Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    142s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10/09/2024, 20:31

General

  • Target

    d8ff579aa7fa4f9e658dc98b597c8a42_JaffaCakes118.exe

  • Size

    250KB

  • MD5

    d8ff579aa7fa4f9e658dc98b597c8a42

  • SHA1

    51877ef77b94248737ba58ae7f67c9e8e493c4eb

  • SHA256

    9d6dd00b22e2059d7848f8d32e79f4c68ef38c4e63793893a76027e617a7e377

  • SHA512

    0a48f026c3ec6563590115eb1525cd359506ea9406f3feca2ef7b95fb6d951ab984e9bb6fb0da8d915aea4f6b42f5105ce1dbfd790e478c19c71023060186899

  • SSDEEP

    3072:IFNthWQl/rSJ7lvt9filcZritkrINAEYsm2:IBhWQ/mJLflrOAp2

Malware Config

Extracted

Family

gozi

Attributes
  • build

    300913

Extracted

Family

gozi

Botnet

92020311

C2

https://appealingedge.xyz

Attributes
  • build

    300913

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • non_target_locale

    RU

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8ff579aa7fa4f9e658dc98b597c8a42_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d8ff579aa7fa4f9e658dc98b597c8a42_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2268
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2600 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2604
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2600 CREDAT:406541 /prefetch:2
      2⤵
        PID:1004
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2212 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:376
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1928 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:900
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2624 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3016
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:536
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:536 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2200
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:688
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:688 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1536
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2052 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1032
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1660 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2916
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2088 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2720

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      8f4caec6e6dd93e222e580d3edeab9ca

      SHA1

      3a3e2169bb9b04f970cb5e0c7d430f50fdf7a682

      SHA256

      d46b81bbb4be8140d5d9e35856b52adae37ab1ab990ca09df838e41540813f7d

      SHA512

      5073eae94a087c2625ccf9a6227e5978616fd3c210c66a0c2043d08c13a4e1c39775773582780d3762439bb6e3d961c81fb8209da915365cffe6b95d8d417522

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      7455846f33a703749590f205543bb3e0

      SHA1

      b01180689933bce32f4f5bcc109d649ec4cca6f0

      SHA256

      9b383a76a6211bcc81338f506d51cc6660af72d93235a323b8e034248bef219a

      SHA512

      0c454d283e121087c4aa163e9232f5b670a69e8d8c86f6165aaa4e8bbd8189adccd9bc30b323ac398b747adbd22c79026116de65b1e1cad273d5e632aebd271b

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      43535c4361af907fdeb2d49b24c32453

      SHA1

      99b09ef383bfb90f1f2b2264edd3bccef599ace6

      SHA256

      934707820dae9c1ce6d8603e9d53e2ae62890c8f6a1a478ec5ed883cddc29dd7

      SHA512

      440902e9555d5c45e766ffd6cfd47c2ebc0c775f420138f4a85628b730ad919eed43c988b4a3b11d1501435a6d5dac83f811e726000dc6b82b7197ce383115f2

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      d5db97fc608af76fac2d8a1a10fb63c7

      SHA1

      87ee3d003fa4832b922911477a0dd3532c61c08e

      SHA256

      4a075c95921b33c8eccc9fb184ee3862a8e3335e692ec697d747db9844aa883a

      SHA512

      887649e69df318415632429597b92f1221f46c7a6128c8a698535fca4c9d90053d2a1388d42648aa40bc44e370900a47ac0602e8b05cf4b8d129c4a370aa32de

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      051180de215f1ff23af17b52af6d1644

      SHA1

      a429d51fccdbe626938b666c1cc488eafde13636

      SHA256

      f753a058d027e8f2ba4c65c514c86dcb31d311430b5b7501c94b899ee55610ba

      SHA512

      d15baf3e6e6000f6e45ab686e085d9c2fdfe40346dabee9628f444c5243a76a844290bc17ddd5aa570ab528ec774e9ad2c0d804d4ea341894b53eec5dfdf3417

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      cdfcc20a363153bca5e73668d7d1120e

      SHA1

      da79196199f33858d5d11de8bb0921c82b760409

      SHA256

      1bb1fd8dbb4c7c5af214c48d7f22d9ffcf31c981a5201ce6b1b0053cbea963e5

      SHA512

      836e60cbf4acc9eff7ab82195fa32ff2aa97f59227c9a3d74d86150fb87d984d54abe17d3c1cb49336f327a7c15a95b7984d75170d04c921201465a4ba1bbae6

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      89b0e4e43d878c2f24925c9e1c204e26

      SHA1

      ada74ee96d2c6d44d45a21560b50c02d4c80701e

      SHA256

      2cdb4b1e943c8d34992ffa99b8bdd0cc164fc03adde5766e9f92c889b76f4de3

      SHA512

      e6cac63735a3c26ec699a0ea108effe523e0acc757da924f595ff7943b7b5a78d3dfd455459b51af12008040b4f81d01f49fb5341067521e696a920ad52dbb51

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\01LB6K3J\NewErrorPageTemplate[1]

      Filesize

      1KB

      MD5

      cdf81e591d9cbfb47a7f97a2bcdb70b9

      SHA1

      8f12010dfaacdecad77b70a3e781c707cf328496

      SHA256

      204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

      SHA512

      977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0I0VVMWQ\dnserror[1]

      Filesize

      1KB

      MD5

      73c70b34b5f8f158d38a94b9d7766515

      SHA1

      e9eaa065bd6585a1b176e13615fd7e6ef96230a9

      SHA256

      3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

      SHA512

      927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CXRG2YQS\errorPageStrings[1]

      Filesize

      2KB

      MD5

      e3e4a98353f119b80b323302f26b78fa

      SHA1

      20ee35a370cdd3a8a7d04b506410300fd0a6a864

      SHA256

      9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

      SHA512

      d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\httpErrorPagesScripts[2]

      Filesize

      8KB

      MD5

      3f57b781cb3ef114dd0b665151571b7b

      SHA1

      ce6a63f996df3a1cccb81720e21204b825e0238c

      SHA256

      46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

      SHA512

      8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

    • C:\Users\Admin\AppData\Local\Temp\Cab3537.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\Tar3597.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Users\Admin\AppData\Local\Temp\~DFCE63282DAC7253E8.TMP

      Filesize

      16KB

      MD5

      5117c34d8a39bebb26a4fa66744cb189

      SHA1

      1a5476ff0d8025f27755e832a65f15bd35e880fa

      SHA256

      85ff14c8083ec4c136904287d57f5568c57b55c5f797641e2e4c4a0a4f4fc389

      SHA512

      8104fef8cf271f431faaeb0ec8193a594dd576a1cbf3fd9a81355d6e4112002c91b98244fc472929864f1d378562c9a0660fd38e6a28b7e261bdaa0129a7ffd0

    • memory/2268-10-0x0000000000380000-0x0000000000382000-memory.dmp

      Filesize

      8KB

    • memory/2268-1-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

    • memory/2268-9-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/2268-8-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

    • memory/2268-2-0x0000000000290000-0x00000000002A7000-memory.dmp

      Filesize

      92KB

    • memory/2268-0-0x0000000000230000-0x0000000000258000-memory.dmp

      Filesize

      160KB