Overview

overview

10

Static

static

3

8541c3e5a2...18.exe

windows7-x64

10

8541c3e5a2...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-05-2024 23:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe

  • Size

    534KB

  • MD5

    8541c3e5a2fea353fab1657575993319

  • SHA1

    95383648af291e339dfa628a3950686e822e93d5

  • SHA256

    4897564a8c3fd201eb272b044f8c17a2518e6cc10fa6d1bbff806b4f012805ec

  • SHA512

    0ce82bf2397186e93d1f5f0f66576536dd66462d940b781a8e0f0e52041d3d3ca604dbfd15a3c4ee196780ecf23d9145edb997d9927a9f2261aaecb305ab7fe4

  • SSDEEP

    12288:8urQ2eY45lYMxuqLOjy9lmbCKyBXUe7S/kVpprgPs:nGlY8xheO/ke7SaR

Score
10/10
gozibankerisfbpersistencetrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    215798

rsa_pubkey.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3448
    • C:\Users\Admin\AppData\Local\Temp\8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4436
      • C:\Users\Admin\AppData\Local\Temp\8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe"
        3⤵
          PID:868
        • C:\Users\Admin\AppData\Local\Temp\8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe"
          3⤵
            PID:4280
          • C:\Users\Admin\AppData\Local\Temp\8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe"
            3⤵
              PID:3568
            • C:\Users\Admin\AppData\Local\Temp\8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe
              "C:\Users\Admin\AppData\Local\Temp\8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe"
              3⤵
              • Checks computer location settings
              • Adds Run key to start application
              • Checks SCSI registry key(s)
              • Suspicious use of WriteProcessMemory
              PID:4612
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7EB0\BF58.bat" "C:\Users\Admin\AppData\Roaming\appmmlib\btpaedui.exe" "C:\Users\Admin\AppData\Local\Temp\8541C3~1.EXE""
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4916
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /C ""C:\Users\Admin\AppData\Roaming\appmmlib\btpaedui.exe" "C:\Users\Admin\AppData\Local\Temp\8541C3~1.EXE""
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3932
                  • C:\Users\Admin\AppData\Roaming\appmmlib\btpaedui.exe
                    "C:\Users\Admin\AppData\Roaming\appmmlib\btpaedui.exe" "C:\Users\Admin\AppData\Local\Temp\8541C3~1.EXE"
                    6⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Suspicious use of WriteProcessMemory
                    PID:2388
                    • C:\Users\Admin\AppData\Roaming\appmmlib\btpaedui.exe
                      "C:\Users\Admin\AppData\Roaming\appmmlib\btpaedui.exe"
                      7⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Checks SCSI registry key(s)
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: MapViewOfSection
                      • Suspicious use of WriteProcessMemory
                      PID:4988
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe
                        8⤵
                        • Suspicious use of SetThreadContext
                        • Suspicious behavior: MapViewOfSection
                        • Suspicious use of WriteProcessMemory
                        PID:1664
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3952
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
            PID:3996
          • C:\Windows\System32\RuntimeBroker.exe
            C:\Windows\System32\RuntimeBroker.exe -Embedding
            1⤵
              PID:4544
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
                PID:3972
              • C:\Windows\System32\RuntimeBroker.exe
                C:\Windows\System32\RuntimeBroker.exe -Embedding
                1⤵
                • Modifies registry class
                PID:5012

              Network

              MITRE ATT&CK Matrix ATT&CK v13

              Initial Access

              Execution

              Persistence

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Privilege Escalation

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Defense Evasion

              Modify Registry

              1
              T1112

              Credential Access

              Discovery

              Query Registry

              2
              T1012

              System Information Discovery

              3
              T1082

              Peripheral Device Discovery

              1
              T1120

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Resource Development

              Reconnaissance

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\7EB0\BF58.bat
                Filesize

                112B

                MD5

                42824eca5725e606fb725c9a72a73071

                SHA1

                6fb87bd130e9990c96e841b73b98991f748a8dbf

                SHA256

                81b0826c73dfeba49da8e65ab691544a78af78a7f987fee2f5df391cebfcaece

                SHA512

                69355597dfa0f5edca7b0b23c9f14eec7a1b4465bfcc6abfe365f8f182528e5e6ba4339691061375414c4e2beec7bf7ceaa461616e06f24606046e10f18bebf8

