Overview

overview

10

Static

static

3

4ed50bf68a...18.exe

windows7-x64

10

4ed50bf68a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    17-05-2024 06:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4ed50bf68ad482ea7f07d55b25049687_JaffaCakes118.exe

  • Size

    354KB

  • MD5

    4ed50bf68ad482ea7f07d55b25049687

  • SHA1

    1993bc0ce78744f35444760b073806d5b97bd35b

  • SHA256

    a9b3d32ed9f73a4cf67f5619c9d5820bb252cf1ee105868e2a85b551dcd88aa2

  • SHA512

    6cbd5312a908b1b6c2a68fa937921a47075117bd6f751eb96640eb24a4bc5b175f7615eaa1fd0e5630da59331ac776e205e8e5a343f8d85a0704837a0c706a73

  • SSDEEP

    6144:jQp7pQMOtvhiNyVyZHbzU5/JMi+xLus/AWQB9X:+pWhcyIZHnU5RPu4B9X

Score
10/10
gozi3177bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214062

Extracted

Family

gozi

Botnet

3177

C2

wgcjeremy11.band

skelsigabriella.fun

xelectauishanie.email
Attributes
  • build

    214062

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ed50bf68ad482ea7f07d55b25049687_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4ed50bf68ad482ea7f07d55b25049687_JaffaCakes118.exe"
    1⤵
      PID:2964
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2732 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2468
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:884
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:884 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1732
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2276 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2996
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:332
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:332 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1940
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1512 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2392

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      643201627b3a47ef897af11883d95263

      SHA1

      c7025b468d0a404eca4cacc4f6298a0959ba6d2c

      SHA256

      88c070cae5b5a3f6f31e78ce30e900b117d9adbcfa83e2d9348cb2ba6119f53f

      SHA512

      12753dbc6487b3936e22dd47ef065f11366c18fda7f3c970e048adc8742c9b381d213654dffb94311bb53b144023ac57d56a54e7321a4ae9e3465c1cc2891348

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      3150c07fcecb3229a01c50db78b1d4af

      SHA1

      fa835707d4cbf1f49b724c711bbbb31cfa431cae

      SHA256

      39a3a1b6b9d8d4712a1529dca3524cf37c26b848d6b8d00a85df93a3ae12774c

      SHA512

      c9fd8aa4bbc589229ea829c3f7a1400fdced4b7aa0675afc309380b6f65c3ed0e2e9735fe2d06b3a0fa3d840de0bff38400bb2fae119ceef945db9870623e1f8

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      c9196e98eec1343d307e49443d7f6678

      SHA1

      4684d9fabfd0affdd9fedbec73211d6eba74b999

      SHA256

      9e969e39b9f2ba396c580fc8edb3b5cd4eb45ab1e37359653b78357efde5d6f2

      SHA512

      b45d6b0f8e47d638b41733d76078d669f06988c9cb87205edfcb763dae8a6e35d498dda366e3e5a03aa94a9898336734d013a58c1b7b14fd5dcc9b4c4abbd75a

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      89bcf22efec4600da9a0beac8ee7dca7

      SHA1

      6a6cc81edd2bb1d0a9268b9443e3863d617d0c9e

      SHA256

      3b541fef82b8da29fe21bc62e0f4380e08c6606032416c7697030abab999a0aa

      SHA512

      5d5783cdf5d7d18c1f44decf444d51d2164973e1d8ee36630702f7eaeb6ccd35d1ee96372ff93c6f4d52003d4953135c4d0d99e184a490c8ef92fd68b225964f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      b97d60cf6ef9316e7344bb7c610b992d

      SHA1

      1fea048f33b58c98b038fa647f1d7f5431d5dafe

      SHA256

      75e62ae5856a3860f73802f443c22d338dd726c885a301c0c1a23a44a461a2e4

      SHA512

      997d1a6fa41fee66d730bf7a355e0b58451e8e8444a261dad7108263e6db11ea565f7f35247356a99b2cd393ecae25fc128ac90125397d0362873340d918da71

