Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13/09/2024, 04:30

General

  • Target

    ddacfdabad02364fd78eb42480d5332a_JaffaCakes118.exe

  • Size

    249KB

  • MD5

    ddacfdabad02364fd78eb42480d5332a

  • SHA1

    7a816f4c3af6c04e65d8c0ec090e45367f96a9e2

  • SHA256

    5c27ce50baba810accf6f2a1501155ef7790c61396850880779daff1ac93df45

  • SHA512

    ea4c606107ea8891732fc46b245771a5223b4fdbac29ee31bc563bafaecd92a4b0c0fd0a65d96ba440c522e388e07698fb0b4d40825e78fd4faf7401fe2b35e5

  • SSDEEP

    3072:jg/FHt0BFQ9PzY0kKiuAedGp5O3nsjZqMNJEnmz:j8FCMP+KbGfO30vJP

Malware Config

Extracted

Family

gozi

Attributes
  • build

    300904

Extracted

Family

gozi

Botnet

90420251

C2

https://vvietnamnews.xyz

Attributes
  • build

    300904

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • non_target_locale

    RU

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SetWindowsHookEx 40 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ddacfdabad02364fd78eb42480d5332a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ddacfdabad02364fd78eb42480d5332a_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2840
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2756 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2620
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2756 CREDAT:472074 /prefetch:2
      2⤵
        PID:1724
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:288
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:288 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1392
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1864
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1864 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:896
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1480
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1480 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:592
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2960 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1132
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:308
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:308 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1496
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2764 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2196
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1584
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:884
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:884 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2636
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3036
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3036 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:836

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      e5825c51a8b8d35a89c28ac37741a586

      SHA1

      035668d8524a8cfcef56775c85fab2e3d4c843dd

      SHA256

      a1d4787323313d3492ca5d3083aea7fcef7ca57143965095ea53ec91b668706a

      SHA512

      cd6e116c477ca9ec224fd142ab7c60ea998b2374f72d12c0130736d9e32251723bc884af401d8cbfaaa29c567d1d3bbc2a2ba1e13a0fca8117d51c18f80399ce

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      4aa09cf9ceffc456934f66036dc9a8e1

      SHA1

      dac46003a32fa19ef03bd50484b5085950a8b666

      SHA256

      7ddea29e9d959d42f386f478f07f78e7c2cbfec035fafcbd018976dfbc375294

      SHA512

      d3cc49c92ea37edf99d540f69b3d6563bac38ca9847a28a5895a346b0b9824a10d375ffe7e790d78aac4315542017ad7459fceeaf99b46531d361567cde3b5eb

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      cf214c10466d8d25c78d706f067ccb9a

      SHA1

      0aad49459c63205854cf448c52ba6a12d1186b70

      SHA256

      f4ef9566d763426ab80ae59e80932a3e0366026a3f0ed1c4dee44aa9168bb37d

      SHA512

      5d16961ffc8bb7da6238d87df3441bf1d530facf3fd90029c1b3a2883e9761adec4bbb921f21f5b00739a79b2fbcee20c7310cec511cd749b3bb51fa7f4970b6

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      6e92627c7f1eaa3691918e332203cc7b

      SHA1

      cc65d4c3931c06a58d0d24bc5d86e67471047bd4

      SHA256

      e2f641bc73db40dcc7f0683e99c432bd84c1b9e3b260ece0009592e93bfcefc6

      SHA512

      2b1c3be17d39ef55684beada31ae0df9e6e8478d6569ef2ea7b16a521424420e20460279d12d244bfbef41992a269a7616420a9799c9788bf7e804fac287940d

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      b9e0ea7d5e8a0aaa3a0268fec9cea3c0

      SHA1

      22bea3d9707864c6c52b11ed4ea83e64fb4ae644

      SHA256

      fbdfeef787f888d78834af433a3fa513be1384d523ac41dbc63332c71b072dc4

      SHA512

      2992255062fb40f8533db1641d5784ef7f11476dbc5b80c499df409a6a409486af2ba20ad6335b1e0bb9fb7cc9443272ecf960a6c2e1679501f3175418a43563

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      03b0e9a4fcf5c288a8dfdc0f1c4397f2

