Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-09-2024 20:18

General

  • Target

    d2c2434c6b9bbf83f922d31d3a3e8308_JaffaCakes118.exe

  • Size

    908KB

  • MD5

    d2c2434c6b9bbf83f922d31d3a3e8308

  • SHA1

    56dfe39a47ff46eda0aa0d691bfff4e4177b209b

  • SHA256

    d3787d8d0b8e4e6db017b9420c749273f611e378887caba77a50620f2039f5bd

  • SHA512

    948089e820f0075d0859a400cb3fed16f209b9a51652f8fdb5905c6b00092ff60aafa52f9f2c62a2989f206040c674e06a2a9acda2784de3af997a9909fc6200

  • SSDEEP

    1536:tV7RSS9YSCSISCShSCSxAGzsCTXYtFBo45GQG770gSvc1RIVLmyLmRgRLuLkutb+:JuAGBTYzGHsNv6xgRK4VljQaeA

Malware Config

Extracted

Family

gozi

Attributes
  • build

    300854

Extracted

Family

gozi

Botnet

202004141

C2

https://devicelease.xyz

Attributes
  • build

    300854

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

  • url_path

    index.htm

  • rsa_pubkey.plain

  • serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings (1 TTP, 64 IoCs)
  • Suspicious use of FindShellTrayWindow (6 IoCs)
  • Suspicious use of SetWindowsHookEx (24 IoCs)
  • Suspicious use of WriteProcessMemory (24 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d2c2434c6b9bbf83f922d31d3a3e8308_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d2c2434c6b9bbf83f922d31d3a3e8308_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1644
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2868
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:209933 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3052
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3036 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1788
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2600 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3048
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2224 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1856
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2604 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3052

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1644-10-0x00000000003E0000-0x00000000003E2000-memory.dmp

    Filesize

    8KB

  • memory/1644-1-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/1644-0-0x0000000000220000-0x000000000022C000-memory.dmp

    Filesize

    48KB

  • memory/1644-2-0x00000000002C0000-0x00000000002D1000-memory.dmp

    Filesize

    68KB

  • memory/1644-8-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/1644-9-0x0000000000400000-0x00000000004E5000-memory.dmp

    Filesize

    916KB