Overview

overview

10

Static

static

1

856c9d9c2b...18.exe

windows7-x64

10

856c9d9c2b...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    31-05-2024 00:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    856c9d9c2b9242cdf2628fff86c2ca36_JaffaCakes118.exe

  • Size

    619KB

  • MD5

    856c9d9c2b9242cdf2628fff86c2ca36

  • SHA1

    578b1e772213dc4a75b0a46dd741b696825ebcfc

  • SHA256

    2ed935e2467bc6328f823151f104f52abc3ad9de772e7a0623c9e370816cf6ba

  • SHA512

    bbba44363e6d77708eb67a336adc485868b7461d66eea1c1cbdad44947938830b8cb94d10abe3f6e5715d723732e5719710d0b12336e660fe98005d9bc2940e2

  • SSDEEP

    6144:ZFApUH6tEtEtEtEtEtEtEtEtEtEtzeMnMrvwgLdbxAfYAK7zf:2eeeeeeeeeezqrxLYfY9z

Score
10/10
gozi90020242bankerrm3trojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    300900

Extracted

Family

gozi

Botnet

90020242

C2

https://vrhgroups.xyz

Attributes
  • build

    300900

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SetWindowsHookEx 28 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\856c9d9c2b9242cdf2628fff86c2ca36_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\856c9d9c2b9242cdf2628fff86c2ca36_JaffaCakes118.exe"
    1⤵
      PID:2196
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2548 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2740
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3028 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:840
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:632
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2192 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1988
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2300 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1880
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2292 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2744
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1952
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1952 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2072

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      32f6198ef28b8933b2900c5c2fef5af6

      SHA1

      c59cdf6d3e43267fa341b504260f6749d705fe11

      SHA256

      8c3f31a9c84fb4e48a06f9bc744044a450fad5c84a3b086190c7aa4388232960

      SHA512

      fa63c2a6012175ba3af3a3e2fccce97693734775b874422b1341da0aeda475eebbd50908a2acb77a8d9f6ffd9407af57f14dad8e843a59ae5c944039322ac42b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      501fcf897b6e23d8cc0dc0013a80071e

      SHA1

      be4f136710ed44fd7531dbbf0f3203feaa18fd7f

      SHA256

      dcb1b4d1a091ca9b82364b099dad88f39b682fcd8a2de653dd648de55c8689f2

      SHA512

      33a0161880dee2f44dd0f59739858e827b3702dd64ec2efafa0eb51d32497d5c0744a32dcf97b2e80a259bccf3f291feed3c76c8c574cf869983803abe1d30ce

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      18f22dfda6efa891b569debdf15b2033

      SHA1

      08fbbe709cbeef55b5de1ac2c4e85fc5e11da229

      SHA256

      e97c4f276a844d30db6be912c182e2b56122eb70a431641a0a06182a5f77592f

      SHA512

      835e3f7ba50b5fd8bb38c73d9087a147e5e912a474c16f972891503119463c1c42105d17962f5531de2eedb9c49d9539de21efc939e8def3a76e7079ba120db8

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      1146c6c38fea62ac7faba5ff3dacb314

      SHA1

      67be4eba06dba7abe3193df64fe91ea623c9f0f4

      SHA256

      66ebdf5db63919cb65c84b00451fc3482b33cd68a06434fb0a83a80a2562443d

      SHA512

      2b7e18d4b052f72e0c10ebbaf8de832189eef6d2363d4c3ed738bb801678ea1e27b3f44b3991f68e1a84d168b65faa66dede21eab6571aee8562e00dcfc3c94a

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      6280f4e0d953276eb4c2f74bd27878a5

      SHA1

      7e1872da9b6b6aa8821f6bb83300b5077d096aae

      SHA256

      7d2b407ba7bd6bbe3e47814ed236e69c4f40aa75c9848937007d568a5cbb9ebf

      SHA512

      15f8afb961be0e3b2b7613807ccbc2691cd58da1b4dc38779f8f47ff1c6228b63a7a2554f2c69d03b8b116a4018346471901f3ef5bd0c31539ea082ac66f9c4d

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      f03f53ccac612cfd50ee4867d482b75c

