Overview

overview

10

Static

static

3

631770628a...18.exe

windows7-x64

10

631770628a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    21-05-2024 11:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    631770628aa69be9bad3c6673f7d4f8e_JaffaCakes118.exe

  • Size

    338KB

  • MD5

    631770628aa69be9bad3c6673f7d4f8e

  • SHA1

    f9f366cc011565a8006ce44e1ec3586b71395b42

  • SHA256

    3761af66c1309d720dddbb33b272a77981d5843abc04334d9e7c7817021dd2f4

  • SHA512

    87c0089ebe45ed8e752fb693d4bd0ce4ada5690fe22ca68ef2feb00093dede9c620ffb4f0630c4cace10d835d0c2d29fe496b89566630d6b8350c1d94d4e2e6d

  • SSDEEP

    6144:eBH6A5dMkv9c5dgzyIKJ7hZWeG4HjApFiXDmT:+9dHqHNpJ7hZWfEqFsmT

Score
10/10
gozi3191bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214062

Extracted

Family

gozi

Botnet

3191

C2

grtyrrodfto.com

wenyjactvvfat.com

egwnwetgwoiiie.city
Attributes
  • build

    214062

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\631770628aa69be9bad3c6673f7d4f8e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\631770628aa69be9bad3c6673f7d4f8e_JaffaCakes118.exe"
    1⤵
      PID:2220
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2720 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2692
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2124
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2124 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2472
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1956 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2092
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2964
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2964 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2808
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1448
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1448 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2608

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      5ea574480c564639379b8dffedaef106

      SHA1

      403a3415920cb02b6309be5a30d9e69fb6a62bfe

      SHA256

      cb13dd1ef7a64888116f92fcadade3cde4b474e5146b94649cc4c96b1ac1a7f2

      SHA512

      6fe39033517b1ac285255a4e08f65a46d6be4954c9bd74103feabd4028ebbb03462b8c0e62f217cd00bc65f5bd2cdf5f01fa82a83cf65ac9e9bc1dc39c0c915f

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      9513ff989fafa39ec6ea6161b82bc8e3

      SHA1

      680df9bbd3fd74e25f52994fce509f0a8bb76b03

      SHA256

      bb0cce39be1fc6cce18acdf71b2f264589fc0e3cb2ca672aab1983545b1a1b28

      SHA512

      a16bee1bcf10ea0c8d9212849f228d0ba0aac1eaf87bb4f74db963629952c96b02eb0b660f0314b0e40880f003edae1766688d2cf604709e1f44d4017057627c

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      e334118cbe082c91fc693ec97580b460

      SHA1

      f35841a7f24bb4a583b15482ddd01ea5fc5ef2f8

      SHA256

      0fd16fcc30598eac236055d1d8c00cbb4496abcd722077cf938e9c305a032786

      SHA512

      1bcb4eb8b64d2c4d8de28a9bcfbd5599480a9ab88bcc38bcc24e1f3b4923e229ee566d82e5b37ed00105444d51af2ae55c1490b038ba563d1a88e3aca2c4d613

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      1bd5af05a8a182e0928217597f4340e6

      SHA1

      9bf3a1bfdcd2cccd1d0ce1ef940d209fd7881f51

      SHA256

      8bd9b85a63bcb64262975c58ab85df5ba21b3b1310d1a91fcc9bd747a32aa40c

      SHA512

      7eb19801409985025b345f6cea274ab8bb05db4dd21e6e848ac796254be4385c18c0ba266781da8858c6188fc94fadf3275d969f91d40c631e8589bd23b91924

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      4cac744fc209decd032cf8ddcefe75f3

      SHA1

      b2f5ca344a93c19160fa248521520d94e37591e6

      SHA256

      2b09ce2ae2d88ca51fbc0ad9c0ff4fe1ee480058fd00711b2c4b955e6d00971d

      SHA512

      035a299f69a857c6c3c7acc2adcc668fdc7b0733bc3cfa40452b402a3f7ccb76e99f3b7f99281ea6580de7ffc90aa46afeb367c2bd74f94b1ad80e311b27c68d

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      79ca917a9497950f3cbe3c733bdc417d

