Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20240419-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    18-05-2024 08:28

General

  • Target

    53d8ea164b490af24e043ef77ebe8712_JaffaCakes118.exe

  • Size

    1.8MB

  • MD5

    53d8ea164b490af24e043ef77ebe8712

  • SHA1

    41d9f4ab68ec198e024acbbdce8d91a9bddde8b9

  • SHA256

    c89b2727ab393f3fe219f43bfd150cf12a9dda5929086070ac87c8b0ecd362c5

  • SHA512

    abcd7af099cc3bce53a65e1fd3dd99a05d762f6a1762356cb141a8b9bebb3f65fa1a21afac0892f96be2c9e88dc0f677b862658ef95b1b531a5585930b5252d6

  • SSDEEP

    49152:4SuE3EtrqPKIO23Hlin6COYolnyJ2WR6wOHste0uIlCj790Lhf4xC0FyQ4L6nd:3L3wqPKIOson6Cslny8WR6wOHstehsC7

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214062

Extracted

Family

gozi

Botnet

3184

C2

qfelicialew.city

mzg4958lc.com

gxuxwnszau.band

Attributes
  • build

    214062

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

  • rsa_pubkey.plain

  • serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\53d8ea164b490af24e043ef77ebe8712_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\53d8ea164b490af24e043ef77ebe8712_JaffaCakes118.exe"
      PID:1516
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:275457 /prefetch:2
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2980

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      83d53e6078303834a15f452550b3870f

      SHA1

      13cee9153ecf240b6e84d15bf6a8e1d4f0529c15

      SHA256

      ab8f14d470c5f84a4ae8fc1d8803ecfc4ef5e0f4207786d8c3883d496c953c1b

      SHA512

      7c76c89e4382a800aafa3a217b5f4ae6729bc1e75bac40ec48b22caf5b775373b6a8e9598c7819a9183d3e5ffcf9b6c34d3d5ba5a0f0a7eccb7f99bc8f7d7c46

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      d2f1fbcb907d505a09e75383c7b6d038

      SHA1

      7e196385d060cfbb82157f5d8af6310b89ec0b84

      SHA256

      51bc304100b02c848c73f96ba5c870fe78e46cce08460b120c461b7f87a79d2b

      SHA512

      eb8e2589ab89dc3e8f98b4eed4afe5c08fd1c6e42b05d0891e829e2ed67d67f52c42e2400dc3adb11abc5fc624fe774da85544f3c11f997b500490b795c5758d

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      3e681708ea47e16bdeb8bbc52cf8e4f7

      SHA1

      6543e2c2982fea827757a874dafe95f6ff44660c

      SHA256

      9cda4c2ecb79d232cf0f0742e3c2dcd7daf8458a91730b9f875c5bbe18bb21be

      SHA512

      9e635eefe3d8e68e953e4dfbd685b114d09818266626ac5ffa86169a9a7803330d3f72309e560d424bf4aac32b6813f782cfc7bd4f19c928515893a32c05467d

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      193f747e75a75ce5b3184a4b1c998b8d

      SHA1

      1481782f43ecc1d9bf4488d1f909a01cc9845e78

      SHA256

      1ba662a56ecbfd70a2cb7d7880be16b0de70f30ffbd442730aaf9e736e335d56

      SHA512

      d1174600093bd03122d1312258009debe81a722998f8ff32828b255ee9270e8585e04d8af67b01fab62451c147c8b3e5cb602062c0cbb2779dfb0a9ba2b5dcb2

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      f10edd1dd0a9d025608e9854ab33504b

      SHA1

      e18c38c59ae094c79e9c88e94bf385f619eb8e2c

      SHA256

      3b1ea187fb0d14b7d385811fb1e4feeac67a5d38fdde7b449b28a1155edef40a

      SHA512

      0695c8029ebaeaf79caaeb01261220a3f9d9c08df865a8f13e335929d092436535394b336ab8496e77049a40aee4c7c48e7fa8c7d762cc0ec09f6b002d8c6612

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      7e22f49602cbb22e9af89d5f800a7ae2

      SHA1

      28d70a91635556a2813a0b8b1d1b61d33c3bdf62

      SHA256

      547e46a80cda665288d928aa6108795a8d03adfbe4faf603bf344d66d8023813

      SHA512

      7e5f6d6bdbab4a6b8f4a67de236c0f35dca19a83bf14c888fa535a4c95d606204295f44f1b392bf117a75982d0bfcc59ba540446cab15dfd42b4d0c4d3fcba37

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      33092e8d44d43b389d7119d6ada5c027

      SHA1

      a581f5cc48c7812a434209fa046aae54992653d3

      SHA256

      97edb575f81b91a65f346a15ffb42d3a73b83392e7c7fce1d451103b013e2000

      SHA512

      3d2edc46785747bc73b487c8bdc83e8e7419ec70b83df6eaef399f4cfa9f43e941efc3687b3458d951e30121c9499a3eb3aa634e10a6cf27f069c376fe521048

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      d73c5c3942f61b9605a87793a99af608

      SHA1

      55e0263161644fde34730df9bfa67c60a69eddc0

      SHA256

      bd30ddd7fd9d5f25f6245379b3708985fff38849fc7381d4ecb209b665ba50c3

      SHA512

      1d9960e4fb6a1d378e6a7f3ac47a95509e3fa8f1698e4f7575b81cd02bec542abbd4b80fb5cb0746a1e7433ab74829a09fe310de8f224f4c6ce0bc3b370b47cf

    • C:\Users\Admin\AppData\Local\Temp\Cab9A7E.tmp

      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    • C:\Users\Admin\AppData\Local\Temp\Tar9B0D.tmp

      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    • memory/1516-0-0x0000000000400000-0x00000000005E8000-memory.dmp

      Filesize

      1.9MB

    • memory/1516-13-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

    • memory/1516-7-0x00000000003F0000-0x00000000003F2000-memory.dmp

      Filesize

      8KB

    • memory/1516-4-0x0000000000370000-0x000000000038B000-memory.dmp

      Filesize

      108KB

    • memory/1516-3-0x0000000000400000-0x00000000005E8000-memory.dmp

      Filesize

      1.9MB

    • memory/1516-1-0x0000000000400000-0x00000000005E8000-memory.dmp

      Filesize

      1.9MB