Overview

overview

10

Static

static

3

864edaf062...18.exe

windows7-x64

10

864edaf062...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    31-05-2024 07:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    864edaf062dd947ceb1a0ed4dbb320b6_JaffaCakes118.exe

  • Size

    372KB

  • MD5

    864edaf062dd947ceb1a0ed4dbb320b6

  • SHA1

    1bc8c35738d41daba02d42c7e83fd8bf50c9678d

  • SHA256

    edfe8ba1d4a1384b6d1028d3db5cf0e700b7d15a2af1513882086ecf4d81c5f4

  • SHA512

    21e3cdc07ffd06324f91bfb695831493d65e71107d1eaaaf914ad5d3b0306ea90fb75b2ee3eda6374c9ac98e0cbfd67d35cea617c692f35617aee83ed1a99c61

  • SSDEEP

    6144:QfsvEug4/COMAIOVW3Uqz/HJpadR5FzugF:QKEufaORxezE5Fz

Score
10/10
gozi3181bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214062

Extracted

Family

gozi

Botnet

3181

C2

bm25yp.com

xiivhaaou.email

m264591jasen.city
Attributes
  • build

    214062

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\864edaf062dd947ceb1a0ed4dbb320b6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\864edaf062dd947ceb1a0ed4dbb320b6_JaffaCakes118.exe"
    1⤵
      PID:1964
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2568 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2440
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:960
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:960 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2880
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1568
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1568 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2500
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2316 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2332

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      47f6ef1de5583fa736f0573107d717a4

      SHA1

      23016a01b2bc86108dcc55ee219fbe0461aab7dc

      SHA256

      54563760bae71cc5ee4d54ff27db16058aff67cd593db24629980385a7def9eb

      SHA512

      341ed4dae469110e3a0624d2ee4ad0fea32f668e50da4398dafb82105e8c4fd25315488e36274d53f6479cc64f9ee9d79cc93258cdf42f05bb22961adcfb5556

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      6d7de173907b568c0dc54c8c2a8cbac3

      SHA1

      4c965510022619ebf04d342ed73cabc60a58f205

      SHA256

      7414c2934cee5caf8f3e0bc27b5dda9ee1ede1d23b0617fd248a2ac17980de66

      SHA512

      c450333ae3c4b860f9a57299839865e5c8c6e05c3b764c6a1997ff418f70cd38ee42b0bb1c8cd2d95e19d904ba9a31459d984b8126f3fb9ff9c3b6107c4e39b4

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      ace4f7f46dc45fe534bd454f9ec9d2ab

      SHA1

      a98384e7b6bb8a19a4aa15f69349d91382719159

      SHA256

      5f8bfc16645246c4791270b01db5263ca510ceaca51cdee0b61d66afc7138e92

      SHA512

      040eede71c7bff5dfbbbe9ccb2e12a905ff39645261e44e65f7d1d04a305d61194d7d83d433d3382189b86a695a09b4c9c4c5e9ad2873f94e2e32e9bab921c1d

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      c227ce1afef93205aa949d6c8b48261d

      SHA1

      5b7708e8a9c224bf508c95a974895107eb0dd784

      SHA256

      0ad1994e459cc0247c322b7f3a29ebdb93ecec19c44520ebe419c1da34a04cc6

      SHA512

      744c6a3ba04836acfa6d41b0439790a2931e213b6d7ce9340af7007af9e8caef4c0b1961a4bc381583e4841620f2febdead5d87c06b27c903413797e07f256d5

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      9580f3ffc0e80977fd0d7c0ce71e28be

      SHA1

      df358a291de4c8e174a37d34b880073e126ec142

      SHA256

      ca02e8d9d0cef029d9fd08d4c9f623737176be881c83eebcbf466a047a80937b

      SHA512

      454e78f670e916327c8f070760e7edfadcd62fcfb5dbfd280a482c13560120654cb6e52f4c2066d79933640cf6ac64ad5b8d07dfab7ff47d3537cb3a93e93e17

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      ee950638f6335a5a1af84e437e28430d

      SHA1

      ef50dd6123782bca82e0f2d083df3b47860c73fb

      SHA256

      774b77081cac5432aa803fbf94b6d400fd26ca187ba4f0cc11b9dd3d2b99e96c

      SHA512

      26a86fb92b68340b2241ca4ca4b6a2537d5a246835214415911d245a105d7d05fe1b1f526484588ac19fead714087677a673d139d478665ffec5f63c5ad14cd9

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      83f469fbf52bad60ec8bc0403a17af3a

      SHA1

      4b9f2d972c6756028d3355f1c40c31e27506c5b9

      SHA256

      8f948b717c14de6c5138b4627f125dd59cc39c0b6deb95d62b5084d44c4a80cf

      SHA512

      d024c4a995865d6f1712228dc98a7098325b8fd2dab9e2b58d93135b9d51c6878a7957b9ceaf4eb5d54f2a5b9b9608ac638d65785721100090ebc7257e52b0f9

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      754254d9e027b1cf53ef64be63c7a78f

      SHA1

      2c2a4d47e46a98673e75edf9ff99aa45c85a66e7

      SHA256

      6cc234a4e6cc64ff2e396cbd8461bb7e99ea5e82452f6889ad474dfca7a22cba

      SHA512

      ffe14f45030565a0ea3b9726492065d882fcdd3c8c55404db66ead47b9925a5b43e5c3ca66c70110cfec33fdd7c42387e8cb9b77d9cbfea028c7790c5859656a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CabBED0.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TarBFA1.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DF38C4F6D65A17F70D.TMP
      Filesize

      16KB

      MD5

      6bd9ed4b37c46041d2679c47bf0a47ac

      SHA1

      c6ed26f8f9718ae3420a1b472115b99d37a83169

      SHA256

      7658b5e5aa607b38eb1b107597a58840aece4d35b37b088c08b7fcddb870bb2f

      SHA512

      b558e08690ab32c0cf149272b53eddf4a975727dc2645364d3d41b92e744b67fd04eae601b8b637ecdf1800808821b0b393d9144a1d1fbe9c8ca0bf70e111bdf

      Download Submit

    • memory/1964-0-0x0000000000400000-0x000000000046D000-memory.dmp

      Filesize

      436KB

      Download

    • memory/1964-6-0x00000000003D0000-0x00000000003D2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1964-2-0x0000000000330000-0x000000000034B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1964-1-0x0000000000300000-0x0000000000301000-memory.dmp

      Filesize

      4KB

      Download