Overview

overview

10

Static

static

3

594ec09e59...18.exe

windows7-x64

10

594ec09e59...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    19-05-2024 07:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    594ec09e59c4461ecd9167b5939e8d31_JaffaCakes118.exe

  • Size

    265KB

  • MD5

    594ec09e59c4461ecd9167b5939e8d31

  • SHA1

    1662b1192697ba1a15bd7f31156ce78eb293ec47

  • SHA256

    eeac3a56bb646b8b88fbd021faed46396190987435caebaf2f38f39d9e11b4f7

  • SHA512

    3c957218228417177cb562ee23c776acff1f2cef36fc5719d890cc453e002d96a600c04287204ef263e79f055cc907ac9e29304021a69bb7d96e8d49ef25ec5e

  • SSDEEP

    3072:4OU1H7tRFNhHm/4FBVlhmhvXsk/GYtnkAtc3MmJNz7YaoXryNnv0uLT+K/5XK3mL:y7t9hpHlIt/GYiJV7Yaq2nvNLT7/I3m

Score
10/10
gozi3170bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    217161

Extracted

Family

gozi

Botnet

3170

C2

oozoniteco.com

cetalischi.com

duvensteut.com
Attributes
  • build

    217161

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\594ec09e59c4461ecd9167b5939e8d31_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\594ec09e59c4461ecd9167b5939e8d31_JaffaCakes118.exe"
    1⤵
      PID:1680
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2404
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1988 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1948
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2784 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2624
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1616 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1456

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      492f3d6b3bb472a30f2bd3050ab285ec

      SHA1

      687698c759068f70128ca451de6f4def2bd01da9

      SHA256

      defd38e05a862d3fb5df518ebfcc4dd0e5c39bda6a50be70e6d7e1dcdb78aa01

      SHA512

      4d00738e5a574e23582f9eafc3221cac73343ecb128eed6d9eca97de3c976f74be68a34c2f8b0ada3a7580f79f7d1c4ed5697c4046380d3f8cf69cc6d9ca39ec

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      0502532a6b31326055b01e569f0ef314

      SHA1

      316556b7edacd8c0eff13a4a69d65f546381e730

      SHA256

      28b4728042721a7eccc77e2f3a1d38859a9234a36085afc82907ee7f84deef78

      SHA512

      09e1d669b7958675bd361cb0201ff2315c466573dd9244a93bdb2a395780bf1b36df6673a79365dce8c9ea53dc3e6aceb2dd18e92a8aa946bc18f20edb827d1d

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      7637c9ff26a83a4069e9befaf4b0429c

      SHA1

      07d34058e9a287f037fbb8d682ddc6245c0d6603

      SHA256

      02f3d4c1430e3295894d71c6ecd566a162894d6df31681297799a892b8994ca4

      SHA512

      0c31669291343c9d05122435ea65cef782766dea42161499fc50c9829087306da1118edbc5ebd34e93cfbae60a29a56251feb2be94f9006e7689e13688ae1103

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      b5246d2d87ce2f6ec4364af385416096

      SHA1

      7f8938bcb7cb18adf1badcd245f86ce1c061cc8c

      SHA256

      7f629ba9f98f37d6bb0a8967222b998cfda49bdc47677d2a92b339a408d6ab85

      SHA512

      678b437199b9611f95afbdfe5b528e774f11d57b068e7ca252c8e4bd2c8f73e29cbd026584547d05f62c9b2efe8479a982d080291d39201c552f09c1df626d5b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      92ea8444a3b4a4d250ff56e99d61c50c

      SHA1

      3bb74da6e094b565089beb9ae57392e5aa303b20

      SHA256

      7873fbb8326948fde1e9a766a941903c85e305986cd115d0b98853c468dce94b

      SHA512

      33e722effaacb3bd7679525069d1697b7f42f554efcce9da2fea723a0bc6bf399f7db395b2ffa3dfa9e3809cd2ef54ac0c68095b7771c373099144908e455d8f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab97B0.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar9CD6.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DF3A943918804F5B3C.TMP
      Filesize

      16KB

      MD5

      73c108001c0b8e97872d3ef6e119145b

      SHA1

      7f08cabe4e9313a127adc19389e91e72528797af

      SHA256

      902431b74a4ea4919e82de7eec7b269895caba1a54a71b8876589c98644dcb2a

      SHA512

      f87bbaa4e4d9b3c3d55158f622e629771883c2fc3c5eb2655a44e6fd0c266123b60fa855a8e25c931eb37739281ebf1570417afebbe8d48d3f0dbac2deba06d9

      Download Submit

    • memory/1680-0-0x0000000000320000-0x0000000000376000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1680-6-0x00000000002B0000-0x00000000002B2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1680-2-0x0000000000290000-0x00000000002AB000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1680-1-0x00000000000F0000-0x00000000000F1000-memory.dmp

      Filesize

      4KB

      Download