Overview

overview

10

Static

static

3

6695e787f1...18.exe

windows7-x64

10

6695e787f1...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 08:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6695e787f16834aba9284a71dbb79820_JaffaCakes118.exe

  • Size

    245KB

  • MD5

    6695e787f16834aba9284a71dbb79820

  • SHA1

    e6e8ec98c4461a9b30ef88a8ef62912558ecb79a

  • SHA256

    9b615cbd7e76bd7ba8eb200282d80eeb80acf6d7093b91eb539b61fe5f56f94d

  • SHA512

    54d70f84b4f5380afd7e06ae9fd159bb31b6eae426ab36e362b41621b96c8759cf8282b8e9f44c494d06de2406a915d9cb886e053f0d30b33715f5145aa41f1e

  • SSDEEP

    6144:9UE++GgnpJVavnLXjcKvgNclkJh5aY3+mr1:9zZGgdavnVvc5aYumr

Score
10/10
gozi1000bankerisfbpersistencetrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

goliathuz.com

musicvideoporntip3s.ru
Attributes
  • exe_type

    worker

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\6695e787f16834aba9284a71dbb79820_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6695e787f16834aba9284a71dbb79820_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Users\Admin\AppData\Local\Temp\6695e787f16834aba9284a71dbb79820_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\6695e787f16834aba9284a71dbb79820_JaffaCakes118.exe"
      2⤵
        PID:2440
      • C:\Users\Admin\AppData\Local\Temp\6695e787f16834aba9284a71dbb79820_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\6695e787f16834aba9284a71dbb79820_JaffaCakes118.exe"
        2⤵
        • Adds Run key to start application
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2456
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe"
          3⤵
          • Modifies Installed Components in the registry
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:2744
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\259399024.bat" "C:\Users\Admin\AppData\Local\Temp\6695e787f16834aba9284a71dbb79820_JaffaCakes118.exe""
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:2672
          • C:\Windows\SysWOW64\attrib.exe
            attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\6695e787f16834aba9284a71dbb79820_JaffaCakes118.exe"
            4⤵
            • Views/modifies file attributes
            PID:2544

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Defense Evasion

    Modify Registry

    2
    T1112

    Hide Artifacts

    1
    T1564

    Hidden Files and Directories

    1
    T1564.001

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\259399024.bat
      Filesize

      76B

      MD5

      5f42423c0e6a05599643785d0f565530

      SHA1

      fe601297daa97a18075c68acf6967a4e6ccb83d7

      SHA256

      759e56cd4b1e7faf1b423fc2663b44c55f65d539b1ec6aafabaa26030de57e8a

      SHA512

      3b79d053ec99832f251fadfbf2b5f7ccce72526bf5a9c03406f0cf90a105d4c59f87009dc447972ecc9280dec7a5321c2ff81758cefc800493e5f73ce8325458

      Download Submit
    • memory/1752-15-0x0000000074360000-0x000000007490B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1752-1-0x0000000074360000-0x000000007490B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1752-2-0x0000000074360000-0x000000007490B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1752-0-0x0000000074361000-0x0000000074362000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1752-20-0x0000000074360000-0x000000007490B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2456-19-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

      Download
    • memory/2456-43-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

      Download
    • memory/2456-11-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

      Download
    • memory/2456-9-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

      Download
    • memory/2456-7-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

      Download
    • memory/2456-18-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

      Download
    • memory/2456-21-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

      Download
    • memory/2456-13-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

      Download
    • memory/2456-3-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

      Download
    • memory/2456-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2456-5-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

      Download
    • memory/2744-30-0x0000000001FC0000-0x0000000002032000-memory.dmp
      Filesize

      456KB

      Download
    • memory/2744-25-0x0000000001FC0000-0x0000000002032000-memory.dmp
      Filesize

      456KB

      Download
    • memory/2744-34-0x0000000001FC0000-0x0000000002032000-memory.dmp
      Filesize

      456KB

      Download
    • memory/2744-33-0x0000000001FC0000-0x0000000002032000-memory.dmp
      Filesize

      456KB

      Download
    • memory/2744-32-0x0000000001FC0000-0x0000000002032000-memory.dmp
      Filesize

      456KB

      Download
    • memory/2744-31-0x0000000001FC0000-0x0000000002032000-memory.dmp
      Filesize

      456KB

      Download
    • memory/2744-29-0x0000000001ED0000-0x0000000001ED1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2744-23-0x0000000001ED0000-0x0000000001ED1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2744-46-0x0000000001FC0000-0x0000000002032000-memory.dmp
      Filesize

      456KB

      Download
    • memory/2744-45-0x0000000001FC0000-0x0000000002032000-memory.dmp
      Filesize

      456KB

      Download
    • memory/2744-24-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2744-52-0x0000000001FC0000-0x0000000002032000-memory.dmp
      Filesize

      456KB

      Download
    • memory/2744-55-0x0000000002990000-0x00000000029A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2744-56-0x0000000001FC0000-0x0000000002032000-memory.dmp
      Filesize

      456KB

      Download