Analysis

  • max time kernel
    145s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-09-2024 06:28

General

  • Target

    cee291306818412f879ab3df22ad1126_JaffaCakes118.exe

  • Size

    908KB

  • MD5

    cee291306818412f879ab3df22ad1126

  • SHA1

    33f53bc68ece6e129dee0f7f1eb1db43070ff2d0

  • SHA256

    60e56ff40a3f53385faed68011dba9e70e63899a91e821527fed3ba8c79d3e4c

  • SHA512

    a6428e9a8838ce4e5958a64c531dd29b47adc575eb4f3415eeed261f7da43c6f60badd1d5c1bafd6c4fe2add11a30a13cc03d2d8575db5e85b19ca49bfff9596

  • SSDEEP

    1536:tV7RSS9YSCSISCShSCSxAGzsCTXYtFBo45GQG770gSvc1RIVLmyLmRgRLuLkutb+:JuAGBTYzGHsNv6xgRK4VljQaeA

Malware Config

Extracted

Family

gozi

Attributes
  • build

    300854

Extracted

Family

gozi

Botnet

202004141

C2

https://devicelease.xyz

Attributes
  • build

    300854

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SetWindowsHookEx 24 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cee291306818412f879ab3df22ad1126_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cee291306818412f879ab3df22ad1126_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1448
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2872 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2884
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2872 CREDAT:406541 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:556
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2276 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1072
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1824
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1824 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2248
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1828
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1828 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2968
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2508 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2084

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1448-10-0x0000000000290000-0x0000000000292000-memory.dmp

    Filesize

    8KB

  • memory/1448-1-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/1448-0-0x0000000000220000-0x000000000022C000-memory.dmp

    Filesize

    48KB

  • memory/1448-2-0x0000000000260000-0x0000000000271000-memory.dmp

    Filesize

    68KB

  • memory/1448-8-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/1448-9-0x0000000000400000-0x00000000004E5000-memory.dmp

    Filesize

    916KB