize

      1.3MB

    • memory/2200-11-0x0000000000140000-0x0000000000142000-memory.dmp

      Filesize

      8KB

    • memory/2200-4-0x0000000000100000-0x000000000010F000-memory.dmp

      Filesize

      60KB

    • memory/2200-2-0x000000000021A000-0x000000000021F000-memory.dmp

      Filesize

      20KB

    • memory/2200-3-0x00000000001E0000-0x0000000000339000-memory.dmp

      Filesize

      1.3MB

    • memory/2200-1-0x00000000001E0000-0x0000000000339000-memory.dmp

      Filesize

      1.3MB