Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/09/2024, 06:13

General

  • Target

    dfa227555e67863a65cfe03a588ee23b_JaffaCakes118.exe

  • Size

    203KB

  • MD5

    dfa227555e67863a65cfe03a588ee23b

  • SHA1

    2ebcc7a0d7a421ee212fbe1407f3865791d7ebda

  • SHA256

    e4f19d47d850151c4026a85fc71ea4f1a211d0e07a9ee1984723837c99dd8d34

  • SHA512

    a9993d42b8206f631f575abfd7243de1bbc62be5986d88c09047102aaeedb1422cff4ffec9478b7a999f1b1ae50eac620e54e6fb820047574a225b3f6b537b01

  • SSDEEP

    3072:9Sji2dQ6v4uPXDNUj4jKBonzmLXlYVRLh0epEEZqkFBc4+uTqN76o:9cdp4uPZzGonqXGXh0bluBc4GZ5

Malware Config

Extracted

Family

gozi

Attributes
  • build

    215165

Extracted

Family

gozi

Botnet

3162

C2

menehleibe.com

liemuteste.com

thulligend.com

Attributes
  • build

    215165

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

  • rsa_pubkey.plain

  • serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dfa227555e67863a65cfe03a588ee23b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dfa227555e67863a65cfe03a588ee23b_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1312
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2448 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3036
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2448 CREDAT:537609 /prefetch:2
      2⤵
      PID:2232
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1232
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1232 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2808
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1692 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2176
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2684 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2444
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2880
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2880 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2968

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      e87a71f25d87e061f34c31c7dcde1b08

      SHA1

      a9ca94fa69ee4814024df1b8ecd431be44da7f1a

      SHA256

      58c8fbd5c18074ffdd6934b069ea27f5cc2916fbfd756d3dcc3f04144b5288a8

      SHA512

      ae8b20c2de91f1d6ead9ff6cd02bc2286d3896961320a27d11ef39b718098c9c14d5448426363ef634d5e94f1f139202c47559172451fedcb0a2d182ddc80978

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      ea8ac69949d5ed123f6bcb7b31f61d1e

      SHA1

      5b414a8dd385f3cc75b71f8f4fefa221316775f3

      SHA256

      218d7f0aa429f302c8b4309af5c55b9b7f090d9209c5b5caae2d8d860948eaa1

      SHA512

      bb8b51c67fb70f2ddc63a7ae86da9a137084dd84418674caa241a0c287d1a946568b1428aa458dabba3fd7751b70a80ac567b16b5a90e5161f25c7cd307f6a84

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      f3245e56783d037551d893b857cd6813

      SHA1

      c48f7cabbaae8a64ea0b7beb55511d1b3a36525e

      SHA256

      affa45d368eb68531ad7d1cf0f9b8deab4f667a5f392146861eeaff5ace3c1f5

      SHA512

      1419b9891aef225acee5a56b9efa0466f72442d65942bf1361ed7b3694e27af2b3d2a1f56e2db3956f256ec822e3271b8354414ad291bdbb36e293b9d2e1d76e

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      8bec4c3a80044d527483234af6eb56eb

      SHA1

      3c2c9364ebbc708c7e47260f50455f7e30cb6322

      SHA256

      b038f80bf52b142ad0c95df872375da30e3702d2619c5fb34d9b193efe570a8b

      SHA512

      5900f8a41fdd36b7e792dff17ac4292043c044f6d71a1b4f75ff554308a8d118c9026c018c76146321fa18c0ccb2e95510fa1ad1f90672698986615cdf0d5139

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      4f38ea3e96dc260c3dbacafa8eaae7af

      SHA1

      a9da27794fa72bd8edfd4a1f46023c98bce56b68

      SHA256

      875d6d134464164783be22d5a817fd1b76082dce18b8878cba690cb83ae6f1f7

      SHA512

      0de731c8a5de726ea0f9322b0974c9804f42a9f79b7dd0a1d99f35aae7843796a5d388f82467a05e7e6897cf273df26af9019d53195a35dc82c58b2dcbb501a3

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      4408a630c6b47bdd0967b68599220891

      SHA1

      ea9636bee7e32f7dc33e59c516fa06219c3e0f4f

      SHA256

      4b8e97fca22b3870e8e7a6da9a7d75e0172561831ea17c35d62545e1bb56f041

      SHA512

      1d9fed1379d97c94f8c7b28d2b0dfb3fe8c42f94fd3bb94db3f80fc9dea7b5a04a38d8a3c8a9e0faf9a14a160dd6f95bf56be05ddcd9fa18e99164ca79b81e6f

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      bea0cb6199d80faaf93da093484ba598

      SHA1

      6a8dee732a1862f3dda82062892e1eaa425f0744

      SHA256

      331c6990e02a69e8cae5bc33c177b9a1c0d817229b2d64dc5d3a9043604e8c86

      SHA512

      135f9afe282e4c6fa36b01afa0e5686c1a9dcf296540195da36af51a25305eeefbcd1f2e87988e5060482e4bb737cc3739aa13b20b35de778e001d6671326f5f

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      c2432f2f67b855234e5700300d34ef90

      SHA1

      c7ecce232bb362846ba45fee542271d069e2dc11

      SHA256

      5ce6cc85b5a265573943405350956a918ab473917c7ffb0bb22e394fa8eddbba

      SHA512

      a96af9f9733fa9fceb44514584e3b9fa8706aed606c6495bb92f7a7d6542b8c852fdea9f5df65fa79dd6b3527559879d6bed9e3d0923bf0868d1d29a030fef0d

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      e570eb9674a1b64a88b4db0da9e622da

      SHA1

      5cc60581ca7f836f4f945371aff1a69f33ad9f2f

      SHA256

      10486b8a215cfb38041f1a0d1c36afc38e00235a71edc4afa15d9fc538bb5ac1

      SHA512

      f640eb445ed2650f1a380d6a2445609cda338667631bbe31ca0d6c13cba1801807c94646eedbfa1e51f94f462efee3e098f3df873284810539b851305fb50146

    • C:\Users\Admin\AppData\Local\Temp\Cab515E.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\Tar520C.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Users\Admin\AppData\Local\Temp\~DF2BC5E5C73D3426BB.TMP

      Filesize

      16KB

      MD5

      638fb2194cf6676930700f99d7af1ce7

      SHA1

      cd8a6ec6428ec85b737891736ffd1d37c7121091

      SHA256

      7e68dfbd03ffffd7707b4b80c944ca015fd3c0640721079c71a2a05ff98ce203

      SHA512

      7e82e53bddbdb5554285f58b10e760b748afc13f4516555641a80b21e0340b64897a921e9e331d6a2fd2b78f076d304fb5977b689276c175bef2f908052f4bf9

    • memory/1312-0-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/1312-8-0x00000000002E0000-0x00000000002E2000-memory.dmp

      Filesize

      8KB

    • memory/1312-4-0x0000000000270000-0x000000000028B000-memory.dmp

      Filesize

      108KB

    • memory/1312-3-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/1312-1-0x0000000000435000-0x000000000043A000-memory.dmp

      Filesize

      20KB

    • memory/1312-2-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB