Overview

overview

10

Static

static

9

91f8ab2d1c...18.exe

windows7-x64

10

91f8ab2d1c...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    03-06-2024 13:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    91f8ab2d1c10ae16706ee3c25cf0558b_JaffaCakes118.exe

  • Size

    908KB

  • MD5

    91f8ab2d1c10ae16706ee3c25cf0558b

  • SHA1

    4490fd41459cff0accdf6d286c3a1668bbef0cbb

  • SHA256

    a184f2ee20d223067e3816d065972f19ba8e5fe70b3ce4eb88216039c0ca66e2

  • SHA512

    231dd9f89a3edd351ced610a8e449aa407d047b180c4a6a8f410b098ed617270975ff85ea2cb544dacdf9f00bc929c36905154aed4be98abb5772fe5138f1a45

  • SSDEEP

    1536:tV7RSS9YSCSISCShSCSxAGzsCTXYtFBo45GQG770gSvc1RIVLmyLmRgRLuLkutb+:JuAGBTYzGHsNv6xgRK4VljQaeA

Score
10/10
gozi202004141bankerrm3trojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    300854

Extracted

Family

gozi

Botnet

202004141

C2

https://devicelease.xyz

Attributes
  • build

    300854

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SetWindowsHookEx 24 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\91f8ab2d1c10ae16706ee3c25cf0558b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\91f8ab2d1c10ae16706ee3c25cf0558b_JaffaCakes118.exe"
    1⤵
      PID:1612
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2660 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2752
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2660 CREDAT:1979399 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:848
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3008 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1900
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2700 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:880
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:724
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2524 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2840

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      a47abdb6986d5d321940c8b2ff3885ca

      SHA1

      9f8f083af67fccace09bb7bbb3f64317ebef8a61

      SHA256

      5b6f6bb62492e2d495fca6a4af1b6de6494c1e4abd34a44415c021abfc64ea88

      SHA512

      608e177123133c06a8b394ed8c7e245a687cd02dee097556b112583cda1af4976640118db1f8c425b82d705d47228fbe0dae7769bb078444d2d0b81fcfb52518

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      1d58c0568859d428a6658f69c7f0c926

      SHA1

      e9c50ed5029a28baa5d18793b5f53b11b1b6dd5d

      SHA256

      f7587bb7ec13f9db400793a4f7598db3a9d6bc5e115eb6dbeae2cdd9b553ee63

      SHA512

      34f8fba29415ee4a52b9871727a609067c7c63906cf54d372f7ea032f1fb72628dc26b70b0361fe452934c520cdf59c4cfa8d624c31d8e8e3352d56bb0f01ecc

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      57111ae5e217cef362df7d15c6bd9a08

      SHA1

      1abdd639ed05ef6498f64ec9fc21c2b4495b13eb

      SHA256

      56d2aff9920dc7ae4e8b432b5d49c8f420e17cc7f039b1420613cf8d3e898d34

      SHA512

      e87ee80e4c28e5e5614829431e3a47f633d02b35a11273da9ebb4c4c193c2fb7ab912182b73a75e96bd2e665c1e3d540a66a39f7fc9e04733c407bc5fd4c854a

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      7fef86babc68519e0773e15521e4cb3c

      SHA1

      6d9b82dcf8193222f841e19476402009a157939f

      SHA256

      d05edc1efb52ca88a960a0dca3a1212daa055fc0300510a71cf8ea76509e9f6d

      SHA512

      9d5da3318279011d46e4ba94cf0b83c2b836fa6c9fd8110b276af882af7dcf0ea4fff49834bba662c7f60020f7dd6c2bd50fd878239b745158a1262eaffebe65

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      eedcb6eb81192a75da20fd73b14c0116

      SHA1

      e4168b9c224eeb6fc94fa4808b28e5cbde0797c3

      SHA256

      701ab386e643ae3638c40c146331def82c6517fee89fb6a58b88ce787e6acfe7

      SHA512

      0d6df569dafeeeedcf3a1856b5bfba18add9cc897121921bf67c0930bc5639513b31a88a375e129da25c24e21c043078e41ab243b16a9ec0d857d1ff8545d4fc

