Overview

overview

10

Static

static

3

8917246255...18.dll

windows7-x64

10

8917246255...18.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    141s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    01-06-2024 02:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8917246255464c041babe1b821d2441a_JaffaCakes118.dll

  • Size

    161KB

  • MD5

    8917246255464c041babe1b821d2441a

  • SHA1

    304f9514972fdc3106f0e95b5a7bbeac51eb1fde

  • SHA256

    1f489fc6703dd57a5d322a920c98c60b0a9be1168147e3ab1f0db8fa2ba03dae

  • SHA512

    9be13397919b74912670837c72c239ea04939f9366fddbdd4a27f1c9f75e0141fdd7c3e3c07baa9ec4824ca68411a2589d20a6beb7981d6498a2d5553232dd97

  • SSDEEP

    3072:7yZq5YskO4qMeR6Xi38vWp3ZzYvlH6lf3FAz8MubyrO:7LYskDQAT+Yvla3M

Score
10/10
gozi7225bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Botnet

7225

C2

porp53334.yahoo.com

web.plainfielddentalcare.com
Attributes
  • build

    250154

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8917246255464c041babe1b821d2441a_JaffaCakes118.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\8917246255464c041babe1b821d2441a_JaffaCakes118.dll
      2⤵
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2228
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2396 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1412
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:864 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1600
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2452 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2648
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1512

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    3ad0f25c84b614c41cfee063dab6a4d9

    SHA1

    889138dd08819621e56163d6d8b070ed359c6ab0

    SHA256

    819010b3049e28a8c61d5bdedee2dcc7814c21bd0efa99fedd582bb45c61df1e

    SHA512

    2010d0da544f52bd06d245ceb06d198fdd6f4eb32e0b32adfcf7714ad9853309891edca6052239d6f868c57136c7dc5c83b2edd8bc870d47e4d149dab6f021ae

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    c5b40d96fea648ff89010fd170792b6e

    SHA1

    e4399b0773623cd041a496cc553c902f87b9c6ae

    SHA256

    2e7388f8804b06c07f398b837a366f41da6b3cd50443598b795273f169ee5876

    SHA512

    dc939b79f0ec91e59191852df014a0c57fd589709faf5e8991f87b00fc605088ef31790bb97bbdce588a8fbe74ac264614eb18dd4e919b3dc3512099ea4899c3

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    2043bdc595757aa23b03cade690d5e10

    SHA1

    b01c0d6734d11f7107f753d6f48a39f1718de3a2

    SHA256

    6b415c0a4834a489f1d6ad0f06ca772bbaac0560340497deedfece418e7c8dbc

    SHA512

    09992475aef273d53f66dd896cf0f87854f752dc23e87bea4265ca211fbe69c35871804e6a26d925b7c68a7579d115e7f0b93d141b2f40657d1ca49ba36e9591

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f828316784f468fd86d3563b2129ace4

    SHA1

    7eb36e155c0f806b3ceadef620c6cecb47f450b0

    SHA256

    7edf6bd7f3a32724e2eb080773deecc3f442756f4c9ae95e9ad93782f47de205

    SHA512

    05629c8b2fecad123aba58d1ec84fc090542f38a7f34d98391c2a38986a7bb64d381173677d87dc3c2e5ed49a672df60e2a71a133a4d0d60a20e0914eb4e56cc

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    ec3a09aa44b126c5f10ff27ff032d882

    SHA1

    1aa7a308bf6335f46fc241837c5140756870065e

    SHA256

    533d500f5a256ff81ba1a510ee60dd628003fb89ed0d8cc28768e6f28f44f7e2

    SHA512

    ec93adf51a63bc34cb8249e7b3f7bb993f5b66f26d0828383b8e2670ce558d5b4c6214fdf8330ddde89b00a4264019dec35aa3245d118bf464fc553a1e8979f7

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f4774233beef20af31f32fb019b78f44

    SHA1

    8645819b778937145e548e95d372309b7e097e1b

    SHA256

    bb8057930305f30ba1faa7b339b51ba2d8df7321420c178782204d4efde9d438

    SHA512

    7c5aa20d275f1430f6aa70e801c0756e80ad997de3069c3a8ae4116d00e5ac00a3b5a58d17950f0c4aa68e32c418c67539ba8347b0d10c60a6d78be69a438697

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    4984308656e10c3277ce330cd54a514c

    SHA1

    74a5bf7fc9ea532b19ddf2fef0687ae6b0dd9108

    SHA256

    10df7b7860d2636ce06085078918865ce0ae6209c392bbb7726ae8a4017eef3f

    SHA512

    ba312e44d193d8231e2c2345c4f17fd42dab19bfe8616cc62eaf6ebb69736e9f6439022b07425db41a55531ec4e303919d2f29aa0e4e827952dbe6402bd57690

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    5aa07e2561b741e317411a58e676ed44

    SHA1

    c8998f6022c9b785968c4d4a2ad3db9dd5467977

    SHA256

    8653ae3e142eac454a1e71c5e20b043855e476674c4bc16cb0f001242b1e19ec

    SHA512

    2cf1d03af14e28efcd31cc9d74e0d07c858d9d9e0c245ea7e12bf1fb648195a15b0fa9dece1ce513af45382540194efc3fbf30d090a66803163c2cc200c11247

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    c8b5928ac4c2298a55a58be7eb68730f

    SHA1

    d559a8faddedc4151deef5e098e4d083ddf8fdd3

    SHA256

    2585ef7bb9498410d16c042b6c31cf2e3838a2aa244cffc1d10fc6345e3e474f

    SHA512

    d9d1985519ac8a61b8b8a960819d3e76d53c6ec946c359ffd5d001293a62b4119bc97ebbed126a678916e76458d6390404849fd8fe3d15e58bb058639e16dd10

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Cab9A4.tmp
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\TarA96.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\~DF2D7415EE13E307C9.TMP
    Filesize

    16KB

    MD5

    63a5532fe4a4260949ba20ad8bfdee47

    SHA1

    7427d92c771d77c7ea6940a994b4ab53c2303587

    SHA256

    7c5a3593ef234a7df6aec6cb678b0cad375b7567a9d4819067669925d83ff887

    SHA512

    b2ad605a61e2c66128c7da87657f19b7cb370b853ab9c65760131d8ac33eb0cad6f2e4ebed0774f8af9096e99e811f3a67caa932c80fe8828e7f66be2a6403fc

    Download Submit
  • memory/2228-0-0x0000000000260000-0x000000000029B000-memory.dmp
    Filesize

    236KB

    Download
  • memory/2228-6-0x0000000002650000-0x0000000002652000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2228-5-0x0000000000260000-0x000000000029B000-memory.dmp
    Filesize

    236KB

    Download
  • memory/2228-1-0x0000000002630000-0x0000000002640000-memory.dmp
    Filesize

    64KB

    Download