Analysis

  • max time kernel
    150s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/09/2024, 12:39

General

  • Target

    da5df6cf42b7672f5b7c20c809ec3772_JaffaCakes118.exe

  • Size

    197KB

  • MD5

    da5df6cf42b7672f5b7c20c809ec3772

  • SHA1

    b9428dfdfa5db55cb1eda3c28c0702a5edf746e7

  • SHA256

    872f35f887a8c22fc56d9baa80a861a88d2b3737ba289788394f0a68147d0115

  • SHA512

    82198a670a26e821a87a308aafb59d18cac94df3627163d2e90118e55f5543e572281fb0f70be75fe65e35b3a2512c96f76b48d7d01a6652f0792e9295181288

  • SSDEEP

    3072:oWDdCZn+MHTptyZ1+5Ck15lxYY54Fp3QT2kZz2yDj0EQ8x7xSJM7UmA0ox6:oWkdVlS1oCPY5+QT2kx5HlS27Umg

Malware Config

Extracted

Family

gozi

Attributes
  • build

    215165

Extracted

Family

gozi

Botnet

3135

C2

zweideckei.com

ziebelschr.com

endetztera.com

Attributes
  • build

    215165

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

  • rsa_pubkey.plain

  • serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\da5df6cf42b7672f5b7c20c809ec3772_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\da5df6cf42b7672f5b7c20c809ec3772_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1956
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2832
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2832 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2920
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2832 CREDAT:537609 /prefetch:2
      2⤵
      PID:1668
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1980 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2524
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:276
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:276 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1484
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2052 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2668
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      PID:2200
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2200 CREDAT:275457 /prefetch:2
        2⤵
        PID:2492

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        e3b91b08e25c33a9ec813c065c582e15

        SHA1

        7e9e0d4940be5449211953e8e125be26d994d0ea

        SHA256

        6cab849579734c8ceb78c8664d5561dcae064c5051907a1778596c467be08c2a

        SHA512

        26b423edbf839b53d0bfabfa0af65c703d87e86ad5228383714ea89b33e25563f1a458cdd7443ad884b15bf0a49337a1f5e9529a48fc5f33fe24d0162f8b59d6

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        cfd34c67837894138fc71e13f9edcc15

        SHA1

        d7109ad942f79e6178ff3f5101df098da3abaf1b

        SHA256

        6860eb31804996367fa058a5394410cf449f2c9d0486d40c0c75fb526513760e

        SHA512

        47b0811edca9753da465727bc89cb63b6abe1a8e7bb3952e57ac37d5914adf2e69c98f9172506f249dc1b4ba62edeee57cdc4b1b07db82684a52b3c4813af9bd

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        4e2dc2c9fb11f11cb58bc839e993ddee

        SHA1

        e3710c979b3a23b8db22bf6007b918d1bce2cb7d

        SHA256

        61e120f255994add75da0d42e2d4ced37fc3e3bf407c39533499ed02014e8084

        SHA512

        fe07b72151bb9fa4153c1bffce8ef2a778af5dc422868c86fa8978b7b0103538e8e181786881b70e318c56b5b044075c7561e5b1ca75760703a8583a054c1730

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        d858d55a842fa739602b8cec44aab5f4

        SHA1

        5caf8ad92b8c234ba6affa0ce1a8a283d1bd3b44

        SHA256

        8eadb768412e20717ea22f0af31e0042afbe110fa02ed2f8cff3542591ef0a00

        SHA512

        07059cd255089737f4962bbc6bd9afe4843960eb2534653b38b93ae1c5a106f9ac18da6e3899d37e1263c01c4866b8d538f1e626365f7e883a9a9c9e4d88a449

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        afb4871b55373632ec00fc23e4f69659

        SHA1

        2ffc4c0daac9d8e144af4eaab9f77649ad0efb13

        SHA256

        81645b896c55cb96f0fdae9ae00d76196d8c7bbd724d6b00a876f1e5ed8d5d85

        SHA512

        2d8b0f1e30f3a12a10b6d80ea7ed4736de88ea213402b68bed98b8e208566be9f41ce36a00cd6242eb4516c154cdec2d840f4e551aca89e15a4b47dae308e9ff