      SHA1

      e605282fd9406c15359c1d97c6d307aad9f48cfc

      SHA256

      f8a45ad1d4d47b0bc22f5d50b73fe65399b0a62557a29b8d3f0df27a9ae42142

      SHA512

      6e5d7ef033c423533c9b767f2db76d0263ebeaffcb5f0a9d46cac42c1c6397fbb6aedea2798d815578b6b4750b97cbc9aa0436f4b5b23ed898ffc50f72335c5f

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      6839f63408224a039d1f4077c12c4c00

      SHA1

      810a98001800641ba24e80c4149c2f660f953c2c

      SHA256

      8fe3a14a78dfd29f52364bc80d4df0296954fb93dc07f4ae427721d16af05fa9

      SHA512

      5e7998baef05d02b75b0eb437b4dca6853e010633a58f4e79ea28f89e9079ee71de34e21dc999f31b698d1b0a9ba72dd4efd9ce7793f90d962b2a882399bd241

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      6c535b9eb917adf94c2b421b45461791

      SHA1

      7a38c3c4b8dfb794381a30aa7a9fe83100b8229a

      SHA256

      2573faa0c704f81d30672df9e8b21167eba4a2ab76404b4a0ffb1516bd5bae50

      SHA512

      581d6961d69018c7e0053a41019278fdab61bfd9f43169cab981939d557dbe6434af6e7fb36d0ebcc8e8a2bed468e5a187da1ed7a30ff79b328737383251e7ae

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      b807ecd2a7cde9db2cb494fe2be938a3

      SHA1

      88e2753a67f9e4503dd09439f20d8c2fd3233f3b

      SHA256

      77c194a3b9121612ee5bc646bd5e63b085ffb50fcea8def74d1dc89d8bc33ad0

      SHA512

      f333182337ed44d1ffb7a605e8cdb353b0936a7d45ba57d529678259c1e6f20465731236fc5c08b26590f1faf943e89d0858e266f5830887e33e5879cde705ef

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2XHJXO3H\httpErrorPagesScripts[2]
      Filesize

      8KB

      MD5

      3f57b781cb3ef114dd0b665151571b7b

      SHA1

      ce6a63f996df3a1cccb81720e21204b825e0238c

      SHA256

      46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

      SHA512

      8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H09CVCL3\dnserror[1]
      Filesize

      1KB

      MD5

      73c70b34b5f8f158d38a94b9d7766515

      SHA1

      e9eaa065bd6585a1b176e13615fd7e6ef96230a9

      SHA256

      3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

      SHA512

      927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IW68H88T\errorPageStrings[1]
      Filesize

      2KB

      MD5

      e3e4a98353f119b80b323302f26b78fa

      SHA1

      20ee35a370cdd3a8a7d04b506410300fd0a6a864

      SHA256

      9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

      SHA512

      d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NVDR4C1U\NewErrorPageTemplate[1]
      Filesize

      1KB

      MD5

      cdf81e591d9cbfb47a7f97a2bcdb70b9

      SHA1

      8f12010dfaacdecad77b70a3e781c707cf328496

      SHA256

      204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

      SHA512

      977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\CabB37A.tmp
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\TarB3CB.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\~DF287969F0FFE45542.TMP
      Filesize

      16KB

      MD5

      64af22e33ee134a5f3b93aaf30df08a3

      SHA1

      6da5be6c3d8679c84d775d8b5328f6242b99874a

      SHA256

      5329642187c6b1c6e2d41837bdb3b1f944dceee4e2c2d8dbec8daa8328312a7e

      SHA512

      3450a4a56b2df4e33bbe76467c1d6b55e13250e66f111503519058fc4adbb107282a950de901cb99b2ab660a0eb3365a539bf35b980b12b03f2b23a4821f6597

      Download Submit
    • memory/2220-0-0x0000000000400000-0x0000000000463000-memory.dmp
      Filesize

      396KB

      Download
    • memory/2220-6-0x00000000002F0000-0x00000000002F2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2220-2-0x0000000000260000-0x000000000027B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/2220-1-0x0000000000230000-0x0000000000231000-memory.dmp
      Filesize

      4KB

      Download