Overview

overview

10

Static

static

9

ac34e785da...18.exe

windows7-x64

10

ac34e785da...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-06-2024 00:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ac34e785daccade32f152a760bf27236_JaffaCakes118.exe

  • Size

    908KB

  • MD5

    ac34e785daccade32f152a760bf27236

  • SHA1

    403e478985ae1da11fcbddc12348ed6ff24ac282

  • SHA256

    812d0a87ea330ef9a8a4efcc5c87d23b6ad8b1484286c3eb4c12f2ead0917c0f

  • SHA512

    2542bef1450fd24d0e8321b77920ae62e8dd072736f33fbd67eece97386b403ee302e324b3f22eb3814d23afadbd30c0f11bc6c2e50bcf728724bea0a67ceb31

  • SSDEEP

    1536:tV7RSS9YSCSISCShSCSxAGzsCTXYtFBo45GQG770gSvc1RIVLmyLmRgRLuLkutb+:JuAGBTYzGHsNv6xgRK4VljQaeA

Score
10/10
gozi202004141bankerrm3trojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    300854

Extracted

Family

gozi

Botnet

202004141

C2

https://devicelease.xyz

Attributes
  • build

    300854

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SetWindowsHookEx 28 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac34e785daccade32f152a760bf27236_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ac34e785daccade32f152a760bf27236_JaffaCakes118.exe"
    1⤵
      PID:2440
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3808,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=4180 /prefetch:8
      1⤵
        PID:816
      • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
        "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
        1⤵
          PID:1536
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1424
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1424 CREDAT:17410 /prefetch:2
            2⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2564
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1424 CREDAT:17416 /prefetch:2
            2⤵
            • Suspicious use of SetWindowsHookEx
            PID:456
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1824
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1824 CREDAT:17410 /prefetch:2
            2⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2744
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3020
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3020 CREDAT:17410 /prefetch:2
            2⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:432
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4476
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4476 CREDAT:17410 /prefetch:2
            2⤵
            • Suspicious use of SetWindowsHookEx
            PID:1440
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1216
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1216 CREDAT:17410 /prefetch:2
            2⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:3184
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1360
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1360 CREDAT:17410 /prefetch:2
            2⤵
            • Suspicious use of SetWindowsHookEx
            PID:3888

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FUP7PRY6\NewErrorPageTemplate[1]
          Filesize

          1KB

          MD5

          dfeabde84792228093a5a270352395b6

          SHA1

          e41258c9576721025926326f76063c2305586f76

          SHA256

          77b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075

          SHA512

          e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QZRYTBAT\down[1]
          Filesize

          748B

          MD5

          c4f558c4c8b56858f15c09037cd6625a

          SHA1

          ee497cc061d6a7a59bb66defea65f9a8145ba240

          SHA256

          39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

          SHA512

          d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QZRYTBAT\errorPageStrings[1]
          Filesize

          4KB

          MD5

          d65ec06f21c379c87040b83cc1abac6b

          SHA1

          208d0a0bb775661758394be7e4afb18357e46c8b

          SHA256

          a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

          SHA512

          8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RD8M0ENG\dnserror[1]
          Filesize

          2KB

          MD5

          2dc61eb461da1436f5d22bce51425660

          SHA1

          e1b79bcab0f073868079d807faec669596dc46c1

          SHA256

          acdeb4966289b6ce46ecc879531f85e9c6f94b718aab521d38e2e00f7f7f7993

          SHA512

          a88becb4fbddc5afc55e4dc0135af714a3eec4a63810ae5a989f2cecb824a686165d3cedb8cbd8f35c7e5b9f4136c29dea32736aabb451fe8088b978b493ac6d

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SYNNS6ZU\httpErrorPagesScripts[1]
          Filesize

          11KB

          MD5

          9234071287e637f85d721463c488704c

          SHA1

          cca09b1e0fba38ba29d3972ed8dcecefdef8c152

          SHA256

          65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649

          SHA512

          87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\~DFC67EA3053E29CFD1.TMP
          Filesize

          16KB

          MD5

          2d1a91580527c6a9ebeea8a1e94892d7

          SHA1

          1b86a14f14f94ba5a2e875e2265fc76ae2d2cbf3

          SHA256

          92f0dd4ec9593667cdbee67f82a7249e555fa7dae180d1d85da45c9bedd46af0

          SHA512

          fc7cbba281a66054b848afc9c76b03798b8296884530ece2578efe8db868954d00723ea86098d8685cc36c13505137118a9ca5e6f7b66f6973833a9b1948d428

          Download Submit
        • memory/2440-0-0x0000000000610000-0x000000000061C000-memory.dmp
          Filesize

          48KB

          Download
        • memory/2440-1-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize

          60KB

          Download
        • memory/2440-2-0x0000000002110000-0x0000000002121000-memory.dmp
          Filesize

          68KB

          Download
        • memory/2440-13-0x0000000000400000-0x00000000004E5000-memory.dmp
          Filesize

          916KB

          Download
        • memory/2440-24-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize

          60KB

          Download