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      b32c8feb97870b445be80cf7c6978d27

      SHA1

      16a7073e44f2965b50c68d7aff2a5dc371041a9d

      SHA256

      aaa2ca44b6d4a65a03b8654f81de38467efe2b8a2e052e36d014563e02924872

      SHA512

      f5eca45e7ef7070e991a0c8513a886e89028e5d4cb04214269161c819f1c59674904049d2587dfe0a3e22f49c7c441089acdcb1c6916ed004a7e8c0229779cb9

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      673a1da81a0d222cca3f93ce3102f8b3

      SHA1

      5d48c2caea7f173d0be7d41395d8ce673c1622f7

      SHA256

      583864b93b937abec02cb996b1328565f70b3355447ac47e97d1fa395ffa6f9d

      SHA512

      9fa96680739ccf771492f3c1e6793eef2dfc4930097211d7adb56b362740b3aff2263317c61e006d2de455ea7c2143c23af77fc8a35b1f2b5b7446950bc4dd3e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      e3e0d69b52deea1b323f49baa36d5fc2

      SHA1

      2406d7290a4d89d01dd681d6fe35a7fd1e58a06c

      SHA256

      bc052fa8a8b2b137095096dc283ca0454d641876b31913638cb853459de89278

      SHA512

      7db509819fd127c8c59ef2cee58c3714fd9a7c43762da25b903bf4f577ef009a35a7697a66c10a2c71799b0cf8acc3bd21e4d845dd1f5e8b64ca4f9c8b0df4b5

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      0c918294f8115c5900d35dd3c3e9adf2

      SHA1

      5371ba73e6dcec59be3122ac23ea6a19b5f5725b

      SHA256

      39d128c4b5682a583d87cbe79999045cddba75d81cfeac1ed1c63a12ab97c93f

      SHA512

      29930320d71ac68c884212c6d31eca97427f10e80498f0f54309d043253018f91fdd6b2db6bdff5a96721d49a6910ecb599efeb094da05f2199d2748d34c0b35

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\dnserror[1]
      Filesize

      1KB

      MD5

      73c70b34b5f8f158d38a94b9d7766515

      SHA1

      e9eaa065bd6585a1b176e13615fd7e6ef96230a9

      SHA256

      3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

      SHA512

      927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\errorPageStrings[1]
      Filesize

      2KB

      MD5

      e3e4a98353f119b80b323302f26b78fa

      SHA1

      20ee35a370cdd3a8a7d04b506410300fd0a6a864

      SHA256

      9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

      SHA512

      d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\NewErrorPageTemplate[1]
      Filesize

      1KB

      MD5

      cdf81e591d9cbfb47a7f97a2bcdb70b9

      SHA1

      8f12010dfaacdecad77b70a3e781c707cf328496

      SHA256

      204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

      SHA512

      977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\httpErrorPagesScripts[2]
      Filesize

      8KB

      MD5

      3f57b781cb3ef114dd0b665151571b7b

      SHA1

      ce6a63f996df3a1cccb81720e21204b825e0238c

      SHA256

      46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

      SHA512

      8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab8DC1.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab8E9E.tmp
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar8EB3.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DF240F99239F10E024.TMP
      Filesize

      16KB

      MD5

      bb3059b4b74cc37290bcf2cbec58da51

      SHA1

      f127f2ed98e48c780b45c6c01ff6df32c0b202b8

      SHA256

      e4adec288fcc1ee6e0baba15d5a345beeb1673664096ec0cf365ee3581ab71ef

      SHA512

      b9ba13191948b6db36ce01b137948a6a03bef0f986181e1b44ac42d5303c06e6ecfd53e0f1d38f0cc35029db454961578d021c19d88272adef31466cb2175914

      Download Submit

    • memory/2964-0-0x0000000000400000-0x0000000000465000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2964-1-0x00000000001D0000-0x00000000001D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2964-2-0x00000000003A0000-0x00000000003BB000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2964-6-0x0000000000560000-0x0000000000562000-memory.dmp

      Filesize

      8KB

      Download