Overview

overview

10

Static

static

3

95f3b9b1e5...18.exe

windows7-x64

10

95f3b9b1e5...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    04-06-2024 19:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    95f3b9b1e5b61fb464b230ecf1d7460c_JaffaCakes118.exe

  • Size

    485KB

  • MD5

    95f3b9b1e5b61fb464b230ecf1d7460c

  • SHA1

    acaeae790062cd29b0a6becf43a335c85a256830

  • SHA256

    60dbe14b2e1d09d05caa3119170ebaed8f66b115ada3054ecab4db4396a66a31

  • SHA512

    b551dec9be7c23d781b789474acea71caea8783477d65f60d6868cf3765aeb1149dca10a1d08e5d5f72a675f011db418fe2ccc8518426b0c52fe77be23ab374c

  • SSDEEP

    12288:mD9UDevpMtdoe83GWLh6iVMGPQtYLwqYZy4e:hiq/H8hh6O9QtqHYZS

Score
10/10
gozi3140bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    215165

Extracted

Family

gozi

Botnet

3140

C2

isatawatag.com

bosototsuy.com

atamekihok.com
Attributes
  • build

    215165

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\95f3b9b1e5b61fb464b230ecf1d7460c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\95f3b9b1e5b61fb464b230ecf1d7460c_JaffaCakes118.exe"
    1⤵
      PID:2172
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2392
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1968 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:568
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:240
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2384 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1176

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      aed1b15f67ab5b6ff6a989b3d6098595

      SHA1

      260a8354da5f30cfdc9e725eecf7298282e5ee55

      SHA256

      6b88e83d66d5e71c896eeb25213297fc280c10d94ffe6d0c8609e8be7505873b

      SHA512

      4dfc951519332b1d3e634737b2fa1eaa7baa2d9aae6cd31b257a8e66188f43f6b0a325610146875a25e6c8086fbb9974677cfee149b99c5e6ea3ebbb24e3c60c

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      77173ec63279beefc3dc719f81ea5038

      SHA1

      30e96e0841017dba2167064171bceaa21a5dd1e5

      SHA256

      e47a0105d6c7bb85328027e0afad3e171ffb09ef170042ee82b6eab8f7b6f5b0

      SHA512

      31dbfa41e03d36d5a2f0d6cce6546c652d2dc96883ae60ce9999a63c44c762fd6f35f3485e405197301f77b0712ab238cab7161431a28178d2ea3dbcc10a3627

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      737922a373ce8795689198c3cc910c78

      SHA1

      cd49c3c072feeca0a97ca701d0066b5fae33b78f

      SHA256

      e3a678bad90b5ce1596b3922bdacd556e78fada847a72c87110edcf4007afb10

      SHA512

      2cb1be321aa26a70a4794a5fa0ecf03676b453a247fa328fd923edd4705021ef97841a5f2d72b2a7b78acdf278b8681ba793ae43bd6e0fccf12620f9da7401af

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      1f799a47a5a3465aed368eaf2dfd9216

      SHA1

      fba25ae940d154382b803aa7092e42a3b25e254c

      SHA256

      bc7198cf8a54d81c22bfadf2af83819d54fbd475f27d27f850636eefa471de3c

      SHA512

      ed8f73a8b014a3b159a6daae0503eef68a7f83d38c499410b242592839ae80f63c449b7595aa39000328211494e0bffe91c018bec5900aa2b7019807c366c48e

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      94cf59e68b0bd33d5f1cda78a1b46c69

      SHA1

      5155eb77e74388017ad03cbdc759de125a6c8f2c

      SHA256

      5686e476878e897633bc8e36e2424a0eca03bd945aa9a4eed7d1ede58b515620

      SHA512

      46730d045617efe9b366f0123f28ed03421c2f1c98a5271998e9c4f27c893ee05632f13531410d0e9eee95d222909ca2be9f86244d93228f473677769407060a

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      233ca80d0541fe8eb45bad121345661b

      SHA1

      504f971dae42e2dca171862e7a92ca25522eae78

      SHA256

      ae809a2a9007c9546455dab85a2b7c222174a4e4e25c246c917e14a07f306558

      SHA512

      55853a520af0d9ab6fa2132609239e8038422bd7d9daef903bc9968464ae8897ad79b30a7d0436070b2d524c1696ebbc56ee84c18cb09bffd3b24fc4606f8b80

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      13d683b619867c0eae5fc00fb733aad2

      SHA1

      b2e52560ce38e98f5eb4887ed82e9f41f30c668a

      SHA256

      d4417a265007143916c3791f13ae363cea9f80f18cad1eebf2032b45210b3ebd

      SHA512

      2668d74f1d741ccc1106b8a9e68c4a025b4ccca4bc630a7f91b18072ec21b095f91287d90a65f2d923637791389a7f2e39654b151db5b3733d5eb39fc42f45c8

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      8ad4a88a82fbb3875ca787e0013001d0

      SHA1

      46c4e706f57c388045e168189846a53a43e6275f

      SHA256

      2b92b515c7b1051823824cf4da8f130c8dfa562c2b264a8a098cfe774a644efb

      SHA512

      db4be6c5df0ad183660a3ea3c4b67991c08ba662b9b7ec06df3047212add1edda083a81ca406299699364a429cd420964960638f7b37e3ed002464dd2189a700

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      14949b1ceb81a08cb14022ce2c389dfd

      SHA1

      531e7cb3d1edfc00cefc15dcafe0fb4ba761880a

      SHA256

      f78386d609407c238268f7922d095e7d0d6840f2c926eb1105d0bb1f29efd0b9

      SHA512

      e34e0fef2e5154d84e6c1bfdee0ae1476c94e3adbe52b367cad9701476048930cd6f121fc45070c9ea3b49dae5629110307f36fdd6b2be7e6832c71840cc0f2f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Cab2731.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Tar2833.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\~DFFEE340015E62A9C2.TMP
      Filesize

      16KB

      MD5

      7cee3039b0129afc2e6d857a1aad8223

      SHA1

      0322a65755b61dd72e2ca6e57d98a1ba0eeb542f

      SHA256

      461bd550379a7b2df65e0cd103de922613e17f55bbd854a92be602facd29df15

      SHA512

      94378fe035ee59eee9a929a8bc1c9eff0eae90a8bb6961ce85ebd25670b7d1c96f8ea015fd9fc673f218d30740088a7edb0a2e197ea720ca33049af3c2d75df1

      Download Submit
    • memory/2172-98-0x0000000000080000-0x0000000000081000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2172-0-0x0000000000080000-0x0000000000081000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2172-6-0x00000000002A0000-0x00000000002A2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2172-3-0x0000000000160000-0x000000000017B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/2172-1-0x0000000000F70000-0x0000000000FF4000-memory.dmp
      Filesize

      528KB

      Download