Analysis

  • max time kernel
    141s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/09/2024, 15:39

General

  • Target

    de71e96ad63304db9ec903aba4640ebb_JaffaCakes118.exe

  • Size

    376KB

  • MD5

    de71e96ad63304db9ec903aba4640ebb

  • SHA1

    6820958ac5ee14d2acc8f0324dc833528e87f48a

  • SHA256

    619ae20022518debfed97201f34a22cc13631a25e6526e8c76a5a24798afe9a7

  • SHA512

    2bd93028bb2ab1a018bc1edcda239581abdeebf374f836fc37ac5277ab480107ec3ef4f6f1e0ca5b9cb5b35d5437807476176145031241da465c1ccd2d8e4028

  • SSDEEP

    3072:hkyrSmefi8xQRv00gDg4JYUrQrY17hJHe0KuVuPi6d+YShwaqz+UQc/uGkn3dK:hkal2i8WjgD+Y9hhFxTyUOaMkN

Malware Config

Extracted

Family

gozi

Botnet

3195

C2

nsyblefgg.city

m25lni11528.com

dgrover.band

Attributes
  • build

    214062

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de71e96ad63304db9ec903aba4640ebb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\de71e96ad63304db9ec903aba4640ebb_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1672
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2504 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2996
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2504 CREDAT:209934 /prefetch:2
      2⤵
      PID:1096
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2076
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2488
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:896
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:896 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1576
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:592
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:592 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2624

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      46b8299e8eeee21c3ed6b9350c024421

      SHA1

      f26c0c8d55ed965d8086a935922f0ad8cfa7c048

      SHA256

      53bb80340c68b855717f9bc26edc62d60625d0e0a08d2ab8a5e5c33fc36b073f

      SHA512

      7031ee027b5b85c10b904d7846c75d3a7a8a9b4b55541cb3fb6cbccad8e6bc31debf96cdb60e3f1e278728c0af427cb8047496c5835559c0913e09ddb979ede7

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      869abacd977e609bef4a9cc1d75a6188

      SHA1

      d924c20bab197139c2ea15f884e45490825f80ac

      SHA256

      32c7789bab0cbfb26a60bb98ef740231b448a1f0e11c06b60aee90a5b6eea673

      SHA512

      74f955d625f5a32c8ad303a4f0ab6993c56d36d17dcab0bccfb32f2e913f728f103bdc4b1a02e24206d828d7746644febf5494956c5eb21c8905202540cb880c

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      e48b64f80e36ca4257f6480a15400bcd

      SHA1

      ae4b25791ebb1c12b5b8a0dbc337688aeb7db7da

      SHA256

      bb4cfb72ab24ce9d6cfa70c832d050bba0bd2e041c9a6e8824a42689401b3635

      SHA512

      636dce40191f2be9d3385e45e325f3a3f911d78e43af273ebb21d91c4f78d5d7370fda75342f6a1588ed4f84e3c0afaa44a5e4cf9414556a28aa6f146ecd611b

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      5fe2602d0ce5cd8220173a0b1ab9de07

      SHA1

      cf395e5a4be80413e8c3cc2df035778cdc34f14c

      SHA256

      f2583f79a0b8116dfbfe52372c3d1be73ef21d0f1530fb34c59687f6137e885a

      SHA512

      4034ba0f48c8f2237cc9fddf1e46875ff0750c1f191eced79ddb90f085f623ae4fb4c0078257b9f885a5a9d86c82476531e44991f1917894fc215242c5387a67

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      027d6161c0fb7285b4b87875c65d39ec

      SHA1

      8fcb0411a49ce277250ebd684b4e35052e5c8f11

      SHA256

      4c81a345d1ab7ce1ea415135201fe8d8e08f7af080db03ffd94079e293c535dc

      SHA512

      78d07ef4647069b542f0aec7f3e3fc082f8c6266395c6071ec080e9a4bd06281fa12ff0fb7d33ffbf2fee840f38cebbb33214dbf64d6648027639e046ca3b72e

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      d706d5bc0aacaa3a63a8f12a76e76491

      SHA1

      c7d835e1c06bf322d5c20f5b3c8b3e72e04b0575

      SHA256

      9fb88a53a58feaed01feff7f1d0e6c2945834c5e29e31481b66116243441db41

      SHA512

      f087b1e8e2481d95e8c23ede92cb510f4d4716a17a5199df66ac60d6d573dc5700ff0cb7ad77b5f61f2c0dc290477d238f7e4484619dcd62d79b38d142a4868e

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      aec53a69fdc8971569da8ec84d98343d

      SHA1

      ad2a4bdd98addc04df96cb225e3f982a384c51af

      SHA256

      3bae84041577875cb5315ee9ed68b15c0fc9041533321aeccbf7599e0772e005

      SHA512

      174b58cec8e6dfe5c4f0898b58f8bd74ac21b99e8426c5161137c27b40dbed41ce0d3b0b0c5863d0cebfc4f11ec7c3e46bd0953674412c4a9f85d6f2c3c66435

    • C:\Users\Admin\AppData\Local\Temp\Cab6F5.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\TarBBA.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Users\Admin\AppData\Local\Temp\~DF3FC73EA7DBFF0AA3.TMP

      Filesize

      16KB

      MD5

      8ad8d920f13bf7b6408b1dc99b057764

      SHA1

      38c773278214dc01138d542260fe213a375bd755

      SHA256

      402b72a7198077d28c5615371ba96848e4318a116b722b788e4278958e5b4b42

      SHA512

      82ad7e22dd11fc2cf2a1ea3c473e0d681e3ad365b82e014d4fd6459e72dd69f7d36c74ef558ef2bc2b4864a1fc28e95321863f14da203181d8d5c463e4828fcd

    • memory/1672-0-0x00000000000F0000-0x00000000000F1000-memory.dmp

      Filesize

      4KB

    • memory/1672-7-0x0000000000170000-0x0000000000172000-memory.dmp

      Filesize

      8KB

    • memory/1672-6-0x00000000000F0000-0x00000000000F1000-memory.dmp

      Filesize

      4KB

    • memory/1672-2-0x0000000000120000-0x000000000013B000-memory.dmp

      Filesize

      108KB

    • memory/1672-1-0x0000000000D40000-0x0000000000DAF000-memory.dmp

      Filesize

      444KB