Overview

overview

10

Static

static

3

b4c988a942...18.exe

windows7-x64

10

b4c988a942...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    16-06-2024 19:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b4c988a94242af0afe8b6b367f032a8d_JaffaCakes118.exe

  • Size

    203KB

  • MD5

    b4c988a94242af0afe8b6b367f032a8d

  • SHA1

    c576a66700914ea941f1cd8406a3f97d4ead0bd7

  • SHA256

    e7ea99b780111336c9a8c301c18e9d93ef7d13eace98fe3bb9d844b305736316

  • SHA512

    3fb5309d9f7e1547b7349cf241a9c3cb7cd0f934f751929d125d687467d5ea5fe180fbae1cd03e64502dca999e6b39e3f3a0b9be0782f4128fa96904e323d8e3

  • SSDEEP

    3072:90ji2dQ6v4uPXDNUj4jKBonzmLXlYVRLh0epEEZqkFBc4+uTqN76o:9+dp4uPZzGonqXGXh0bluBc4GZ5

Score
10/10
gozi3162bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    215165

Extracted

Family

gozi

Botnet

3162

C2

menehleibe.com

liemuteste.com

thulligend.com
Attributes
  • build

    215165

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4c988a94242af0afe8b6b367f032a8d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b4c988a94242af0afe8b6b367f032a8d_JaffaCakes118.exe"
    1⤵
      PID:1896
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2500 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2408
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1964
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2080
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2580
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1560
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1572
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:640 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:592

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      86733734ab38cd74b4d86b5df40e953a

      SHA1

      99fa32c229826493a20540ef1cac64753c4754c4

      SHA256

      ef2eec43033f08869939281bdbf05413122efed5c70544e7140900afd9ef1ad9

      SHA512

      8e7a915107d425c5a0622353d67ae18bd9c66ab1c282899a9ed31d928a148fa145ddce6f96105dd65613de08dc273fd022feda8c31f42a6400b604b41b282aff

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      6b4cbfa9d0344f851451a1da53d20710

      SHA1

      59a6243ec1273272c071adc4d3bdfffcf34e289f

      SHA256

      5f2b654587554bc090cd049a8e1a69ef9f1a9f8cf3fe443f9255c8e98263b04f

      SHA512

      1e3a6bba08b74c82918409191395545ef0147d3b6565887bb7da8dcd4cde8372ecee12accbad327dd37616c1e79103dd3a366cd76341fe6f8a4836ee73cdc896

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      f0b184d414ba8361aa358b754507d57c

      SHA1

      7222cf313a37bfd26e356e7601dad57f736ddeab

      SHA256

      a34db8bd569ca982f3117ddd17c3e8221cd95d0877514260a61de9e64d7fb470

      SHA512

      d65bf32fa407bcc0bff62a19466297c17ae95180490f1fc51f97952cafe2f2abe8bf7f2f161ea3d4cb11c48fdc4dd726791f21fc32fe53fdc155483ece835aeb

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      b7b89dffa090f52cdac4a2780adb1a62

      SHA1

      5412523f25a4bd7d9fabb3e7bb7289821cd1cb70

      SHA256

      5ed95ffd5e158e976a0d4e6999a6701288308e4f8748508df8c61377b520a3f7

      SHA512

      906ec2b66ba0dff06fa190919df28b89badf263ddd0e9941409184f5997852e6a4227ef907dbcb6ea04c2d0797cc9a3fd780d8d9ffc8e6fc9f288a864885675b

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      a5f61b00035465dd485092abcb3ea794

      SHA1

      286f118438f97e14164155eff94e836e6cce355b

      SHA256

      7f35840cf94556009b241ff8895ab7966d6a2f4411922e9297924412005c0e4b

      SHA512

      9638b9511d3cab10bc321487b6bd4e402fd40ebf77c5ba49ac34dd413a04ecd790ebacd96cada229ed1aa60dcfa93fe2c3d034b14b8e422b513b6e7810b7e896

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      63e1f010df471db95952513c7f5ffdea

      SHA1

      e3dd71cf73baf159f82d0d58b0f45ac833acbc93

      SHA256

      6f4ab4b51636a652a585bd8fd867ac3ddbed095c2d4f5405b12630fb422694bc

      SHA512

      69ef292b87f1e7a10505d89414f62e21555b07a14887259c1c4e457f72f5e0fdee9c0d93d41833d3e72de272c45bfc0329f9df0489d85e21a46e724904534dd1

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      25d64124c73f834076dd980954bfbe03

      SHA1

      f8f93b920691d7916619ff392a28dfde7168ce7d

      SHA256

      f01d6766bb289214606ac71897761f4758d28d4aad656099ad1ecbd2204d2a8b

      SHA512

      4cd50dd8734f4e3328576ef2e502f64f6a352101dfd91095c5b9d9f2a8d46484506ba18e3ba888f8d91d7626e7ab4bee74ecd39d9d008d0e88a1d80c7a267932

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      d809e99c790a4d200cd37ddd0cbb80dc

      SHA1

      057c7c8330b5b6e401829e471ebea490e41482a5

      SHA256

      9e4f8a7c89ae9c71c8f50ee16f5973e7908950f0cdb598e1a2abb39c46fc935f

      SHA512

      387422494b75e2adf03c57991c69ba8a4c7fb48a8237fe4943322378e6c49554afc3874e0ce51ee536c26122e16e5028882b0fb341bec7d60d54cd4badc4c213

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      2145c825a038d64c9b1bad74d774ba56

      SHA1

      7b6a51da71ded773c48e6941d9b460ad064f4dbb

      SHA256

      e01f0da9de2389c805f6cb9da76085519a2b3590afe57ae2775eab9f096d6019

      SHA512

      197cc26521f094571fdca3084952cd7b91fc58e9dd8f23f9f223255294fe8e374b7d3857c054b09ac409b7507bc473baacf4d76764f1751f33f1fd6d3373b7cb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\CabA798.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\CabA8A3.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\TarA8B8.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\~DFA099F69A905E15E3.TMP
      Filesize

      16KB

      MD5

      540c9b56ad748ff7510bf639feaf1280

      SHA1

      c5883730152dfc10c94342f6023ea073be17475a

      SHA256

      e5190fc6743d812b17bb3c51881bb28f8f67e1890bd708b2c666bacc37f21f03

      SHA512

      199d2208ef7b7b22c7c94928e9c64a726cfadc2ca878648b75b7801b0a575fe14b5028747b950d674387619f36a32000a655441ad094738dea2e9429df47120c

      Download Submit
    • memory/1896-0-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1896-8-0x00000000002A0000-0x00000000002A2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1896-4-0x0000000000270000-0x000000000028B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/1896-3-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1896-2-0x0000000000435000-0x000000000043A000-memory.dmp
      Filesize

      20KB

      Download
    • memory/1896-1-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1896-490-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize

      252KB

      Download