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        8741e6966f57ec85d5593bbbabc7586d

        SHA1

        13d2b51f0e7ee00e834f482af87623842a40f1e4

        SHA256

        d60985bbc3e9b36bb32623b9749afdb89d3c12c8678717db77f23665dcea7040

        SHA512

        31c6124132cbf7cf15d93c22d62fd7f5ba9070fa28e354ba98bfd16f587ec6c19e3b73ecfdf9aafb70e98b2416320a35f4487696c71b5d716680592f8c51c9f4

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        e0e47c11bf0ae274fb3e4ca17ec92a83

        SHA1

        07465c5d7b1ab42aad6342bfb5cae6bb050bbfbb

        SHA256

        9eae40cf8cde6705db7312189029337065aafc69530193c5a607027e0e20f796

        SHA512

        a63002b3ac7a3dc5d99107504f87bf74dacca7499d2d574f776f45aca5c49c763d83631a0dbb1b05f176e659ea3fc316134a237c664efc6cb3cf6312f8250ad8

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        a88986c90d255d705874181da2b0b8dc

        SHA1

        9d889701e61ae257112dd3519453db4a4fc55526

        SHA256

        06042168d641fac90cd59c898093eedc0421af554bf18acbbe6b300f7a068a2d

        SHA512

        06684976b885096d70c7feca487d694a9bcc2fdf4f86246dda125136a3bae293232fd5f19565d598752b5b4ceb81420d418d42ed093852dc489c43e88d1ed865

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        e5e71c558990e27f204b3d0244cb7c03

        SHA1

        ead7a919261108c10ba3c9e46ecbc61a35b7a478

        SHA256

        d0dba1e628401f55426e510d550ac68587a7db69b4364302d2be11ac15040e1f

        SHA512

        42d78bd610893c525d3327a6175a72debc0ce9e7016d5341fc1a596d2a7205cde9c1ab69063af8a5b51832df6a8477db8f8a9570c99070f46aec765a1357d746

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        f3e2ade6a21430f1ce57e27e93ce3ae6

        SHA1

        2b5acef34960a0a0db14498803b1fd369747a2d5

        SHA256

        350ccc77d1373e4356eb82fab5c39da28cc9e3641fd41223eea9a9a468423f81

        SHA512

        4606bacaaa65d8161007fb12331897837fd6d905276856e8a5e41977cb51985f2157fa4df21ff71d02051ca716c970d314b2d4c287f18157c3d7d8ea8c01445b

      • C:\Users\Admin\AppData\Local\Temp\CabBAF9.tmp

        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      • C:\Users\Admin\AppData\Local\Temp\TarBBC7.tmp

        Filesize

        181KB

        MD5

        4ea6026cf93ec6338144661bf1202cd1

        SHA1

        a1dec9044f750ad887935a01430bf49322fbdcb7

        SHA256

        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

        SHA512

        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      • C:\Users\Admin\AppData\Local\Temp\~DF1041AB06D1C317E1.TMP

        Filesize

        16KB

        MD5

        f0f5d4f0d8a93435d5a4e728743f9616

        SHA1

        c5c850c4da55d69ab2a0e000f145ecbacfd6c650

        SHA256

        e2f4a5df06cae2c28889fc38bc709a2e40c7492c9f21946d40e65017a71db066

        SHA512

        2ef162954b9b944426e2bfbb1ff71fd5ee628f6b4fd1761d4d7f793fc22786ce0a57a48d044051b1afb0c9ce0b437dab880af4c635b9ac86706584abbb435942

      • memory/1956-0-0x0000000000230000-0x0000000000231000-memory.dmp

        Filesize

        4KB

      • memory/1956-7-0x00000000003F0000-0x00000000003F2000-memory.dmp

        Filesize

        8KB

      • memory/1956-6-0x0000000000230000-0x0000000000231000-memory.dmp

        Filesize

        4KB

      • memory/1956-2-0x0000000000280000-0x000000000029B000-memory.dmp

        Filesize

        108KB

      • memory/1956-1-0x0000000000400000-0x0000000000447000-memory.dmp

        Filesize

        284KB