Overview

overview

10

Static

static

3

5333a80280...18.exe

windows7-x64

10

5333a80280...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-05-2024 05:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5333a8028037aa7f930852656ebe1ef5_JaffaCakes118.exe

  • Size

    296KB

  • MD5

    5333a8028037aa7f930852656ebe1ef5

  • SHA1

    2ac783c46074084eef9d4709e6d988870d2923bd

  • SHA256

    664ea322e6547555932ef477e03fa5b953ec980a4ed4300fd91d8fd86a325e09

  • SHA512

    ace591f9dc7a1cb329c0c813e431f88e0f97644e252e81a1069ccde9592804247c444686d85cd71f3adbf1ac2b2d8d14d8129052991e5da0c524ec4a166f9ee2

  • SSDEEP

    3072:zbwmc9TBhxwFKZGWmk7XUzlvxHaQKA/2NND9vcJHCzSW2rSw+GAqYq:z3cxBoFPWZwxxansY0JiOraGZ

Score
10/10
gozi3537bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214107

Extracted

Family

gozi

Botnet

3537

C2

gmail.com

google.com

fjavieryvette94.com

wk1122roxanne.com

gs85elmoreobs.com
Attributes
  • build

    214107

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5333a8028037aa7f930852656ebe1ef5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5333a8028037aa7f930852656ebe1ef5_JaffaCakes118.exe"
    1⤵
      PID:5068
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:4480
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4092
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4092 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1920
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2680
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4808
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3616
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3616 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1636
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4292
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4292 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1980
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4312
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4312 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4208

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
        Filesize

        1KB

        MD5

        f239d3b86b93fa461b08a22d16cee404

        SHA1

        df82135c6a1cf59848842ae7803ce0312c6f2fa7

        SHA256

        63ffe472fc06a86239c25089ba20f8e885e356163e3a14af4ef4a4de8cb61f79

        SHA512

        542750aa959bfde4f4184e53589b50111f46ff20e985ce793716ee8340d5c3905398dee12994bf34a323a92020f1a543baaea2f501db14218623158a7b80a336

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
        Filesize

        724B

        MD5

        ac89a852c2aaa3d389b2d2dd312ad367

        SHA1

        8f421dd6493c61dbda6b839e2debb7b50a20c930

        SHA256

        0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

        SHA512

        c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_B381A9DE1A99F00B76BC46CB1F8CCB60
        Filesize

        472B

        MD5

        284016b33a7b1b219f58f9f93512fb59

        SHA1

        8cbedeee459337071241371143b0e33c4798cb62

        SHA256

        f80c16ba20e4abec474b3e5c336255f4f8e3add5f0d11bd2049b5bb6c508da8b

        SHA512

        f8af7b6c34d3d3a39c58756ef687c389115eab07d68bb89546c38e13f760989945ed525d1ed8b0a1e113f570f8f1bbd5536ddcf19b1a228cccf2da918dec2729

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
        Filesize

        410B

        MD5

        815d13cf4223ee0b231c6f680b4e485b

        SHA1

        b98d50042193a7a71c1818904d69b9518cad7a7f

        SHA256

        533a8eacae0116b1c11fbf56881bdcc91d88c413550f3cc74c0695fe00acb3fc

        SHA512

        1c21155acbf100d95a5677ca6ec7a21921a7aad969700875524f27fc52506995f94f145412eb5a5b8e8395a591e0da2bd58741c42c88a99fed474df9a0ce201c

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
        Filesize

        392B

        MD5

        755dee21e6cd813f6cf2e4e469ccd6d6

        SHA1

        0d14d2862080ee5669c2519440561289214a0b60

        SHA256

        1f12d5dd6d98f6a78e72aa5088fbb8bbe1da6309f69e4858a2468c604d55151c

        SHA512

        df374c1e4a39b6f343912da0bdb0f0ddc3418d90973a9a3323d88ed7dd73981bd4445ff1f0bfb65af38f555814b864061523a158b4e672d7d8ee408eb4f3c823

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_B381A9DE1A99F00B76BC46CB1F8CCB60
        Filesize

        402B

        MD5

        63fdd1fb6a54b6aa8d1499b8b9fb26b8

        SHA1

        4e9645eed3e0957b483787b96b594742bc7c3b5b

        SHA256

        fb51c5d19999bbe410e0686af9a7b1b8fc404cfcc446002e209e0edc8b1effd9

        SHA512

        fe94ea3feedffc1bda9f00587704e0140bb5b59c9dc8e5a50c9c207af9b9ff8f383f5a13a34b94a8eb3ec3bf87cc9a36ded49b06bf3e8d0c5e24a0038b7eb509

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6SQF6WJH\robot[1].png
        Filesize

        6KB

        MD5

        4c9acf280b47cef7def3fc91a34c7ffe

        SHA1

        c32bb847daf52117ab93b723d7c57d8b1e75d36b

        SHA256

        5f9fc5b3fbddf0e72c5c56cdcfc81c6e10c617d70b1b93fbe1e4679a8797bff7

        SHA512

        369d5888e0d19b46cb998ea166d421f98703aec7d82a02dc7ae10409aec253a7ce099d208500b4e39779526219301c66c2fd59fe92170b324e70cf63ce2b429c

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ED9UQUDY\googlelogo_color_150x54dp[1].png
        Filesize

        3KB

        MD5

        9d73b3aa30bce9d8f166de5178ae4338

        SHA1

        d0cbc46850d8ed54625a3b2b01a2c31f37977e75

        SHA256

        dbef5e5530003b7233e944856c23d1437902a2d3568cdfd2beaf2166e9ca9139

        SHA512

        8e55d1677cdbfe9db6700840041c815329a57df69e303adc1f994757c64100fe4a3a17e86ef4613f4243e29014517234debfbcee58dab9fc56c81dd147fdc058

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\~DFC713D5B02C05EDAC.TMP
        Filesize

        16KB

        MD5

        ebca2943351aa515cc1ba9ba683f4fd8

        SHA1

        457fd58402b86001a7d328fb45b61d92fef4ebb1

        SHA256

        ba525d3f032fffc15a28b3b51e6c3acaa29a408c2081d3afabe5470cc972546f

        SHA512

        609a7502e9b77068c1da3a8ac785584841a60cf2ad820714cceb8426f6a08ae62b7e7a10acf9275ae2284794b291a9a1022516a6ebe4ac42764e27926619bfcf

        Download Submit

      • memory/5068-28-0x0000000000C90000-0x0000000001CE3000-memory.dmp

        Filesize

        16.3MB

        Download

      • memory/5068-3-0x0000000001CF0000-0x0000000001CFF000-memory.dmp

        Filesize

        60KB

        Download

      • memory/5068-1-0x0000000000CD0000-0x0000000000CD4000-memory.dmp

        Filesize

        16KB

        Download

      • memory/5068-0-0x0000000000C90000-0x0000000001CE3000-memory.dmp

        Filesize

        16.3MB

        Download

      • memory/5068-2-0x0000000000C90000-0x0000000001CE3000-memory.dmp

        Filesize

        16.3MB

        Download