Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

dc196388fe...18.dll

windows7-x64

10

dc196388fe...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12/09/2024, 08:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dc196388fe348c76c9008531b5e579a9_JaffaCakes118.dll

  • Size

    421KB

  • MD5

    dc196388fe348c76c9008531b5e579a9

  • SHA1

    e0eb8ad11f6c896bc3f905f4e885fb1db7883edd

  • SHA256

    9b8d718f7de61529733c5ee556e089ca281e35e9141060a2b6e5fbac9c574293

  • SHA512

    a5d3896c524a642bccd948907f8bc268df041705e0a1e7bff79ece151d4e8744a967b361588c9292a866c8568eddfb3bbaad4bd73aab4cc66840e6487cf842f3

  • SSDEEP

    6144:7TfkafAO0f7VSUZ57hEUWsVCem6ndZUVj6MMfeWvvDZZz9XbccuC96zLprRCmf1P:p2f7VxHgsVCem/jzCgcuCwx0oTFpl/z

Score
10/10
gozi2200bankerdiscoveryisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

2200

C2

api10.laptok.at/api1

Attributes
  • build

    250155

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    730

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc196388fe348c76c9008531b5e579a9_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc196388fe348c76c9008531b5e579a9_JaffaCakes118.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1836
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2832
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2832 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2692
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2832 CREDAT:275463 /prefetch:2
      2⤵
        PID:1640
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:976
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:976 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:980
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:992
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:992 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2224

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      516c23b2725bdf723fb5e4a2e54d8e2e

      SHA1

      752434bcd1ad385ad836f3172927179e128c881a

      SHA256

      adbecb76b96f9a61ad7fac24941dfe0f67f6949432358e97df1979bb271c8a33

      SHA512

      8827267eb8c6597a0afe0385bbca5acbba05798f4dacc8f6ec0b6979efc1d1915ba21ab3c71df69b6398bd962c6a6e564ff72b945f42263bcb1a6e5adbb87c43

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      283a1075a6335bcba47519c79df7771b

      SHA1

      4473b65c5e9896b57700158396435821803031cd

      SHA256

      c185ee6349663ccb9a335f42bdc534a6f14172acf4ae42ef726d1f1a7d33064b

      SHA512

      eed74e4bcbba0c832393d392de7e3e1b359268e57c88da9f2770adb864d0afa566d8521167c1914c6746a13b8d08e642d5ea07ea1d1cd3d282190243d7c2b9f7

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      c7d8f10b739037370cb6477036cd8fb0

      SHA1

      e99bfac02c76c8541e04da53c9f797b6a7e6f348

      SHA256

      181f925f61580142ceac0180e801ff28c8550755e1207aeb66825e97cff7b36a

      SHA512

      bd5df94d6c557a0fe9f322ca4cc471f925c457960394b5969105be7b7f4ead884a6f9c815a0a8af170bf27ae5e64469baae60109c12016df2dfb7dc774510763

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      38f586f3e5a9faf5cdca177b71717652

      SHA1

      e778e13d884b9572fb9f7b1e0da2b5c61c578ebd

      SHA256

      bef4bff0c943deec245fc379e30491af0fed1823833abbe89561bb07f971daa5

      SHA512

      4bf80c08af6f962e247aa44011c4f98a972e6cff3b1ac208ab9931cf8d03f845b4f329a71de5e20bd4e52480471ae1ab6bb4779fb93f2cf533428b26a73fe637

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      ca07f3020ede21ebcdec53770a5d330a

      SHA1

      151a86ce1bb5a0e151c8a9e097aa129c6cdcb628

      SHA256

      54c7fbc2c05a7d7a60f3a314a684c70589d0db1586efc549ca16407490a03328

      SHA512

      ed4fcff510b789462a27ca7a04b28b8443d86a597b083725fb6ca97313871d168dd48d65e27681d2c21dc224957f4907026b3d7c7f4f183e48e4b5e976b1e845

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      e8ff024b40c33c00caaa15e338d1a293

      SHA1

      77aaa84ec109504fa98cefc1657fa2859b834c69

      SHA256

      0fe6e6937501814040aa280c5209a5b3e4833411c6569ead93900d5fd5d101c5

      SHA512

      8de2cfffbe1319924872efe1711d8a630e9d6e62bec6426887ab8ce1101969a0e807592df59cf59685cc52aa15dab6d9afc5ae67d9ff42572f3066cc32e4bb7b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      4e02556c5e46e39dd1bf0168decff7ab

      SHA1

      a5842d2e1ac1e4d5886eeae89083b1cd72dda583

      SHA256

      fd3cc764d40525b3923ffb31f2a6dbd4f7f0da30e4a4df749d5d544f72824d01

      SHA512

      89f3f6bd99fea87da2c2dba2da58c58418d32609009dce9b4a805272975a5177680e9e14c82dc5cac11ed17ec2243d32a37ec985b3c055de0dc2d82f9bbd0b82

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      5c13085188d4a45e0559ba13bdbe56a5

      SHA1

      b3690ea514c20bbd17148b77bb6bf19ff2d97ea7

      SHA256

      cc68b47a2987b5915f58a224f534c20e44a2dab8b05d25a44cd2d13044216c41

      SHA512

      02b2f628ab1b78ceecddc9a414cba034c8d9ce354fe893b9f441220ab883e1a25355eff6670158a38988576ee88e3a4c59ec1f0849132b523f5a76685aaf7fee

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      e2cdd24e3e4b060bb8adce4d932e6cd8

      SHA1

      5716bb8169c320c1546b3f4730fbf4a850b396c5

      SHA256

      882547a06382c5ca6e9d95ef927523cac72246034ceaded977f73536758395f4

      SHA512

      55963a49bffa6f2d1d0b30f839306edf5bf64fefae8d1c8fc6dbebda9717b69d5b6a1ad2fc6142bceab289f630525f0b620a19adfba28a55e2913ef4b0b6f2d0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CabBDA6.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TarBE27.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DF11E05769F7080CE0.TMP
      Filesize

      16KB

      MD5

      c1281782d1d793cb8cb45265792a2dc1

      SHA1

      6e029af6555670a8799f2fb8c901d484bfea15db

      SHA256

      55527789ee499010d71687c12ccf0f138ced5bb118a6e38e43b421b87c45f27b

      SHA512

      4c9499a60600e9253d339cd8241edc4125f28b043b58d5f4ea3fc2a11b92b51a77ebf2d9f02201e5f0b2cc810d1936b8a8249d721c562cbf79712bf04dab1a56

      Download Submit

    • memory/1836-0-0x0000000074186000-0x000000007418A000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1836-8-0x0000000000240000-0x0000000000242000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1836-6-0x0000000074186000-0x000000007418A000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1836-5-0x0000000074120000-0x000000007469C000-memory.dmp

      Filesize

      5.5MB

      Download

    • memory/1836-2-0x00000000001B0000-0x00000000001C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1836-1-0x0000000074120000-0x000000007469C000-memory.dmp

      Filesize

      5.5MB

      Download