Overview

overview

10

Static

static

3

bf5ccd1d79...18.dll

windows7-x64

10

bf5ccd1d79...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    24-08-2024 20:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bf5ccd1d790798d0ca032dd4679f3b6c_JaffaCakes118.dll

  • Size

    443KB

  • MD5

    bf5ccd1d790798d0ca032dd4679f3b6c

  • SHA1

    72da81141d16d09b4baf19d8d30f0e406e4b8d6a

  • SHA256

    dbc974edf66cf5689132154fcb3845df8cd89aa2f238086ee716cbcf4eb3cb5b

  • SHA512

    2c0b141fd6518883a681a2bb52b8b0fce8a9abb106730ba36e68f8954af3cbf756ff36ac448dd8af38330f34cf6efbdf4edb34efc8ce9588ffe188be5bbe8aa6

  • SSDEEP

    12288:KQOQLWQ7NJuL5rBl1VSvXAPXENg15OM0uzdqQHBVKhjOxbjg:1OEWQ7yjnVVyupqQHLKhjOB

Score
10/10
gozi2200bankerdiscoveryisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

2200

C2

api10.laptok.at/api1

Attributes
  • build

    250155

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    730

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\bf5ccd1d790798d0ca032dd4679f3b6c_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\bf5ccd1d790798d0ca032dd4679f3b6c_JaffaCakes118.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2340
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2548 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2848
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2548 CREDAT:668679 /prefetch:2
      2⤵
        PID:1284
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1244
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1244 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1192
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2460
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2460 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1840
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2792

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      304B

      MD5

      adfa401227f7380d6c8328b52bcc3bfd

      SHA1

      e63ef0ed4a066fca0b75201e93fadb6e7f80b238

      SHA256

      86d93c24a579aa83cca50f34e4551db7e04bcd44d5825ce0676304a2caa1554c

      SHA512

      493d08d1523fae0251be6a49832e55b8adfa4721d099c2436f359ff811f571302de5e3ff0948adaa0a41ccfc90b8bfbcf4c8ffdf6503b03aa5bf35f1c60344c0

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      304B

      MD5

      d8bb8219f467f6aa1e03be0ddb3e973c

      SHA1

      f654a9e87d7593b6bd6b321fc62abddf2b9e229d

      SHA256

      464dceca177d790d953967dc308157f6e9ade0625e49b60d2283b5c7769a38df

      SHA512

      b72470291b0e96d85917274a8d6bb1be6cfc4508237d4059c4077308400d51c7e617dff99e249eb058bb24a598a8a8305d2a29a3c00721c76e536424dd913a04

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      304B

      MD5

      da6d139ea92eaa43c4f24b91a4ee8460

      SHA1

      dba5ebdc48408c4ee1d6fcb8603c560a9343a102

      SHA256

      ce493ab79af065ffafc6b5cb3df750bd3fa81ac85406437b2ac4cb3a4a6b0158

      SHA512

      2ea778e026311ce6a6b1a7f9f7e99490bd9577cf74ea13a9501549f9111dc33b8eaec1269bee10868495fdedf9e597c4605aff9c31049ff7c91eb6f72c4e2c77

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      304B

      MD5

      dded2901ea3e9df5876c4d5f578decc9

      SHA1

      e40ac174b0597f763ce8ca376034f3d3d2337780

      SHA256

      83918fa037502ba02f81337d4bc2735b8e93548f71d1a4bbcb6ef37da86099de

      SHA512

      ab13d5735b236979f48f91033b2dc0c3240db180cd2fbb5a540af86161293181d3ee6033a6b0abdc416a1f41e9a2e8ef596868aef5cd93dea39930587295de50

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      304B

      MD5

      db94d0d904cf6ce0fa6204ce154c4dd7

      SHA1

      032a0e7e8fbeaa5fedd8f6c7f5154a711cc70fe1

      SHA256

      5af58ecca976fbc25915f3435ed2775c11f2d82ca9a051f42930cd0f07093dd7

      SHA512

      e0800f77ab0599fb04cd566e950ca94d751b57f5bfc7989c4718e730263735253f168af4bd434b2fcfde1e83a71773974715d1400d1e5107ad02afefeab3bc8f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      304B

      MD5

      f08624b731a15553bb825a42390ab95d

      SHA1

      519f3ff2f1a31af3fb5ea0a2543187518623e190

      SHA256

      fe5fa3778ea1314aa5f1497eab5334ef2a7c6abef0c9c9887b6de4eabd515642

      SHA512

      876ba7f8a03127997904d3abdf342c2c8b4682180213d019d72799dfe86ebc7933372724db808776d4fdc03f4587279fd3df2b5993959a7a3d9e22a8f0c65a39

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      304B

      MD5

      44c052fd10f7a133d2827942c6408006

      SHA1

      be955ed8124c800ec39eea29f3f1cef18728525d

      SHA256

      0f4a87d250395fcee34c34badce99a69e4a339f2deca37c0b1fc44351b5aea31

      SHA512

      fd630485308f03785d965eb01b8f00ec10381f2cedbebabcf6eca1e722cfab54af4cc730fc3187c7ce1494de03b1dba188aedc23d506e512599d3d6ff78ff21e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      304B

      MD5

      1f3ce5085bb4b19d22b77255dcf179a0

      SHA1

      945e5f8ca0bf1433366b603ecf6fe6b718fa4478

      SHA256

      72c180deea5a7a5ef5142998fe53799eb91dfe386341dd31759c7ecf1dd9c715

      SHA512

      8b1f21ce4d38ba9b3ce9d33d0a78d77b969c9845c6a6c5758db1fd045a9a095d083bff2a664750c2d75623dfa3693cc6c34aac73260e197d6d88f435783222d3

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      304B

      MD5

      e1c6fa5956c78ea9e8b3ea946b15d607

      SHA1

      f41c30ae24948275af6de7af0415b4a4dbada97c

      SHA256

      3c4b7816b0e86be3d224eafc8764468ec1442a898963dac019a8140c17ef2398

      SHA512

      d4da73b7ac72e4f67730de83281e5eecf467672471e02e04ebc2f0dbc763ff84b0a7fedcd1c36ee447e57ea79a2278aaa018759a97f56440bf154b3f3d939add

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CabD0D9.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TarD188.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DF1AC1C6161B58B76C.TMP
      Filesize

      16KB

      MD5

      fe4a30d8300b44e3c25e2a8ec313e270

      SHA1

      a0f80dd03c4ba5f89995e83f2a0b720cdaf128ee

      SHA256

      235390cb5f64d336574f3bd448bd60aa1124fc45c6282252f2ed73092badaca1

      SHA512

      96d4dc4825cae40efaaa37dcad2b56cd7cc2b9d3bd18c385600b22263bd066b7795ffe7a381e54d7427f5df6e8656ba9ea61ee30ab47492235de3f896945e7f0

      Download Submit

    • memory/2340-0-0x00000000741D5000-0x00000000741D9000-memory.dmp

      Filesize

      16KB

      Download

    • memory/2340-8-0x0000000000260000-0x0000000000262000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2340-7-0x00000000741D5000-0x00000000741D9000-memory.dmp

      Filesize

      16KB

      Download

    • memory/2340-6-0x0000000074170000-0x00000000746E7000-memory.dmp

      Filesize

      5.5MB

      Download

    • memory/2340-5-0x0000000074170000-0x00000000746E7000-memory.dmp

      Filesize

      5.5MB

      Download

    • memory/2340-2-0x00000000001A0000-0x00000000001B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2340-1-0x0000000074170000-0x00000000746E7000-memory.dmp

      Filesize

      5.5MB

      Download