Overview

overview

10

Static

static

3

64550f6691...18.exe

windows7-x64

10

64550f6691...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    21-05-2024 18:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    64550f6691030dd771b5b96efcdc7df8_JaffaCakes118.exe

  • Size

    372KB

  • MD5

    64550f6691030dd771b5b96efcdc7df8

  • SHA1

    7cc5ebe466b0d0332fbe2db42525c89c42ab575a

  • SHA256

    f4bb0a4f8ec94b5bea35dd9d193c5fba0c283c5ac701830108bd462c6501b82c

  • SHA512

    1f886807b777babb6ff9755b6e3903f002ebac3a6a360c9efe6de99a4d4d6f4c3d96899d36552fe33ec3a8951e01db1ec5bee023242ad5e412c6219828f8fc0e

  • SSDEEP

    6144:QfsvEug4/COMAIOVW3Uqz/HJpadR5FzogF:QKEufaORxezE5Fz

Score
10/10
gozi3181bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214062

Extracted

Family

gozi

Botnet

3181

C2

bm25yp.com

xiivhaaou.email

m264591jasen.city
Attributes
  • build

    214062

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64550f6691030dd771b5b96efcdc7df8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\64550f6691030dd771b5b96efcdc7df8_JaffaCakes118.exe"
    1⤵
      PID:1624
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1908 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1496
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2036 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2976
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:284
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:284 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2700
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1676

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      7c61f9aaaa53239ee766f84adee6c595

      SHA1

      5341530b2b6f203146570a0f063cafed3faf046f

      SHA256

      2e41879359fe8ece3a235de546baacf443ed6eaeaae914b774b90b8b01cd9332

      SHA512

      2230616d89a5e7fef263e81bacf81a34b45b8f158adabd2a2ae22f765910ba8b41033485f2e5fcfaf3534da3760669b41f2a0f1eb665a061bb6a0df74ddd57dc

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      ef931e02debea95815fb2b219870fd72

      SHA1

      884a810946195785ac19a514dc60b5e4a4da0f7d

      SHA256

      b9706a8c3819704d88a768dca39f1a695512a8e8478c8f9469d03b28195f5a1a

      SHA512

      2dd8b109b2ea32e75ee9eb71d522b5fd2e0fcf6b83f5f44a0076c39b7e9c2827f3fbaff7623c34ec6b4d8eb3d619a8de76d01cfca340ae202b791bed88d7e52c

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      b69a316f52b566cea85d227c079a3f67

      SHA1

      7465510c6862a4e94aa02e426649168c01f2441a

      SHA256

      d7054302e61f505421e8af785c05bdedaeb3b471723bd3172257a65b1b1259ad

      SHA512

      25464ef6e1677b931b85fbb44c7162968e89092bf0c58da67676e9d14042d6a12abfd76f88a14404bb04eb4c7fc8b3b658c8834aae60cf273ee4cf9555d2a549

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      b5ee3fbc3a6a1d37de7f987d9e0dba79

      SHA1

      3df6c929c5fe5caf88772956d81382e0f0a9cdcd

      SHA256

      1c5eae843ca00e1c28dc4225dbe23b2f5ea5cfad26e9dfb70c444ec5f0949afb

      SHA512

      f5068ad5de5cd2ad6276404088f64ca8608df14937fcb8a0b358a626049a5168faa2609194bd642fa0f4991808008a6c8d24156d9ac9edc9703a3bb0b7b099b7

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      8f9b02bd9d2975aab29e8ed808f0af43

      SHA1

      d0e831426fe26d22287d668fa753e560b1388cdf

      SHA256

      8442371369cebe278d1227df2c92470e3497a1298be143263200883467934846

      SHA512

      28f4285039217e5e3a704d8833819f6e8efcfab1f2715ebe1a12d393bade0dc1bfa349c0c2b58ecc1b2c1e210cb71e4fb87687acdf52f99ec10b0ad14a308cff

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      833b6db77db12c47f8f5bef529d2001e

      SHA1

      05df4dd89e9325e49da186873563d2bab5bc4b8a

      SHA256

      54ae5a8a3788130b88c357568af3d9315e99f8ab2af192312dea2ea759e44f2e

      SHA512

      de5e7e3c32ff4f8b0f6002fff3146e468205ec9133e894cf806fc79a160dd6f8f9c1df4b3707bc1b6b00700840a1a59f276e9579fdc25d8aa27115f56c2c81f3

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      9bb61eec6532c7c42ab6109836fa140f

      SHA1

      91f3c5e0b1550b89ca05c9bc20dd3935cfb04a97

      SHA256

      9ab58b8b0e9bc8e2079aa81501a90f8fdfe36d5d08e76fe21dc994d362dab6ef

      SHA512

      67992ed275918fa36634aae969c42402a286ad0eb99df95b5bc8578a84ba1fdd9f16c1bed175b07b3e6cd065345ac1d47eb10272406443914294474705e241a8

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      3436cf992844c88776ff248a93c80c58

      SHA1

      e9f80acfef50b3ae2662c0baacfc744d40d5ee11

      SHA256

      931a1f22c0186303a52163dfafd13ee9cca9d319297c285eb9e3e1a8f4c9ed1f

      SHA512

      c4a1b80d021720e64d0d67a3249d47dd7610c0d626ecee78e6464175a60fba97f1bf615907484e39c127a08b3de0788a2351c0f241a595fd8327361e1376fbd2

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      bd2f7b4265c4b3a713e6137e9354d324

      SHA1

      547a7f0044a699b3f776c9b5eb2c22906eee730f

      SHA256

      26d24b1405e12a37eeb7a51dd72ee7f1f78581829cdd3b0b98b0c2f906936935

      SHA512

      711fa057f772c60951344cba33b3fc82ba5536c381066bcef5284e3df1567f01406ab7b12f617d53db624557bb051aa4464140f450db0b086124d9317d694dab

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Cab71F8.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Tar7308.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\~DF09E7C18D59FF606A.TMP
      Filesize

      16KB

      MD5

      ce64af7c144d20865bba0be9941bca0d

      SHA1

      839cce025068a8ebdb2f2be01f4f6f5072d39ed8

      SHA256

      23791a2f91a4294a7c3f534c5bd15d5bc7fac77c35b16f7d6c0963cdd81fc3fe

      SHA512

      2138abae237fe3fd86c5cbd3cf16fd53ec51a52cc8c82769a193366a8f7b2ad3bc223bfbe2b809752a288b7e1b495a6ff5ef4a025a64b63af45325d3e4ef7436

      Download Submit
    • memory/1624-6-0x0000000000360000-0x0000000000362000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1624-2-0x0000000000320000-0x000000000033B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/1624-1-0x0000000000260000-0x0000000000261000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1624-0-0x0000000000400000-0x000000000046D000-memory.dmp
      Filesize

      436KB

      Download