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      7569c11d688bcc4f893d5d3250362402

      SHA1

      2bb836da0e0a4688cd16a88d5eb88581df5222f4

      SHA256

      fb5553122ffd82afe043c4ae04a82d3c432f80b29df1fc140e3cfa8ca1db97f7

      SHA512

      6d932a061e0e61978585fe4f5a436593758db9108ab663e8880c02c6a857e5ba71ac6cfd38b53f0961885bd722e966886635105325f41f7cf57be278f8f1622e

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      0d3d1dd778f8487a2346339e969723ae

      SHA1

      1f4f0b4ae6017ec8179a4b331ffb5cf1a1ce7769

      SHA256

      9d07c6c46789f29f88f85a476836966442eae9f8c1d818bcaaec59a1d948cd17

      SHA512

      d4af06134e3b1a030042f94bec7ac785eaa9813e4e0956130623fb44f4e7720e96ebbaab95b4ead4e8ccf918b462940fcd1b609b24f5ff4a7f8542c3584619bc

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      442a3453e07ef1d2916ae6970c76d2d4

      SHA1

      26776672181bdc28c269665541948acd03251f74

      SHA256

      c8e117c808f60099d2d24bc71ba8e431955e4b6a8b605f67601c966b30ddad7b

      SHA512

      a59bb1691732b3152a9f287a8b605498e8894d4bb04dfd5ebf331be224271224a31e27733e8f3b2384954378d2ca05c2202dbc7f46e57e0ef4a56e6365b38903

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\52G8PVLC\NewErrorPageTemplate[1]
      Filesize

      1KB

      MD5

      cdf81e591d9cbfb47a7f97a2bcdb70b9

      SHA1

      8f12010dfaacdecad77b70a3e781c707cf328496

      SHA256

      204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

      SHA512

      977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IO0LJX84\httpErrorPagesScripts[2]
      Filesize

      8KB

      MD5

      3f57b781cb3ef114dd0b665151571b7b

      SHA1

      ce6a63f996df3a1cccb81720e21204b825e0238c

      SHA256

      46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

      SHA512

      8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MEFTDE7Q\errorPageStrings[1]
      Filesize

      2KB

      MD5

      e3e4a98353f119b80b323302f26b78fa

      SHA1

      20ee35a370cdd3a8a7d04b506410300fd0a6a864

      SHA256

      9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

      SHA512

      d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVBQZB4R\dnserror[1]
      Filesize

      1KB

      MD5

      73c70b34b5f8f158d38a94b9d7766515

      SHA1

      e9eaa065bd6585a1b176e13615fd7e6ef96230a9

      SHA256

      3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

      SHA512

      927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Cab5B1C.tmp
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Tar5BC1.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\~DF20BCE41BE558A6B8.TMP
      Filesize

      16KB

      MD5

      6975648241ad9611a80a7675c57ee766

      SHA1

      22b35516940e52b8dacd7a63eddd78965515a240

      SHA256

      b5ada4679c271c6ac93536b8830cc5942d160733a6a462915399c30d4ed9349c

      SHA512

      30bbde68e106d417a72ddc4dd57da48ddff18a978da2e70a846bf2098c01501933ef5ec35a2aaa23de4dcd08a6973ae77c7643447045b65e4ff840b866cdac1d

      Download Submit
    • memory/1612-9-0x0000000000400000-0x00000000004E5000-memory.dmp
      Filesize

      916KB

      Download
    • memory/1612-497-0x0000000000400000-0x000000000040F000-memory.dmp
      Filesize

      60KB

      Download
    • memory/1612-1-0x0000000000400000-0x000000000040F000-memory.dmp
      Filesize

      60KB

      Download
    • memory/1612-0-0x0000000000220000-0x000000000022C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1612-2-0x0000000000240000-0x0000000000251000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1612-8-0x0000000000280000-0x0000000000282000-memory.dmp
      Filesize

      8KB

      Download