Overview

overview

10

Static

static

3

68435e31d4...18.exe

windows7-x64

10

68435e31d4...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 18:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    68435e31d4782dbcebd3f2cd32c1bec2_JaffaCakes118.exe

  • Size

    376KB

  • MD5

    68435e31d4782dbcebd3f2cd32c1bec2

  • SHA1

    36e3744744ddaac1f24c6e07951ff88570757654

  • SHA256

    246f9c1e770dd0da69bb4850892f826c0b8a72f3ec28a25da33a92b78fcf80f6

  • SHA512

    550a20e0d75bd2579d14c3b9e708a4a0c4924c2fbf36fcc22812a00a7a69450e8f3498cc0e55453a907e3fb3e010b5e4620f16f7d3323767139258b1ed4e1034

  • SSDEEP

    3072:hkyrSmefi8xQRv00gDg4JmUrQrY17hJHe0KuVuPi6d+YShwaqz+UQc/uGkn3dK:hkal2i8WjgDYY9hhFxTyUOaMkN

Score
10/10
gozi3195bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Botnet

3195

C2

nsyblefgg.city

m25lni11528.com

dgrover.band
Attributes
  • build

    214062

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68435e31d4782dbcebd3f2cd32c1bec2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\68435e31d4782dbcebd3f2cd32c1bec2_JaffaCakes118.exe"
    1⤵
      PID:1596
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2664 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2556
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:548
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3060 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1336
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2948

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      b10d358f4baeb2c32e75e29edbdd0441

      SHA1

      a7563f1d64118300f305c1e304dced32a124806a

      SHA256

      240af692edfe86cc223cc1fc3a48dfeed498e3fe00f5dcacd445765d70c97d13

      SHA512

      fb54fcf2968a2729ae86405b934583e1a8b660635cb0dbc07b930455b1e4920f03a67305d94d2ae150f82e29046953262503946dac8a8640ece11e1dfbc101ab

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      acc0550d738c5a65c233dd98336aacc7

      SHA1

      229eb3d210dc6467619d71f5f1c4c106c0e1694f

      SHA256

      04358348d12be99240b297da6e11eeef63f842fd597e3c4350ce041fecf77847

      SHA512

      0fff5fdfba05c302def09f3b9e6514030dfd9b6d6cc6a7893bc82b68d93ce3750b79cc74ceee915df8942a069f818551de48f4993380f8ba793ac403f48d957d

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      dae938c3352229eea7248b906505602e

      SHA1

      2ec8f6d327e4e84cae4cfcc93956926446ac929f

      SHA256

      b354cfaf0e9b2a50ea7ad1aee02eecc217ec4184d7d948f9e2601503c8949b02

      SHA512

      4f12ee61081058e33e18912041269af97cae78d04ae9e770476781ef2afbc146e8075df7451692cbbd87615c3787ea7a0f9f4cc209805280d3b25514fa8a65e0

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      97a57d5b9df9c455f26c472951ce3c5d

      SHA1

      44198f8888e526651bb35580723983ed2d3e64cc

      SHA256

      f0386216fd9e538d73679f3f89fbf13746ad4734c8468fd1481306fbe59e2a52

      SHA512

      74acbc6380155a52d99699aad69ff5b7a93e6acf3113e0e475fcbc3a6b055bc9f6536757ee0d3e043d3a51019301f2537de65e13d68e7629b60fc5b7723b73c2

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      f7087d12749e03e30644238893538f7c

      SHA1

      ded689e184c4021fef297798bbc436f4e3b6cc98

      SHA256

      ccc47afb03d3957ed16ab9c5a90742d32f166237a7e693927604d6613b26d277

      SHA512

      a8d290b118bc4bce992297557cc335adc7eb6604fe06402892e76e40cfbe638a56964e8dd43d541b8287a370ad3987147839115c542758cc7a286e99955e7f8c

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      91054eceab27f9e36f5642b9708ddf34

      SHA1

      92c1770c0a1323144eabea9db0765d54d6ebaab4

      SHA256

      06eb8a053e9d3966dc4cfc43667a80333c84319070fb71f83ae06bf4664efce4

      SHA512

      cc5c15b685bbc6f4ca2af86fc379dec74080a224c567de565f9d69b756e3ae12943378f7bb1bbeeffe7a144a1b9c57105dfd7e6b885e317745bbcae15ddea4f7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CabCB3E.tmp
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TarCB90.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DF8661433D3F560004.TMP
      Filesize

      16KB

      MD5

      2f6aabe4eaa29aafbcdd655acd20b292

      SHA1

      107a87fea37014cbb21c4b3143a0624e929bab7e

      SHA256

      b130061de35503a51e0ec4d7cca8416e6fde799151c9d02514fffcea3f86dc45

      SHA512

      5f1e463c1385eaa5aea558f2c5ca29aba75dad79d93766fb61968204a817b59a7f05792a63e9160778423bca863b6ca22d5b031251efb3765c72c22417fccab2

      Download Submit

    • memory/1596-0-0x0000000000100000-0x000000000016F000-memory.dmp

      Filesize

      444KB

      Download

    • memory/1596-6-0x0000000000270000-0x0000000000272000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1596-2-0x00000000001F0000-0x000000000020B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1596-1-0x0000000000170000-0x0000000000171000-memory.dmp

      Filesize

      4KB

      Download