Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-06-2024 10:45

General

  • Target: a942bab59da20af633ef31181f1461b9_JaffaCakes118.exe
  • Size: 1.6MB
  • MD5: a942bab59da20af633ef31181f1461b9
  • SHA1: 62d83462a712b57da09d38b6fbec011791699c3e
  • SHA256: 7bed588748563cc4a16bf05bb7e04b951a5c3422e9798af129586d484c087c49
  • SHA512: 08e8840d07f75a466cc722ead1c649040a8e515cc214d3476b066591435fb97433b77cc39119cf7f6efd15399fb07811b6e68af3ac6d188e7d38d80213cc9a9c
  • SSDEEP: 49152:iB9NjHLDKvHd5GY++tqg2FsYmWVvP+FeBG+VBSaL12xN//Gag8:iBzHLDKV5GCtqgGsYmWVvP+FeA+H0xNn

Malware Config

Extracted

  • Family: gozi
  • Attributes
    • build: 214107

Extracted

  • Family: gozi
  • Botnet: 3531
  • C2
    • gmail.com
    • google.com
    • k55gaisi.com
    • leinwqoa.com
    • bon11ljgarry.com
  • Attributes
    • build: 214107
    • dga_base_url: constitution.org/usdeclar.txt
    • dga_crc: 0x4eb7d2ca
    • dga_season: 10
    • dga_tlds: com, ru, org
    • exe_type: loader
    • server_id: 12
  • rsa_pubkey.plain
  • serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Modifies Internet Explorer settings (1 TTPs, 64 IoCs)
  • Suspicious use of FindShellTrayWindow (5 IoCs)
  • Suspicious use of SetWindowsHookEx (20 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a942bab59da20af633ef31181f1461b9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a942bab59da20af633ef31181f1461b9_JaffaCakes118.exe"
    1⤵
      PID:644
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:4488
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3208
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3208 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4856
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:624
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:624 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3320
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4284
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4284 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3096
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2840
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2840 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3100
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4572
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4572 CREDAT:17410 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:5104

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
        Filesize: 1KB
        MD5: 5eaa9902dd28d9f691e7047b2aef4f4c
        SHA1: 8041448f3ae60fc2a27d4e679a98e381cc1bc54d
        SHA256: ae964a6edefed2e02ef6481b9d263bf474ab11b8207c0250a69c0aefea4617d1
        SHA512: 24200cca9f70e0c6535d1bb1a0214174ee3cfd1e841ad4269989fb848380d42a8b0f8d50f423beb975b594e4a246be4e59bc5429abfad3b535c92ce1f37fb223

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_DED764EA9DDA5AD0962FA05282F27527
        Filesize: 471B
        MD5: a1c622aa67c36bcdd539a069c186974c
        SHA1: 09107b978bde4946ed6d26b3fa71fd5c64b1a795
        SHA256: 6292ebd4b8899037e02026e8466bf24e435dea80d61e4720e31f9d5d0a944a2c
        SHA512: 0a9bbba2d018aeabe16862ba693de9f148bbdfc1ad2509d99938c329678c83d7ea6274ee14b09fb691c2988f7f34519a6e911e2803b5e00a70f630856ed47033

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
        Filesize: 724B
        MD5: ac89a852c2aaa3d389b2d2dd312ad367
        SHA1: 8f421dd6493c61dbda6b839e2debb7b50a20c930
        SHA256: 0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
        SHA512: c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
        Filesize: 410B
        MD5: 755886a72b83429cd6ef0025e215c17b
        SHA1: d181f171b39aa0869e4ac981a63969e40679bf4a
        SHA256: bb94a6f71583eeeb58072375de2692da1328c2f5770a439e896dd55d66da71f7
        SHA512: 8b4fb8f3ef234a70dbbb9644c74bcca52e5c36df3e8650edd59f33fa0d9f6f91961410e02bc5810542ab50ddbfc0f71da96fb4ead081ed0a41f80cd8b4f32894

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_DED764EA9DDA5AD0962FA05282F27527
        Filesize: 406B
        MD5: fd260d1dee977a4dc6472c8f9baf86a3
        SHA1: e669da5e1fe60baddf2177333ee13f3f3c15310b
        SHA256: 7f3ddf6e4b286ea37d421bbf6fd7388eedeca7400a586345ffdfa14946d4118c
        SHA512: 6ca0d474a387f179d2dccef2f04774f265f15fdb71eb78654c3df2ee366fb650d898b13491735bcd1a5cfd0ce28e881341d7a1602715d9ae91ff6bc8f811b9c4

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
        Filesize: 392B
        MD5: 0cb880eadb7a427df87b90c3c0897b02
        SHA1: e7dfd916b1ae08da8b50acc1b19a8b228782a543
        SHA256: 599a87e088bf54bcdc4bfc053c7d1c4d87dcf014527722a51560c3b232f3b9f4
        SHA512: 13a6155d04d8e1ad57c4c433da8c5c1cfa8eba7c8b2eff1bbca13cdf774d355949a51463970a2323a0a3ca62e45a84d788230402b9209fdbf30e172f9e3accc7

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NNUT9QBP\robot[1].png
        Filesize: 6KB
        MD5: 4c9acf280b47cef7def3fc91a34c7ffe
        SHA1: c32bb847daf52117ab93b723d7c57d8b1e75d36b
        SHA256: 5f9fc5b3fbddf0e72c5c56cdcfc81c6e10c617d70b1b93fbe1e4679a8797bff7
        SHA512: 369d5888e0d19b46cb998ea166d421f98703aec7d82a02dc7ae10409aec253a7ce099d208500b4e39779526219301c66c2fd59fe92170b324e70cf63ce2b429c

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TUGBEKKF\googlelogo_color_150x54dp[1].png
        Filesize: 3KB
        MD5: 9d73b3aa30bce9d8f166de5178ae4338
        SHA1: d0cbc46850d8ed54625a3b2b01a2c31f37977e75
        SHA256: dbef5e5530003b7233e944856c23d1437902a2d3568cdfd2beaf2166e9ca9139
        SHA512: 8e55d1677cdbfe9db6700840041c815329a57df69e303adc1f994757c64100fe4a3a17e86ef4613f4243e29014517234debfbcee58dab9fc56c81dd147fdc058

      • C:\Users\Admin\AppData\Local\Temp\~DF709D76F65891B051.TMP
        Filesize: 16KB
        MD5: f95f3f543a841ec54fe5dbf9e01a7a68
        SHA1: 33c836b9b8dc128df6a9d0c8e835ddbe9440ebe2
        SHA256: d15570308e117a9ef4440a540425898884d64f2057f65ba58131ce0b711bac71
        SHA512: b7d6864c0521b5de665c835898f385bb1b30b9f32a3bbd1f0541660f76ca86dd2a9b15e0eb80813926083313cf0346f73e910e15d47dfacbce2adbb980ddece1

      • memory/644-3-0x00000000022B0000-0x00000000022BF000-memory.dmp
        Filesize: 60KB

      • memory/644-27-0x0000000000720000-0x00000000008C8000-memory.dmp
        Filesize: 1.7MB

      • memory/644-1-0x0000000000892000-0x0000000000895000-memory.dmp
        Filesize: 12KB

      • memory/644-2-0x0000000000720000-0x00000000008C8000-memory.dmp
        Filesize: 1.7MB

      • memory/644-0-0x0000000000720000-0x00000000008C8000-memory.dmp
        Filesize: 1.7MB