Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
02-06-2024 12:54
General
-
Target
8e2474a8802e99e5628e547e3c54a1d1_JaffaCakes118.exe
-
Size
264KB
-
MD5
8e2474a8802e99e5628e547e3c54a1d1
-
SHA1
d1f78a844ca336d53bca545f49c19bc15fe43139
-
SHA256
31800f72d5064decba0418c0373cdffed2c79e40f2132be47e68f55bf73ed6a2
-
SHA512
dcb4fb40043d088a43f9973f7ed37c6206d92462c76d1fc0f8be22e56a64fc0a7ffe24735b67cc8dba25bac81e340d82ab7e9522e55baafc90f8999048725160
-
SSDEEP
3072:5fmYfcsfDfKaWVFEYyMp3cKAArDZz4N9GhbkENEkwt:shEWf9pxyN90vETt
Malware Config
Extracted
gozi
3468
google.com
gmail.com
majavontehm.com
bstacyr79ea.com
scandace79yy.com
-
build
214085
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
0x4eb7d2ca
-
dga_season
10
-
dga_tlds
com
ru
org
-
exe_type
loader
-
server_id
12
Signatures
-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SetWindowsHookEx 24 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8e2474a8802e99e5628e547e3c54a1d1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8e2474a8802e99e5628e547e3c54a1d1_JaffaCakes118.exe"1⤵
- Suspicious use of UnmapMainImage
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2956 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2892 CREDAT:275457 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2688 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:844 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:908 CREDAT:275457 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2316 CREDAT:275457 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5bd06646c0c0ca1ca76e0c6a1df4ac762
SHA13bc8ea6441b7c4133651a04adfab8d0960a3539d
SHA2569c91536468a552805339fcdc67c03eb49332423746b12212b5c133c631038fda
SHA512d29771768fd84d1292ad42ce3e5c18a39034d920c8d6fa6bf42ebd8edb908e797cdd6f5a024bbcccd13cd1f7e74f2de47cdd24fe07d31af5c81b49a6160eccfe
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5ebd0c68eb2480c47bf9e0dc991eb8ec0
SHA15282dc061bfef6b4f51f2a5785530f815c798bd8
SHA256124b2b250e19095ecf55507ec7f8fdb3710d393941487c28a36b49cc47786e20
SHA512836bdfded7d481ef656261a828894d099eb8040ad9e90fb3ac21be536e42ff3071aca1f71d9fcd3bde5eed40f9aa76c205cfe61afacb2c7148345d685881d1eb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5592bfd11cbebc184b2def5af82c354f1
SHA14a51d532d2dcfc0dd27c3f5388cf03fd870f126c
SHA256ab561850fd3f489b2a4df975664018ddb59d7759303b636f0612ff924fa0a26d
SHA51206fb1e15c623e5a82f33b4505133f667129c6d28e4257729527c93eb7e765fc67ea52c682e11c0b8a618b2e287883178ebad2a0dd8d829f47a05a72e2174ce99
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD59ef023012953a20d694da37edeec5f58
SHA1ebb4e592422d526e90e47651299eb514aeffc77b
SHA25655dc5f9a9ef12ad75fb323ab2cf05a25bda2bcdfb4a22e99b78d6034765cd69f
SHA51207c0a7074fb98a8d66b935f3911906a035c8d10bb356f0b9e629aae6aaae94b96ab74ed9dc8a132135d971ab2e274ac7685183d5d030706047fb4789fa323683
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5e1ef012fd513d35d982884747ea38b8f
SHA1bd505b6ea2417a788a99755a728b31b9c26bf0aa
SHA2560f1107b957747b49b25f92344403a48ba5216ee69e1908fa46920e15db3ecf5b