      SHA1

      4bd0db684bcc68f6b1ac3deba38d10a3b3d7fdbf

      SHA256

      d3f5ab7fcedea61d85c49eb89c9b6b58b95d767bba5b61b6cff86bba147b9ba2

      SHA512

      4c75d82da6a01a1d3608cc2791488f0cbae924f0dfaaa5292314ccf726122216bcc286731c88f3e27a642a6535e582e06796f365d0454bdd32e909fca47f26a0

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      dfaee434930f5733dd94881ed1e0c689

      SHA1

      5f3e045c7c1538571050dbb2a816ec5358e1fb1d

      SHA256

      ef1b043c5dc819b6f28c2c7ddc36ff287b36c44a81189761d694b0651855736c

      SHA512

      186e669f67f0bc71e29216ebd8fa1b1a23709f3749c6df056416f87f300b055b544c9ca52b66c498814e51fd21055e6e2543958e5d1962ee3b5c872cf481672d

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      7d3183d3686e11e6173e7f0f289584e3

      SHA1

      421a34e8f238426edbbd5e662bd02db62644bdb4

      SHA256

      75fdfed7438a6b1a01977947668bfe7b6df0566c61fe775885ddc13c79acae18

      SHA512

      243bd54c48abf9007ab282783d4cf90b3ce586d625f8a8cf0938bc7541eb3f2027c60b22e6a9959dc0f01a637ff7f88a6691b401f82a4aa76afdfddd03c09874

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      8d49a0dfcdf26a41e2ee54ecf7c4e5c2

      SHA1

      a991eb6b0df2b839c32a85b6e4ec1a03d6fbc3fb

      SHA256

      fa28f7b194e3216f231b0c28580e2422402f728f9206aef7dd1755966dcfacd2

      SHA512

      cc352604458033601070a65a8d54ef2964a47b6f8e073bebad6e174cf5af9706209a025d7af1a735bea05d43385b7c173fdf6ac3123288bfbe1bd6dc87ba03f6

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\dnserror[1]
      Filesize

      1KB

      MD5

      73c70b34b5f8f158d38a94b9d7766515

      SHA1

      e9eaa065bd6585a1b176e13615fd7e6ef96230a9

      SHA256

      3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

      SHA512

      927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\errorPageStrings[1]
      Filesize

      2KB

      MD5

      e3e4a98353f119b80b323302f26b78fa

      SHA1

      20ee35a370cdd3a8a7d04b506410300fd0a6a864

      SHA256

      9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

      SHA512

      d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\NewErrorPageTemplate[1]
      Filesize

      1KB

      MD5

      cdf81e591d9cbfb47a7f97a2bcdb70b9

      SHA1

      8f12010dfaacdecad77b70a3e781c707cf328496

      SHA256

      204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

      SHA512

      977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\httpErrorPagesScripts[2]
      Filesize

      8KB

      MD5

      3f57b781cb3ef114dd0b665151571b7b

      SHA1

      ce6a63f996df3a1cccb81720e21204b825e0238c

      SHA256

      46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

      SHA512

      8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab6A0A.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar6B1C.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DFF4B89E8F6E988918.TMP
      Filesize

      16KB

      MD5

      582f2260dc0edb71a22d9d2e57c48cbc

      SHA1

      7af4fefb8b479dea37752e90c6d43351d04de70f

      SHA256

      3ce3f72c4420b83caf9c55ff41923348a6767940caf93d0b595bb267e5a11e67

      SHA512

      ff7e55f6a9421966cfb8e675df5f5e9453013374dd44f036ab9ddabc50405a14ef2460a972d7c545d5057953bd90a32b7387fed6474d16bacc58155694de44e8

      Download Submit

    • memory/2196-9-0x0000000000400000-0x000000000049B000-memory.dmp

      Filesize

      620KB

      Download

    • memory/2196-491-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2196-0-0x0000000000220000-0x0000000000248000-memory.dmp

      Filesize

      160KB

      Download

    • memory/2196-1-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2196-2-0x0000000000280000-0x0000000000296000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2196-8-0x0000000000340000-0x0000000000342000-memory.dmp

      Filesize

      8KB

      Download