      SHA1

      cfddc1071dc75b58d80c7a29f3e5a4fcade4d9fb

      SHA256

      e94a4ed5fdee554afb998cdcf3d3c4af0406fdaeb2d15d6ccc5f438df021ce82

      SHA512

      fa23c874e4928bffae20009cef86b37917e877d20935a2f7a61deafae9bcd8fd1ac24754e300e12a8bbc984fd1c8f01a9b697b5a701e7f084289beb58815ce57

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      19e9dd94cf79d63312ca7c467ee5e6b1

      SHA1

      bd480accc3096963058094e701e4e55e45f48226

      SHA256

      ae562793feeb58ea36c3aa0c50dd6cea16295c92b0d8a1614ba622b2af6850ac

      SHA512

      4a0d1f042d7b0906457e2fea68a9851cd77dd4689274f8552101e8def41ceb5e0d41bbb527761035fcf0e0282206834899e451af0d91dd543d85090f6d26eb40

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      74d5b75b40921b9cdecb5233849efc79

      SHA1

      55178bf00d9b8503cc46f85e50d63c4bafc20fb7

      SHA256

      382f8af714198eff3ba8b8f109ae6196f2b870526260af9e24f61529225a2ba0

      SHA512

      b95c3b40af2b093fe02d2a8c7f9aee227df3cb4cff1434babae6dd63d688b62240f3ed7de36607570f9b68d8262e978b10a80aa6bb13b46ecb9a9c79725fd4d1

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      51214518aa2a3ba58cf62590d059f85e

      SHA1

      6f307b9e7a9cf2234703439953c6d99ddbe8bc80

      SHA256

      ada4db39ef4af14dfabeff12bdfe7df230c78f14c65f155850151526433496a8

      SHA512

      d6327e321096f9ee153a2b653c20eeb6c5eb90d997811db49c85aa1b15b3d32a07884eef0da5a0869d38af0ca92233bef5d66a3b7da75c40bac6861cdd1e0de1

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\httpErrorPagesScripts[2]

      Filesize

      8KB

      MD5

      3f57b781cb3ef114dd0b665151571b7b

      SHA1

      ce6a63f996df3a1cccb81720e21204b825e0238c

      SHA256

      46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

      SHA512

      8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F91VN88R\NewErrorPageTemplate[1]

      Filesize

      1KB

      MD5

      cdf81e591d9cbfb47a7f97a2bcdb70b9

      SHA1

      8f12010dfaacdecad77b70a3e781c707cf328496

      SHA256

      204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

      SHA512

      977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KIYAG1MM\errorPageStrings[1]

      Filesize

      2KB

      MD5

      e3e4a98353f119b80b323302f26b78fa

      SHA1

      20ee35a370cdd3a8a7d04b506410300fd0a6a864

      SHA256

      9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

      SHA512

      d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPUI9R2R\dnserror[1]

      Filesize

      1KB

      MD5

      73c70b34b5f8f158d38a94b9d7766515

      SHA1

      e9eaa065bd6585a1b176e13615fd7e6ef96230a9

      SHA256

      3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

      SHA512

      927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

    • C:\Users\Admin\AppData\Local\Temp\Cab8067.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\Tar8118.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Users\Admin\AppData\Local\Temp\~DF018BFE14BA12F943.TMP

      Filesize

      16KB

      MD5

      a6a4165c41d620fde62ef7a308fabc51

      SHA1

      4c3ce138b7338d17ef278395cf1e5b652d6c6763

      SHA256

      9b976e4e38d0a77085dea1d2db2d46064d1e41a7acf5cc63afd902b1caf1d98f

      SHA512

      bcdaea8cbae8bf67aba0e0e44c14bfbd8e7ebcc3b1393c223f7e8b57e18f840dd352879187280259b2082ced4323ac1933c6eec6daac60663b9a03426ffc2b85

    • memory/2840-443-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/2840-444-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

    • memory/2840-0-0x0000000000220000-0x0000000000248000-memory.dmp

      Filesize

      160KB

    • memory/2840-8-0x0000000000370000-0x0000000000372000-memory.dmp

      Filesize

      8KB

    • memory/2840-3-0x0000000000280000-0x0000000000297000-memory.dmp

      Filesize

      92KB

    • memory/2840-1-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB