Overview

overview

10

Static

static

3

6399c19bbf...18.exe

windows7-x64

10

6399c19bbf...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-05-2024 14:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6399c19bbf98516a818557c0085415f7_JaffaCakes118.exe

  • Size

    319KB

  • MD5

    6399c19bbf98516a818557c0085415f7

  • SHA1

    3f463ce6cbafe5f3b6fd9a1cd32ff7dfb38ec2c9

  • SHA256

    48c9bb4bc3bb10aecf225e018aa9af107b37cf873013acefec0522faa393382f

  • SHA512

    b4122f960646048a76bfde5138260145c60e42c33b47e5f456c1d6a46d85db1a39fc40111d1609a3fcd6a0e06aabb8d0f055c1af7618ba60d21a0f454cccaacf

  • SSDEEP

    6144:oLxiC/F2w2jz2Kb5UpSjcl5yp0F70dAVePaTctCjD3JNEfJj:oLxiC/Foz2KeyGZVEsD3JNEfJj

Score
10/10
gozi3453bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214085

Extracted

Family

gozi

Botnet

3453

C2

google.com

gmail.com

gyvmogabriel.club

t161ramiro.club

rfztobydbgii.com
Attributes
  • build

    214085

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6399c19bbf98516a818557c0085415f7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6399c19bbf98516a818557c0085415f7_JaffaCakes118.exe"
    1⤵
      PID:3420
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:4284
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:952
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:952 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3700
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3440
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3440 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:544
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2736
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2736 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4552
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4684
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4684 CREDAT:17410 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:4544
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2904
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3460

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\robot[1].png
        Filesize

        6KB

        MD5

        4c9acf280b47cef7def3fc91a34c7ffe

        SHA1

        c32bb847daf52117ab93b723d7c57d8b1e75d36b

        SHA256

        5f9fc5b3fbddf0e72c5c56cdcfc81c6e10c617d70b1b93fbe1e4679a8797bff7

        SHA512

        369d5888e0d19b46cb998ea166d421f98703aec7d82a02dc7ae10409aec253a7ce099d208500b4e39779526219301c66c2fd59fe92170b324e70cf63ce2b429c

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W5OVUPOF\googlelogo_color_150x54dp[1].png
        Filesize

        3KB

        MD5

        9d73b3aa30bce9d8f166de5178ae4338

        SHA1

        d0cbc46850d8ed54625a3b2b01a2c31f37977e75

        SHA256

        dbef5e5530003b7233e944856c23d1437902a2d3568cdfd2beaf2166e9ca9139

        SHA512

        8e55d1677cdbfe9db6700840041c815329a57df69e303adc1f994757c64100fe4a3a17e86ef4613f4243e29014517234debfbcee58dab9fc56c81dd147fdc058

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\~DF43E692BDC0D44CBA.TMP
        Filesize

        16KB

        MD5

        65f6bf56a10ede9b1014937e8fec6d10

        SHA1

        ce8639c4a0742234ca4db0eb0f0f0ee37cdc0e96

        SHA256

        e808ca34efa76687e57175511970c32023eacfac61b0ce455c943163a0fef482

        SHA512

        51bf03a947a2dfa55902ce02fa5a7fb1a522fb47549d84d4bf6c389d38643627599d13cf05c706756cd300e67b89f6d8f364f3d18807d99fab6df808b70b8c13

        Download Submit
      • memory/3420-0-0x0000000000400000-0x00000000004F6000-memory.dmp
        Filesize

        984KB

        Download
      • memory/3420-1-0x0000000000590000-0x0000000000591000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3420-2-0x00000000005B0000-0x00000000005BF000-memory.dmp
        Filesize

        60KB

        Download