Overview

overview

10

Static

static

3

6cdc9bc464...18.exe

windows7-x64

10

6cdc9bc464...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    24-05-2024 01:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6cdc9bc464176a92ea382fddfff20648_JaffaCakes118.exe

  • Size

    648KB

  • MD5

    6cdc9bc464176a92ea382fddfff20648

  • SHA1

    027aab932f5a31b3bfcfedfb231a4a85f9e1acc6

  • SHA256

    8a5da5d3712b51c43c274a0f6d71a26d0516a519772723a526304ae75222c099

  • SHA512

    ea1f8d5f642e015b6f5ebc368158ce26310cea0bb19c4d6b3f2bc9fc85586996e35c639acb48a3de2da80aeded619ca002e1594e36e4b39741a664197b1cbedf

  • SSDEEP

    6144:Q5mTExUok+1NjIjODnupJnMZLrSPm4JZM1o7SVMVVadETPjSjCv4RgSNY5v6:Q5wEx3kEDnQdM9rEju0TH4l

Score
10/10
gozi3189bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214062

Extracted

Family

gozi

Botnet

3189

C2

hfmjerrodo.com

w19jackyivah.com

l15uniquekylie.city
Attributes
  • build

    214062

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6cdc9bc464176a92ea382fddfff20648_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6cdc9bc464176a92ea382fddfff20648_JaffaCakes118.exe"
    1⤵
      PID:1952
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2740 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2232
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1864
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1864 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1240
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1992 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2216
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2980
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2980 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2200
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:360
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:360 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1964

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      1d0f6a18f9313c79333eb6d79ae462ef

      SHA1

      41efa955cc180bece82e04fb9293015718daefb5

      SHA256

      f134789575cf78116b316b2466702db2f84033ed75cc933d392d5b0c94f08aa7

      SHA512

      56f45b6d771ac03f1df1214414e95044302e6b7b12ffae858bfaef2136a1aec214734d35e6cde4ddf913a21d0fdbe5861271ab479397af2566792946184941bb

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      2d29c13cbf17a450b6560e0ef09c8c96

      SHA1

      873c5579cfdd96d1ee09a2d4b2dab92d69b485ef

      SHA256

      7a2cc1e1e89b0fe3c81613a02296883c9fbf3f4f62cd76c73600605a5c0cd4bc

      SHA512

      53abc33f3fd9583cf6bb21b1530f51e085c041a45bd3effd170734b9ce88ba5a093f71b5cd922c0382b35aeca7a574f5fc8287f266243002411c9a6ff102fa5c

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      ab35126ab9b0e1bbad90b4f4bef1cfe3

      SHA1

      9cf5feb6ee4287800ac76e077ee71c47d31e16bb

      SHA256

      eb4f8a639722ad0ed4840ea33662f7ea775e7021ebce81e7610541b63b87d142

      SHA512

      6e6a50e4cf2854f671753d4ea36d5bb6f8451331a348872dab8815458e3c23285a5117c2a80391a3d0212c7c9ccc54ace17975e8251790341f812a24cd6a3c81

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      33c3737527f5b99b7e2b256515b2ec8d

      SHA1

      0d4f820833a9d1d47371b8da01e544c3e78f2f0d

      SHA256

      c8063d60f4ccaae3af408bbc2d9c14f877798be30452c2ee35601c31242a44ff

      SHA512

      d377101ddc836cb25591e28035c006e01411ee573c69438f9e3f9eee3076c7939d5a9766b1d812fcccb8de2a81ad726cbaa593d5c20946789fe424a5975c0819

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      6e900d928e5a518e34da1d9af22baa88

      SHA1

      665fa6869c846947e4f9860d299eb10171ebe680

      SHA256

      e2664c8d9744d961b2da8c9ac716ceb5ce543dfc634e9f50cdf681a577a9b180

      SHA512

      346263a1519c14308a3428156ece3aa5167c07ce131156faa641c9be52d252fc64026e266d2d6ec81146e6646d4d9f5fc0350b766103041981f24fa77d219fc3

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      c1ce759b79cdac80090ebd19b6e8b3d5

      SHA1

      d7e365b41a2ba816ca2d80b5235350e265c60ea1

      SHA256

      6081f35e38013b36958b5b4baabe54c0d3df3911d685a2e6cd91ca6ffbda4ba6

      SHA512

      4589116c41e26704f4a691aee8b742f1c4c7b2cfd435fcef13e0abc03ebd3b8df25cc59f931f8288c0b422fffc9fc3b7a269eafb725e023252b8aca02126db3d

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      8df270d4c560342691e5cf7d31605bd1

      SHA1

      ef49d30a8c06021627f72a424b95aebe043c3636

      SHA256

      067cd3448e710a8d9861472cc0286a6228e978a59a27248d622ced9f893bad2e

      SHA512

      5369e4ffa6018d56fa1ab68704316165bd1358c6338d5f172fe876c73a694ad5b1e37c8eacb9f8b745175a158d2b19e8c65cc27b3485a97bb5262f5cedcbed14

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      f80b2ae0be81b16a7e9278cbbf476f09

      SHA1

      96a2f535ff148dfe7e80b3732b1a2af714f850b2

      SHA256

      e8d99fa199833adf3c3cd13fff1855f4e4052092307384af56ad2669c950d44c

      SHA512

      92465f94c88df6bd68b8346340f950a677d35f0810c9760fddbee0bcf11e53f21a8e732f2a3620ab06a39e3f7d2211274b1dcd78603fd73a329cf2d0122ebc7d

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4JZQ5QLK\errorPageStrings[1]
      Filesize

      2KB

      MD5

      e3e4a98353f119b80b323302f26b78fa

      SHA1

      20ee35a370cdd3a8a7d04b506410300fd0a6a864

      SHA256

      9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

      SHA512

      d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8ADCJI8Z\NewErrorPageTemplate[1]
      Filesize

      1KB

      MD5

      cdf81e591d9cbfb47a7f97a2bcdb70b9

      SHA1

      8f12010dfaacdecad77b70a3e781c707cf328496

      SHA256

      204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

      SHA512

      977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\httpErrorPagesScripts[2]
      Filesize

      8KB

      MD5

      3f57b781cb3ef114dd0b665151571b7b

      SHA1

      ce6a63f996df3a1cccb81720e21204b825e0238c

      SHA256

      46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

      SHA512

      8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\dnserror[1]
      Filesize

      1KB

      MD5

      73c70b34b5f8f158d38a94b9d7766515

      SHA1

      e9eaa065bd6585a1b176e13615fd7e6ef96230a9

      SHA256

      3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

      SHA512

      927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\CabB694.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\CabB772.tmp
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\TarB787.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\~DF4DB1087313264500.TMP
      Filesize

      16KB

      MD5

      5ee657103b2f82ea1e7b92655cb0a354

      SHA1

      e1e17e17cd876c1a4e46e1a1f06e438b39068140

      SHA256

      71b1a1126f2a7f025f2c9112c2c0d99a8fd81d549900fb35f35e0197f460e3a2

      SHA512

      d4eb01483e17cb3cff845e361dde60d10abfbbee35784f62d230691861cdb31277857dfee915dc36d542ab9f5ae6ef30937736f2340a8511f8c9d28af68c2f3b

      Download Submit
    • memory/1952-0-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/1952-6-0x00000000002D0000-0x00000000002D2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1952-2-0x0000000000290000-0x00000000002AB000-memory.dmp
      Filesize

      108KB

      Download
    • memory/1952-1-0x00000000001E0000-0x00000000001E1000-memory.dmp
      Filesize

      4KB

      Download