Overview

overview

10

Static

static

3

9f22f7eb24...18.exe

windows7-x64

10

9f22f7eb24...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    11-06-2024 18:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9f22f7eb24e53b538a21a5ebaccfb854_JaffaCakes118.exe

  • Size

    203KB

  • MD5

    9f22f7eb24e53b538a21a5ebaccfb854

  • SHA1

    7e200a13634ba61b647555f64e91d8d84a645ca2

  • SHA256

    f6b4227585fab1d5749dac5ee61b783fe682e2638f9877da9c9e0a85562f3676

  • SHA512

    9c75e8d3ad01cecf92aae870502a2f7865438bb2c922f52464f24ac730c4dbafaf7e0b759cfea4ebde11d1d18f342d19c507bbe01d94deb87da03c611ee5b481

  • SSDEEP

    3072:9Cji2dQ6v4uPXDNUj4jKBonzmLXlYVRLh0epEEZqkFBc4+uTqN76o:9Mdp4uPZzGonqXGXh0bluBc4GZ5

Score
10/10
gozi3162bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    215165

Extracted

Family

gozi

Botnet

3162

C2

menehleibe.com

liemuteste.com

thulligend.com
Attributes
  • build

    215165

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f22f7eb24e53b538a21a5ebaccfb854_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9f22f7eb24e53b538a21a5ebaccfb854_JaffaCakes118.exe"
    1⤵
      PID:2872
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2732 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2608
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:964
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:964 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2524
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2244 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2464
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:320
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:320 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2324
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:608
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:608 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:824

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      8596bfb0378ee8d1c570a1ce486ab523

      SHA1

      1aaba71b86a5479420c0f61d65dc1bd7c4f8c7a5

      SHA256

      988c402ad1f00a53014e63a3b26acd7b16216971d21de2378d61c5a8a31579ee

      SHA512

      039c69db700b1bedfaa177fa49ec262b2a1866485f392b823de75b4c78d13bc0d1e1f13f659ebaaed77a38a72f771dedebd58b05df7d830d1caf50f7822d9edd

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      365c480a7cee58d2160beb26f3ce65fb

      SHA1

      e7f11d8e955a7374aa8e9fc8725e49a29b3a5fd2

      SHA256

      8e4c1394507fc03e935aeaed593124db4ac35b80d6e0299baf52c9ee9cbe400d

      SHA512

      584f2c8f513972a920229038987170d83d811e582eb1907cb04ffa7dfe21460f74a2f80d28ac2af07f8faea6c4c34c1bb8b0258d55e4b7ddc2c3dd26d78114c8

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      ab60642f7207ca38c82e7c3ce6dc3613

      SHA1

      5fd75b6c8eab892018cd5f06bc87bb845a52947f

      SHA256

      6c1f705130a1a7a50a4940fbc448ca1f8f3c05908bac71a783c319e5cbb9d5a5

      SHA512

      f45676dbf6298bd75dcaec7c443f7bf4c15d26c6e3c79739e42490191ac88df4428e713e86f2d5ae1343b4dcf66c482eaef35fd0904b3aea27f842ecc067f180

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      89f4d8268c0466b62ed6c4fc32d92e2f

      SHA1

      ee34bd2405fb025fe980471236e3cf0bec08abab

      SHA256

      7a153e3cdd7bf31b15319d10b0fc87aa63e178cb742ea35567881b508f552215

      SHA512

      4e6280548ae25c93141572ea320a1b8442900a3779d8be98850f8d7ab9e3ad2cc646a65f46a4be88c94be47dc7b6d309aec82609504c5f3a01d5193412d07d0a

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      a6659d00648823157e9b992a1ab7c07d

      SHA1

      ebcbb6cf89cf17a316a4fb22720cc00808921f53

      SHA256

      54c7091ca613ae0b9a7de5df346a7f2b0177d29ed20808aed76acd5ec3afbda9

      SHA512

      5b3802c636418be40d74cbc3c2e700946381b1eac9cd9a81497e1f2dc8d922434cfddbd5b734102351cf5265b52302a8c0770ef147c538172fc1daa6223789b1

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      9dcf1f21d120e03293a0b9b9b3dd7bb1

      SHA1

      5dc7513846247396e90d17a9a2d6bc7ddfd7a350

      SHA256

      4da3d4bc1aa8a00325ef3b815233e627711bca75cc06921fee3607fa77a82cd0

      SHA512

      f08116baea47380ae49e78b3ee18fb36c0277de6ba1910b955e99d89ee7a996464bcecfc7fb25ef7aa1a225c27b0e611643813aca9b0e531e3e8e9e0f6aad37b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      5e27b4a88706593d8b0adc5449e79d57

      SHA1

      6c66c827284d1632ad974d98a979455ec6b5786b

      SHA256

      457232860127b33d74d0996f4de1773a3856a32f4190ceda3874f9bcd7205920

      SHA512

      1dddd3646dbf26518b1cbb09edfdaa3e0fdaf131275bcecfc8fd2cd34c9d300472ef3c22591c77a7ebf63c1117f477f8a92b692ddae0adf8823675d0718e0d50

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      fa8e38f8fb667598a03cba5f51d81557

      SHA1

      815cc9098116a059f02b0f8fa40a9e8ff86b87ba

      SHA256

      4bae9ff07b955895002f3c1d0b3f7643ce1f256138c1c5e05d4aacaaba8921b6

      SHA512

      0e71f49cedcb1ced8ea273e9d5696ae3b42dbe6a2ad1a4f5fe8de770898d07af7d5008aeb10a003ad765ff97b0072969dacfdb6a3cd5a248fe85f59f970d75d8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab9D2C.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TarA221.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DF6879D6095029AED5.TMP
      Filesize

      16KB

      MD5

      d3d1a05842cb50a9a7593152de90ef05

      SHA1

      ce15f4d61fe5063db6f3e7e0b73d0745a42a0732

      SHA256

      bb2745eeb37726147e909c59c3f66e9fa0c653e42c2ae2fa56e55487d3668540

      SHA512

      df79e1593ee8d9f6e8bffffb049aaa7e307338024a4d73dc364097ea1c78ddc347fd238fefbbe36767c9b00161c92918147e829c40b0dd3345ce90092a575c34

      Download Submit

    • memory/2872-0-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2872-8-0x0000000000480000-0x0000000000482000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2872-4-0x0000000000300000-0x000000000031B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2872-2-0x0000000000435000-0x000000000043A000-memory.dmp

      Filesize

      20KB

      Download

    • memory/2872-3-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2872-1-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download