Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-09-2024 05:56

General

  • Target

    d3b158ba2a81b4ddc15491ec4f7aa64b_JaffaCakes118.exe

  • Size

    909KB

  • MD5

    d3b158ba2a81b4ddc15491ec4f7aa64b

  • SHA1

    44f60b8bb5cb309bbdda1197f9d716fe77d831ae

  • SHA256

    9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401

  • SHA512

    77ae26fc01a6243fa4cc02d8dc3aa62ce88b7fbb473ca758ca6e11c9f36d9e3b0278e1bfb1b1802b2d99893b4c19295f75b30baa7429843eb4d7d6d28406d3f7

  • SSDEEP

    1536:tV7RSS9YSCSISCShSCSxAGzsCTXYtFBo45GQG770gSvc1RIVLmyLmRgRLuLkutb+:JuAGBTYzGHsNv6xgRK4VljQaeA

Malware Config

Extracted

Family

gozi

Attributes
  • build

    300854

Extracted

Family

gozi

Botnet

202004141

C2

https://devicelease.xyz

Attributes
  • build

    300854

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SetWindowsHookEx 24 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d3b158ba2a81b4ddc15491ec4f7aa64b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d3b158ba2a81b4ddc15491ec4f7aa64b_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:3044
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2812 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2984
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2812 CREDAT:406539 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2376
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2500
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2500 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1700
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2008 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1864
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:712
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:712 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:800
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1976 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1784

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    5a1bb2604d8d20bcbce540d586fa7674

    SHA1

    8b0da6f7d92264b0aab0caf3aae46a59cac8099b

    SHA256

    3c37c494ce131da7191827926c89c585aa6f4b1f010dec83488e03e749e525aa

    SHA512

    88de7d61e03630c76701d15705519c62f414fc2aa7e27b0ce88d6173a3c86a6b7ecf531ae4c2d2d0d2c0c008ffb49cff5a5ae8731c40c78f6d0b86c1380321c5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    650db5ec557fd3a28dafbc53e12cef83

    SHA1

    c35dc207b82cd7f316d67d02be3a0bd6060b4ac3

    SHA256

    66fc8c58ddf9f62126d64c3c660e41d14d4e8903832dfa5a283e3434439c9630

    SHA512

    ec3d20be9c03ed688bd6c14ae5ff03c8a308bd07d047f6a7d590ab7d006d4da80aefb932f2a4efc8d9c0e73e1f2044e73020ed1ab2595025109562409046eb63

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    4199318937f0ececc9fd493f19797c33

    SHA1

    5029b36c17107ea68c2c1938a86ca5510013d14a

    SHA256

    733f241947addb0c8cb1baa38c22867c382f5ebfe68f68bbf19ce5a71870e930

    SHA512

    d3b8e524eee522543ec55114d7d773bb980499874ff6fc49cdf49500d70fa2871919b8e9cbad8b4a781ca463063ae2af6403a9544529eaf37c1011ec76f6a19e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    fcd681d0ec4bfb9a85468256bad29766

    SHA1

    6bc2ecf4c260a172e349b46435ae8b7d92beb623

    SHA256

    ea2d6c5afe50c1fc7423214955f462e67be870af05077c62e4e5e062b43b2621

    SHA512

    9441f1832cd160848e7877b3d22a964ee558e9e73575764195a6a238ed9349e8e6fea6d4b1c9149ac53a3d7e6e0df59628c44e77689d2ad2fea0ffe65725b98f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b26bcbca0a036442133ba10404e87a04

    SHA1

    92aeea7a5fce338d62b7496796f0db248d2ff5cf

    SHA256

    b357baa22748af00be5973f00a6dcd3c029b87271bac4a4050d22da6099a7058

    SHA512

    e82dad4bb4fa52d255ac3d609aab4b8a1797c4f5eccadf99cebc60520ca5a04570a39cc365fb2d7ebf8279d774b888572274090083719e11aaf9c3669cdf9276