SHA512b772c2b5f18b0cc0a1cba62571058a237248cbfa93fbe6fa2578d01bbf4f044ae3fbf035b3e7fffd53fba5ecae6c7bc21fd8a6fc642066c6db70569c63d12ae5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5f594f8e5ae8861104c2543fdd0ad63eb
SHA18ddcb3924c28cdcf2d9cddfa8957cffcb5ca2463
SHA256e9b75f8c4518e76b031bba4db640eef6ccc4d46bc396726c1fd795b8a9fd80ac
SHA51233b733ae8bb86deb33e957b7c31e91ef7390fce68a00ba663a9e8c61e0ae7bd65d37f1fc13b40a3aa283bf41032c33b00086335ef1088e60e7a1dde290fa756d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD53ef240ee8d4c163e9eb5da3aa3bae4d0
SHA10f5771bf65a69f1264c7f9a381deb72eab388efe
SHA256c93ed6ff217d2ae0d30ca4507f9fc4758e467324f75947f5ffa0705e56591824
SHA5125b6c7e790fbb93113c49cb5e35fdaae32e6f33c34875a1128e42cd2e5addbddc413a71958d287524d244f0d89bd1f6225f0e6d50b14fbfcac296435c3f1bc0a9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD543c1a38d668bd8532df4b337d7822f6e
SHA1d69c99f8341f84eeba374bc149f05846c0366965
SHA256f41a325a3a2e1075a4594b20d1f87af77532b40e305f25a8b1ee8cc6a8f7d7c2
SHA5126fffcd360cc7024b6522138e8fb4ab7c548d235c51e941ca1af464d650ca4cf234de3916a474ba056d8b8b44a7a5f6f9548f70a20c09d26b50f3b6fbc82dd920
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IO0LJX84\robot[1].pngFilesize
6KB
MD54c9acf280b47cef7def3fc91a34c7ffe
SHA1c32bb847daf52117ab93b723d7c57d8b1e75d36b
SHA2565f9fc5b3fbddf0e72c5c56cdcfc81c6e10c617d70b1b93fbe1e4679a8797bff7
SHA512369d5888e0d19b46cb998ea166d421f98703aec7d82a02dc7ae10409aec253a7ce099d208500b4e39779526219301c66c2fd59fe92170b324e70cf63ce2b429c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVBQZB4R\googlelogo_color_150x54dp[1].pngFilesize
3KB
MD59d73b3aa30bce9d8f166de5178ae4338
SHA1d0cbc46850d8ed54625a3b2b01a2c31f37977e75
SHA256dbef5e5530003b7233e944856c23d1437902a2d3568cdfd2beaf2166e9ca9139
SHA5128e55d1677cdbfe9db6700840041c815329a57df69e303adc1f994757c64100fe4a3a17e86ef4613f4243e29014517234debfbcee58dab9fc56c81dd147fdc058
-
C:\Users\Admin\AppData\Local\Temp\Cab59E4.tmpFilesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\Local\Temp\Cab5A65.tmpFilesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Users\Admin\AppData\Local\Temp\Tar5A89.tmpFilesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
C:\Users\Admin\AppData\Local\Temp\~DF87ED1E6F6C357541.TMPFilesize
16KB
MD51b5b433448017956597f7ff747f264ba
SHA1ce5fbe5827c8701c653b2121ec36caf619441a3c
SHA256ad34f1a8e2ca50d98954fa060509d49d2a415a917ec6fcf1cfc735b12cf50fe5
SHA5129ce7472ef5fe76f14d414c983c99ee519ab8c6d89b04b888ddf8bf623f994df7e809284789feedfa8d2265b7f2cc0bfb659fb0fd176c3ac2886d211a6bab67bb
-
memory/1728-0-0x00000000005A0000-0x00000000005AB000-memory.dmpFilesize
44KB
-
memory/1728-8-0x00000000003F0000-0x00000000003F2000-memory.dmpFilesize
8KB
-
memory/1728-487-0x00000000005A0000-0x00000000005AB000-memory.dmpFilesize
44KB
-
memory/1728-488-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/1728-2-0x0000000000410000-0x000000000041F000-memory.dmpFilesize
60KB
-
memory/1728-1-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
