Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-05-2024 10:50

General

  • Target

    4f9fc7ffc48e4051b8eb52a5f113ba1c_JaffaCakes118.exe

  • Size

    571KB

  • MD5

    4f9fc7ffc48e4051b8eb52a5f113ba1c

  • SHA1

    082179f858d5de656280d0347684af0f97bd4062

  • SHA256

    6bb7ad593e18dc28620551328658c9d986ac7afe44aaf5cacb140fa6fe686bca

  • SHA512

    9d09c11642ac53ef4bbf66691b37f94a557e2e0018b4c2a8f0e1a98aae377fa6b0b2e1133d1033d8a63d655e5a0d3af19ced4416b31ea8ca14cabaa65c990f97

  • SSDEEP

    12288:CT7JDjN1yH6HE3P1xU5eJX/5rlprfxRVj7ELrUMI6L:CTu6qxUU9FhWUMd

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214082

Extracted

Family

gozi

Botnet

3381

C2

microsoft.com

update.microsoft.com

avast.com

f4859della.info

z89p68modesta.top

g54fz534ci.xyz

Attributes
  • build

    214082

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f9fc7ffc48e4051b8eb52a5f113ba1c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4f9fc7ffc48e4051b8eb52a5f113ba1c_JaffaCakes118.exe"
    1⤵
      PID:5052
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:2616
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1044
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1044 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:544
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2800
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1004
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1536
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1536 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:212
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4980
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4980 CREDAT:17410 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:2052
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5028
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5028 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2844

Network

MITRE ATT&CK Enterprise v15


Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        f646488e081a5c175ce1fb03ba482264

        SHA1

        27f7ff92f2b9808c9b998f87ad5b03057ebab12c

        SHA256

        e6312e65983df0745340cf492de216be2cf14f34ceba56a53b26a5f196c31f8f

        SHA512

        2cf3f2f8b2858a66c1eba71235fa0349c3335af4c18967951e086e9e9c87ba4028b1c1bde4c5657deda07d2f4e0cc2cf7ac5c965d8b3a35aed8f18e2beb5676a

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
        Filesize

        471B

        MD5

        102c59efafbf6d59da6d256bfdd7a829

        SHA1

        48f9f758805fa34a8356a1386672007d4e1d637f

        SHA256

        d0d9a1571cbc6bc45de58b4cb30ced39684ee19848ff5ebbc814ac4e9db9d609

        SHA512

        f59d0d8ab47a665bd3ec662319ea1ec49e08941823138513e3be24b7c95df780801adffb8749c3bc00657e0f60928db81c8b4307ad7c673c8b514fdf1c8086ab

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        f93911cedd62ef2e6a51e613c19adef3

        SHA1

        eff6d34e9cc51260de019f3f8e4b6c8a0943192c

        SHA256

        8a64314bbce79095944fb211a5389bc26a989a58e8850bbd233454e3c94317ce

        SHA512

        0f31cbcee7a22452ef62cfd311bb7ab9ba928776d1c6cfa06c515387003f4927e400a775a023bb4fc816f35619543be59129570b67bae03b71a06c1473b550bf

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
        Filesize

        400B

        MD5

        4773acc1a6adcc68caaa350ce0bc6ee5

        SHA1

        1cb787f9186ee989eb49706b3bb461d72ff0f86e

        SHA256

        a067cf75414000380c330226be5dbf0989dd7c0f04dffe970cd0c5a2f2afac06

        SHA512

        446c114d55da1ddcd6beb4f645ddfe9b1c935eae4003fd1e5e6cfd8d8ecc1a57a3b2dde14c73c54d6ae16928b8bf78a062cc71a9f53c518e171efd9ed8f93a97

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\3qb0obk\imagestore.dat
        Filesize

        8KB

        MD5

        b04e763b21c19dd2336ec99460895e86

        SHA1

        7a8a3ec2d7f79bcf4e3cd18abbe988f71103be86

        SHA256

        990874c05689a00034e4202118197b452259f752d398008498ddcead60b6333e

        SHA512

        d9119ec11ff79809ff11f132085d93022c5b1a29cb184780632e10b93a35d87dac478a3ea7b2537965d14de41923784d2a80e86e45daa1a3958430e49d9c9456

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GO42234Z\favicon[1].ico
        Filesize

        7KB

        MD5

        be87fd81ff4e82e7ed57b0c8951c66d0

        SHA1

        4a918234d3225b585dffb7b6d587acb3fbb39618

        SHA256

        637b67152dba0b0b33c8aadb38ea7c86b7a12b37366c7183f898c36c222b04fd

        SHA512

        87ec908135335b4074d412b04188bf05d00f468400d2837ba2ca1c77440b6f2f15ba648f2a8f42b1301d77df54bf2a00e59416942807ccd90e36f59431638de7

      • C:\Users\Admin\AppData\Local\Temp\~DF3BC57508BC4BAEDC.TMP
        Filesize

        16KB

        MD5

        6e46041fb31418622ccabe10b2ba5bee

        SHA1

        f547c8a0457371729def7998d6facb7eb527b047

        SHA256

        0277e65eb5a47deb0d3201289d796523a41e2264256cec00f200e32b9d31d653

        SHA512

        83bc3e81359d8540a0c3a0c48e35e85cb72e8c32ee7a18474662efe5bc659b23ce98a3a38a4e9c1bfd0627847828323676051fd11a960afefaa03501e3f6202c

      • memory/5052-4-0x0000000000E40000-0x0000000000E4F000-memory.dmp
        Filesize

        60KB

      • memory/5052-50-0x0000000000E60000-0x0000000000F04000-memory.dmp
        Filesize

        656KB

      • memory/5052-2-0x0000000000EC5000-0x0000000000ECA000-memory.dmp
        Filesize

        20KB

      • memory/5052-3-0x0000000000E60000-0x0000000000F04000-memory.dmp
        Filesize

        656KB

      • memory/5052-0-0x0000000000E60000-0x0000000000F04000-memory.dmp
        Filesize

        656KB

      • memory/5052-1-0x0000000000E60000-0x0000000000F04000-memory.dmp
        Filesize

        656KB