Overview

overview

10

Static

static

3

9b844705ae...18.exe

windows7-x64

10

9b844705ae...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10-06-2024 17:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9b844705ae1df6c6012708dd806ec953_JaffaCakes118.exe

  • Size

    372KB

  • MD5

    9b844705ae1df6c6012708dd806ec953

  • SHA1

    9fe73e85081a3d2b0d6172afea6c121f6c7d884b

  • SHA256

    699e3b175caf3f673fc0dae574c2e6a358cd2133f57c891f872bf3f00414f810

  • SHA512

    7602a3cfe78bbf51b2a1a38513b60faa5f56600fa165cf643d0a10c2203cf958a6ed55e23477e81e8b0daaa4ee0c9599675173988d360abf54a2845b2f4f29cc

  • SSDEEP

    6144:QfsvEug4/COMAIOVW3Uqz/HJpadR5FzrgF:QKEufaORxezE5Fz

Score
10/10
gozi3181bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214062

Extracted

Family

gozi

Botnet

3181

C2

bm25yp.com

xiivhaaou.email

m264591jasen.city
Attributes
  • build

    214062

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9b844705ae1df6c6012708dd806ec953_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9b844705ae1df6c6012708dd806ec953_JaffaCakes118.exe"
    1⤵
      PID:2676
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2580
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1144
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1144 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1452
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2772 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2540
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:344
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:344 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:540

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      96106d4726333a66ad1620f463ca6588

      SHA1

      9f9fa92674e11c96b9a0fe52e8281ee5e04a9cca

      SHA256

      01874a039286d30bd39519e4c45563a48d1e83db38b9790054b6aa8fb89f30f8

      SHA512

      008db301ca23992ee6848bcbe397a1f0630b187882e8aaf3e16736291bd96d3ee28500ae8984c3e378a2b2a8753f1f802ac59fb2791ccb3eba808c30686d54c4

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      023f91adf66ed4f98d5075c128383f6e

      SHA1

      e36c9d94625384564dfbbf291499480aa089dd3a

      SHA256

      f9e8c523befefc33f0933b4a47739e23db1f86df64ec70682051a6e6f64443d8

      SHA512

      85d5aeb6859d564571a6220a16e74120baec438efe11b5d1d49d75e84cf97987cc607e8f063b9a4317f8b04631dd9f55706b784992cf5fac09fea74ea0f4fe21

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      cd8992a6cf983aaa9b79999a48e17a08

      SHA1

      4038c25fd271da356f2700ddf60cc033c7ce524c

      SHA256

      03190e09eaefcce1fc62e4491257b124017103d834b633529466962a73d80cf8

      SHA512

      d876f09eddc162aa750d3da247214fc833e101ffd648f1b5d8620d6fab1e89cc0bbcc89ff0bf2ca8834c65a0f650d69b936205fe26c87d5d52e9577fd48db017

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      27bfc5860687b52df0ab2d8a55b55eb7

      SHA1

      1fabf01944c6c2b43c73576c36fc9ab012769c95

      SHA256

      a715086ebf5202d2e3cd40a86851415e5f09abaae0154925eb4ea371c18ca3d6

      SHA512

      826e1720dfdd6c01c18dd36ca789b3e627ec3142882c76a75ee9aea08a3e72d7cbe5c20793d8084103c45aa925f21d33b87b50135ecde7ab773e03b86e3f814b

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      49085f2da130303102fc550a6365bee0

      SHA1

      49667c8d1b76b3d4318855e6bc1338b73b4f4783

      SHA256

      41434ecf128a96b60c24f99de1852553164df5ae57512870cf3d83dfa75ce9aa

      SHA512

      339118138d838ff8d307d88b226a4aa012c24665541f1e6bbb7b45a888686c94b777f2a1c4cdad542ed80b434d3cac15bb12cc20d22197d238fce92fb5be5ea2

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      7c4592a84de3aeb5e59f862e81de251b

      SHA1

      1fb0abf8919eeaf34a46cc56e7fb043d26914cb1

      SHA256

      40b16c67ce06ae7999d89efe355e7060c8bfcdbf789e4a9ca7fe949f48bde14f

      SHA512

      f0431f2b18690ef819d2bb64135e203dcbe4d52eab33721be756b377731bc3f7ea98e4fbdd721f51d6a413eeb8a053cda531c0d0febb031076c646010e114e2d

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      f910bc3d5ba384ffd99c6ee9b61d4364

      SHA1

      0a2c3fd474ffb77f4f89b4300d9dc10f051a772e

      SHA256

      cc5daf2d7ecbf3cc9f2d4e5d0cee80b26ece31e70e52ab33e5befa7cb6b65d81

      SHA512

      25fd9ec8e7152c6303cf9f6f9eec5c255c92ea44be0035cfe4f50addf737c518f9d5694e122d5ef810897e710932685c94324a00cf7f5c9aceaf06b8e7ea8d36

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      e070b977e449a958a0cffd75b27b92e5

      SHA1

      3f6a79f02e20e8c2fdee5c006a346b787f292060

      SHA256

      d6e377d472fc798fb4293d692b5a0f68b9aff4ce6320437ad707a68a3d9d36c9

      SHA512

      fe26088f98e2da6400d69319a3ba1991e48832ed5f4c17a0df905aa5e661657fa9b16f2786e76f4eb1a422ffd5663921006d1e766d120ba64962407eb5e087f9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\CabE8CA.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\TarE9FE.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\~DFEA0AAEA6316E71F0.TMP
      Filesize

      16KB

      MD5

      afb23f0427801e5a6dbd775637e55387

      SHA1

      3b8ea11fa98513814e751cf7cde5ad6a0d28d8ef

      SHA256

      47765957eae270b8b9eab3a158c388e43e2dd2a21d520da90bec661793451cc6

      SHA512

      8412c2e66426fe301c0ca8fb11d1df975e693316b76e27cfcc42e464d1502b8efaf98c021679950d2f26c1696df83271f11bc490007bb2962ed1aa8bf944aa79

      Download Submit
    • memory/2676-6-0x0000000000310000-0x0000000000312000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2676-2-0x00000000002C0000-0x00000000002DB000-memory.dmp
      Filesize

      108KB

      Download
    • memory/2676-1-0x0000000000280000-0x0000000000281000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2676-0-0x0000000000400000-0x000000000046D000-memory.dmp
      Filesize

      436KB

      Download