Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/09/2024, 16:40

General

  • Target

    de7f4951dd06b0ab46c88eed0be19d13_JaffaCakes118.exe

  • Size

    3.4MB

  • MD5

    de7f4951dd06b0ab46c88eed0be19d13

  • SHA1

    512e16dc9ec2deb77fabeff3c3c027884ea7fdc4

  • SHA256

    f65732cc2d7bb3c7313ad5c0d990ca5f8353739b5c7ec27e41f96c40ec2aff67

  • SHA512

    2722f6b9ea04137a38c4287460b007ba9114931deb8a3a6af9c5230e3a6d550a295760878bcdbfe1ffdf07fa47c6276e21ff4f899881c773c149795af2101502

  • SSDEEP

    49152:C89nwonUXJK2qmngTTHQVOwkBc9ODyxN50bj2qYYTWttR:r9SWDPwO8PR

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214096

Extracted

Family

gozi

Botnet

3478

C2

google.com

gmail.com

waouqk51iu.com

jsztkeagan.club

jkeshaunjakob.club

Attributes
  • build

    214096

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings (1 TTP, 64 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SetWindowsHookEx (16 IoCs)
  • Suspicious use of WriteProcessMemory (20 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\de7f4951dd06b0ab46c88eed0be19d13_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\de7f4951dd06b0ab46c88eed0be19d13_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1480
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2612
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2692
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:406543 /prefetch:2
      2⤵
        PID:2560
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2572 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2540
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1784
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1784 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2308
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1592
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1592 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2344

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      831c5464436b92b8e645c37a02b8d230

      SHA1

      d2962bc9f4ca3f71613cdd289583abc38e5a920f

      SHA256

      66137d33459ee1469be05f747c1d4cbad1d368ef988616a3d0f069060d767c07

      SHA512

      40495e6be9d682724c4d80d70d8a68026df6293aeb426d049e646cedc297223e17692b67bc251f75b5b95f165c6aa70e9e87fc85aa3bfa06a22f4f0e7744571e

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      ac10296c213701fcf26d5b405b654452

      SHA1

      6e9362a8924da6a1f91495b2f631f3873cf0e8cb

      SHA256

      079a8cfbf4dda421efeaf5dc977f2860941919a76fd8d4cc18a687b82719f7b9

      SHA512

      4e55aaf15114a94be2a38dadd6ccfcc951b6578cce052c44d1fd129f9786e50f8c8b6bc4676baa366cf2aaf6fafa754450aff98cbccfc5faa48db820571bc62c

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      94d4e0232aabd40f50072477143d7190

      SHA1

      ae8183244c9cb7203feb432847923df7d3f4b1f3

      SHA256

      dcf696125cdc20377f17d2e13e163f5a946749b750437871d6b054da29a89ddc

      SHA512

      bc0d7d7f6d61f87526a043a4e0ba8dd0f7cf7f60fcf959f1ba5634aa92b53c488a2299dadcfb2658314469d6c9fafc758017efdc5ccfffafebbca0ebac0a128c

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      b6b4a59aadf39bea1978e656d4f0c5fc

      SHA1

      db0c3f163eb47fdad780c8b0e5a6787eb5ac0cfa

      SHA256

      3b5b1db9254643edecd129b60b172661bddc6fa0dba1489427a08ad60523bc8f

      SHA512

      ea13b8967063a2f35dd2c0f0e791e15be3ddcf674ba31459db6b600056b02e3fd8032d984cca951a2eab31f4ae1fe47394072a261cd3a8b248bae2cec35b0f39

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      c65fd658e7d249b2118235d179b50d79

      SHA1

      f80e9c5fc394d8f01b7f0b34f11c22840906d561

      SHA256

      5036d79901accc08f51406a1c32d6576ea49e219aa1764cfb084e631bb90d745

      SHA512

      0a2ce63640d5715c59d13e5ba24e43bf7c7f966da3282a6130361689c5414dd945107d2fd5f97f8fde3d00c6d9ef7045127bf77239f36d1757aed311c4828b3e

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      77b9d1d8e83f3de3eff0ef772c1a467a

      SHA1

      53cb4a4c45b52e3c0d8806cf4b5e6751966a7aec

      SHA256

      f6a8f0bc322ac9c20f17e9a2f484ee8ed929592b1796e4373d9f0a5eb6f6e614

      SHA512

      99af90d64dfcc84c8ae80bb3d055d794f9fcb9a29456d9b59fd650b40394774ad05d59324e053071db44231e8e4b23fc5ae675c43c404a7b59026e185d39b1eb

    • C:\Users\Admin\AppData\Local\Temp\CabA2D7.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\TarA376.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Users\Admin\AppData\Local\Temp\~DF3C17FC9E1BA4148C.TMP

      Filesize

      16KB

      MD5

      71a31e236e47afb9565ebac0b3e9b92a

      SHA1

      4a14525124083dab84b4d64cc678a4772b509c9d

      SHA256

      b699a98137252d48af1865d35e06355fd52b1ab7a20979aac466979f7814f520

      SHA512

      e73683da1753e98e6626c6811ea1fc71de2c871e8893b0cc0aa42b51d405177f541e54c4b6cf258ebbd5ee96b35e859f43a7b3d43ea30232d70971c21bd99602

    • memory/1480-2-0x0000000000779000-0x000000000077E000-memory.dmp

      Filesize

      20KB

    • memory/1480-11-0x0000000000350000-0x0000000000352000-memory.dmp

      Filesize

      8KB

    • memory/1480-4-0x0000000000250000-0x000000000025F000-memory.dmp

      Filesize

      60KB

    • memory/1480-3-0x0000000000400000-0x000000000086A000-memory.dmp

      Filesize

      4.4MB

    • memory/1480-0-0x0000000000400000-0x000000000086A000-memory.dmp

      Filesize

      4.4MB

    • memory/1480-1-0x0000000000400000-0x000000000086A000-memory.dmp

      Filesize

      4.4MB
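The following analyst helper is an added example and is not part of the tria.ge report. It takes the report's own Processes, C2 and memory-dump values (re-typed inline as constructed input) and does three things a practitioner usually wants from a Gozi report: rebuilds the Internet Explorer frame/content relationships from the SCODEF token, separates decoy entries from the blockable C2 list, and re-derives the memory-region sizes from the dump names. Two assumptions are mine and not stated on the page: that Protected-Mode IE passes the frame process PID as SCODEF:<pid>, and that google.com and gmail.com in the C2 list are connectivity-check/decoy entries that must not be blocked. All function names (ie_links, com_activated, split_c2, region_size, human_size) are hypothetical.

```python
"""Analyst helper for a tria.ge Gozi report (added example, not part of the
report).  Rebuilds IE frame/content links from SCODEF, splits decoy domains
out of the extracted C2 list, and re-derives memory-region sizes from dump
names.  All input below is constructed from the report's own values."""
import re

# Constructed from the report's Processes section: (pid, command line).
PROCESSES = [
    (1480, r'"C:\Users\Admin\AppData\Local\Temp\de7f4951dd06b0ab46c88eed0be19d13_JaffaCakes118.exe"'),
    (2612, r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding'),
    (2692, r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:275457 /prefetch:2'),
    (2560, r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:406543 /prefetch:2'),
    (2572, r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding'),
    (2540, r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2572 CREDAT:275457 /prefetch:2'),
    (1784, r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding'),
    (2308, r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1784 CREDAT:275457 /prefetch:2'),
    (1592, r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding'),
    (2344, r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1592 CREDAT:275457 /prefetch:2'),
]

# Constructed from the report's extracted config (second Gozi block).
CONFIG = {
    "family": "gozi",
    "botnet": "3478",
    "c2": ["google.com", "gmail.com", "waouqk51iu.com", "jsztkeagan.club", "jkeshaunjakob.club"],
    "dga_base_url": "constitution.org/usdeclar.txt",
    "dga_tlds": ["com", "ru", "org"],
}

# Constructed from the report's memory dump names.
MEMORY_DUMPS = [
    "memory/1480-2-0x0000000000779000-0x000000000077E000-memory.dmp",
    "memory/1480-11-0x0000000000350000-0x0000000000352000-memory.dmp",
    "memory/1480-3-0x0000000000400000-0x000000000086A000-memory.dmp",
]

# Assumption (mine, not the report's): legitimate high-traffic domains in a
# Gozi C2 list are connectivity checks / decoys and must not go on a blocklist.
DECOY_DOMAINS = {"google.com", "gmail.com"}

SCODEF_RE = re.compile(r"\bSCODEF:(\d+)\b")
MEMDUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def ie_links(processes):
    """Return {content_pid: frame_pid} for Protected-Mode IE content processes.

    Assumption: IE starts each content process with SCODEF:<frame pid>, so the
    token recovers the frame/content relationship even though the sandbox lists
    the frame processes at top level.  A SCODEF that names a PID absent from the
    report maps to None (an orphan worth a second look)."""
    known = {pid for pid, _ in processes}
    links = {}
    for pid, cmdline in processes:
        m = SCODEF_RE.search(cmdline)
        if m:
            frame = int(m.group(1))
            links[pid] = frame if frame in known else None
    return links


def com_activated(processes):
    """PIDs started through COM/DCOM activation (-Embedding), i.e. surfaced as
    top-level processes rather than as direct children of the sample."""
    return [pid for pid, cmdline in processes if "-Embedding" in cmdline.split()]


def split_c2(c2, decoys=DECOY_DOMAINS):
    """Split a Gozi C2 list into (blockable, decoy), preserving order."""
    blockable = [d for d in c2 if d not in decoys]
    decoy = [d for d in c2 if d in decoys]
    return blockable, decoy


def region_size(dump_name):
    """Bytes covered by a 'memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp' name."""
    m = MEMDUMP_RE.match(dump_name)
    if not m:
        raise ValueError(f"unrecognised dump name: {dump_name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"end <= start in {dump_name}")
    return end - start


def human_size(nbytes):
    """Format like the report: whole KB below 1 MiB, one-decimal MB above."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


if __name__ == "__main__":
    for child, frame in ie_links(PROCESSES).items():
        print(f"IE content {child} -> frame {frame}")
    blockable, decoy = split_c2(CONFIG["c2"])
    print("block:", blockable, "| decoy (do not block):", decoy)
    for name in MEMORY_DUMPS:
        print(name, human_size(region_size(name)))
```

Note that the 0x400000-0x86A000 region (4.4MB) is larger than the 3.4MB file on disk, which is what you would expect from an image whose sections are unpacked or expanded in memory; the three dumps of that range at indices 0, 1 and 3 are snapshots of the same mapping, not three separate regions.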