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    462301aba7f9dd267febf8a291ba1e25

    SHA1

    12ba36e1fc5cb1c670a084d3ac6a932234e3438b

    SHA256

    743775d2b6c84f34c801ebb6add6ea55702f389967360fb431ff3ed728f536d0

    SHA512

    0e91e8c32c1df3d18346220327fbc962b709015443c7e39dfd85b042977476e9312c277f177f88f34c2d9f4cb67f9e9b4c042d5675526355b7964956fcd7d4ed

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    677af7c0216f813481abf02a6cdfccea

    SHA1

    a516a777e5224b9894958644af6e684a6dbd79e6

    SHA256

    8b02f8d1a50f3829a2b0f9c47ddbb20dab7b64d653ae871dd83266ea4fa37baf

    SHA512

    84ee3a85c8fac5c7b687960f1397b43c7e363af9b997f3e9cf8dfb3ce92e3b8237519218c3873b3334f7da7031720682f2dbcf5632c9e4e3d938af1fae2dbb40

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    457942e18c1c32bd36007bfd228d4ace

    SHA1

    4c7245b6d9b6c7898b247cc3ecfc0f5f3ef25087

    SHA256

    ef851d970856a520b47fb2cef35fc7036967b60637c209cba35d7492be14fa87

    SHA512

    0a5ad67cb4f9355a3ade2d1264627311e02848845baa67f58d51482f89700a2c54b806e5f1a84ecc353a3f3f4e8bee755d6be2b413847d86c1e659d58f66c3a1

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9UR26M8S\NewErrorPageTemplate[1]

    Filesize

    1KB

    MD5

    cdf81e591d9cbfb47a7f97a2bcdb70b9

    SHA1

    8f12010dfaacdecad77b70a3e781c707cf328496

    SHA256

    204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

    SHA512

    977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\httpErrorPagesScripts[2]

    Filesize

    8KB

    MD5

    3f57b781cb3ef114dd0b665151571b7b

    SHA1

    ce6a63f996df3a1cccb81720e21204b825e0238c

    SHA256

    46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

    SHA512

    8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\dnserror[1]

    Filesize

    1KB

    MD5

    73c70b34b5f8f158d38a94b9d7766515

    SHA1

    e9eaa065bd6585a1b176e13615fd7e6ef96230a9

    SHA256

    3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

    SHA512

    927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZKZ95V4R\errorPageStrings[1]

    Filesize

    2KB

    MD5

    e3e4a98353f119b80b323302f26b78fa

    SHA1

    20ee35a370cdd3a8a7d04b506410300fd0a6a864

    SHA256

    9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

    SHA512

    d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

  • C:\Users\Admin\AppData\Local\Temp\Cab5AE0.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar5B40.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\~DF9A64D1630AD41D1B.TMP

    Filesize

    16KB

    MD5

    671f58a5627b75abe787eed872a9d037

    SHA1

    fe7344cff44dfa516bc718b73cfd81e87d470785

    SHA256

    d02bb9a4166a7d74363acbfecd6e2c800be3792895ed5b725d09df06c9a451c6

    SHA512

    3542b1112d5e73b6c54008947d5f5b6176a637df44fce213881bede61fd27e62a598c0e15199c704adf98d2c7e9396b876b11f23a4c35cb3fbed7e561dcaa7ef

  • memory/3044-8-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/3044-1-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/3044-0-0x0000000000220000-0x000000000022C000-memory.dmp

    Filesize

    48KB

  • memory/3044-2-0x0000000000240000-0x0000000000251000-memory.dmp

    Filesize

    68KB

  • memory/3044-9-0x0000000000400000-0x00000000004E5000-memory.dmp

    Filesize

    916KB

  • memory/3044-10-0x0000000000280000-0x0000000000282000-memory.dmp

    Filesize

    8KB