                Download Submit
              • C:\Users\Admin\AppData\Roaming\appmmlib\btpaedui.exe
                Filesize

                534KB

                MD5

                8541c3e5a2fea353fab1657575993319

                SHA1

                95383648af291e339dfa628a3950686e822e93d5

                SHA256

                4897564a8c3fd201eb272b044f8c17a2518e6cc10fa6d1bbff806b4f012805ec

                SHA512

                0ce82bf2397186e93d1f5f0f66576536dd66462d940b781a8e0f0e52041d3d3ca604dbfd15a3c4ee196780ecf23d9145edb997d9927a9f2261aaecb305ab7fe4

                Download Submit
              • memory/1664-18-0x0000000000690000-0x0000000000794000-memory.dmp
                Filesize

                1.0MB

                Download
              • memory/1664-24-0x0000000000690000-0x0000000000794000-memory.dmp
                Filesize

                1.0MB

                Download
              • memory/1664-23-0x00000000007A0000-0x00000000007A1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1664-25-0x0000000000690000-0x0000000000794000-memory.dmp
                Filesize

                1.0MB

                Download
              • memory/3448-60-0x0000000008010000-0x0000000008114000-memory.dmp
                Filesize

                1.0MB

                Download
              • memory/3448-57-0x0000000008010000-0x0000000008114000-memory.dmp
                Filesize

                1.0MB

                Download
              • memory/3448-55-0x0000000008010000-0x0000000008114000-memory.dmp
                Filesize

                1.0MB

                Download
              • memory/3448-61-0x0000000008010000-0x0000000008114000-memory.dmp
                Filesize

                1.0MB

                Download
              • memory/3448-27-0x0000000008010000-0x0000000008114000-memory.dmp
                Filesize

                1.0MB

                Download
              • memory/3952-38-0x0000026DEB9F0000-0x0000026DEBAF4000-memory.dmp
                Filesize

                1.0MB

                Download
              • memory/3952-34-0x0000026DEB9F0000-0x0000026DEBAF4000-memory.dmp
                Filesize

                1.0MB

                Download
              • memory/3972-49-0x000001C048FB0000-0x000001C0490B4000-memory.dmp
                Filesize

                1.0MB

                Download
              • memory/3972-53-0x000001C048FB0000-0x000001C0490B4000-memory.dmp
                Filesize

                1.0MB

                Download
              • memory/3996-39-0x000001FC36D60000-0x000001FC36E64000-memory.dmp
                Filesize

                1.0MB

                Download
              • memory/3996-43-0x000001FC36D60000-0x000001FC36E64000-memory.dmp
                Filesize

                1.0MB

                Download
              • memory/4544-44-0x0000013EB4CF0000-0x0000013EB4DF4000-memory.dmp
                Filesize

                1.0MB

                Download
              • memory/4544-48-0x0000013EB4CF0000-0x0000013EB4DF4000-memory.dmp
                Filesize

                1.0MB

                Download
              • memory/4612-0-0x0000000000400000-0x0000000000466000-memory.dmp
                Filesize

                408KB

                Download
              • memory/4612-4-0x0000000000400000-0x0000000000466000-memory.dmp
                Filesize

                408KB

                Download
              • memory/4612-2-0x0000000000400000-0x0000000000466000-memory.dmp
                Filesize

                408KB

                Download
              • memory/4988-22-0x0000000000400000-0x0000000000466000-memory.dmp
                Filesize

                408KB

                Download
              • memory/4988-16-0x0000000000400000-0x0000000000466000-memory.dmp
                Filesize

                408KB

                Download
              • memory/5012-54-0x000001E3AC840000-0x000001E3AC944000-memory.dmp
                Filesize

                1.0MB

                Download
              • memory/5012-62-0x000001E3AC840000-0x000001E3AC944000-memory.dmp
                Filesize

                1.0MB

                Download