Analysis

  • max time kernel
    142s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-09-2024 20:18

General

  • Target

    d2c2434c6b9bbf83f922d31d3a3e8308_JaffaCakes118.exe

  • Size

    908KB

  • MD5

    d2c2434c6b9bbf83f922d31d3a3e8308

  • SHA1

    56dfe39a47ff46eda0aa0d691bfff4e4177b209b

  • SHA256

    d3787d8d0b8e4e6db017b9420c749273f611e378887caba77a50620f2039f5bd

  • SHA512

    948089e820f0075d0859a400cb3fed16f209b9a51652f8fdb5905c6b00092ff60aafa52f9f2c62a2989f206040c674e06a2a9acda2784de3af997a9909fc6200

  • SSDEEP

    1536:tV7RSS9YSCSISCShSCSxAGzsCTXYtFBo45GQG770gSvc1RIVLmyLmRgRLuLkutb+:JuAGBTYzGHsNv6xgRK4VljQaeA

Malware Config

Extracted

Family

gozi

Attributes
  • build

    300854

Extracted

Family

gozi

Botnet

202004141

C2

https://devicelease.xyz

Attributes
  • build

    300854

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SetWindowsHookEx 28 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d2c2434c6b9bbf83f922d31d3a3e8308_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d2c2434c6b9bbf83f922d31d3a3e8308_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1352
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1936
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1036 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2452
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1036 CREDAT:17416 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2168
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1168 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4364
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5000
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5000 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1468
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3508
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3508 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1224
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2012 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1192
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1896
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1896 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4048

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\951G8FD5\dnserror[1]

    Filesize

    2KB

    MD5

    2dc61eb461da1436f5d22bce51425660

    SHA1

    e1b79bcab0f073868079d807faec669596dc46c1

    SHA256

    acdeb4966289b6ce46ecc879531f85e9c6f94b718aab521d38e2e00f7f7f7993

    SHA512

    a88becb4fbddc5afc55e4dc0135af714a3eec4a63810ae5a989f2cecb824a686165d3cedb8cbd8f35c7e5b9f4136c29dea32736aabb451fe8088b978b493ac6d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CFIOOOZS\httpErrorPagesScripts[1]

    Filesize

    11KB

    MD5

    9234071287e637f85d721463c488704c

    SHA1

    cca09b1e0fba38ba29d3972ed8dcecefdef8c152

    SHA256

    65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649

    SHA512

    87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GENTSNHI\down[1]

    Filesize

    748B

    MD5

    c4f558c4c8b56858f15c09037cd6625a

    SHA1

    ee497cc061d6a7a59bb66defea65f9a8145ba240

    SHA256

    39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

    SHA512

    d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GENTSNHI\errorPageStrings[1]

    Filesize

    4KB

    MD5

    d65ec06f21c379c87040b83cc1abac6b

    SHA1

    208d0a0bb775661758394be7e4afb18357e46c8b

    SHA256

    a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

    SHA512

    8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VDS6YA2E\NewErrorPageTemplate[1]

    Filesize

    1KB

    MD5

    dfeabde84792228093a5a270352395b6

    SHA1

    e41258c9576721025926326f76063c2305586f76

    SHA256

    77b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075

    SHA512

    e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd

  • C:\Users\Admin\AppData\Local\Temp\~DF21909E9E88ACFA2E.TMP

    Filesize

    16KB

    MD5

    a2005ec647aa7a0764639d88c8851fb3

    SHA1

    a0299fed76da3f261ae78b3e4f785d5020589c4b

    SHA256

    0a62075c884c14ebcc2e801e541cc033174595658604e48d5a135502ad542030

    SHA512

    892f36806a152cec1ba62d7b244ae49b31fca0fcd9ca682017e3c13c0fd59556b653612980df591b03f78c1f35e26d3637f5449b66435ff5499d90267ae0200e

  • memory/1352-0-0x0000000000640000-0x000000000064C000-memory.dmp

    Filesize

    48KB

  • memory/1352-1-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/1352-2-0x0000000000660000-0x0000000000671000-memory.dmp

    Filesize

    68KB

  • memory/1352-9-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/1352-8-0x0000000000400000-0x00000000004E5000-memory.dmp

    Filesize

    916KB