Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

e0a4ba1eea...18.exe

windows7-x64

10

e0a4ba1eea...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14/09/2024, 17:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e0a4ba1eea7abb7bf24426a9ad1d65ad_JaffaCakes118.exe

  • Size

    203KB

  • MD5

    e0a4ba1eea7abb7bf24426a9ad1d65ad

  • SHA1

    33ff2532a37f532ca5c685797638491066d209e1

  • SHA256

    efafd27fb0a585e826263ae077edd88686c7d7d5b8444aa192d61046f0d40033

  • SHA512

    4f5f9c785df84d718e168d73054f2b00701454f8a9a7e28a2bba3a05ce725abae13ed73311f35475d4358d526220f63e9e457bc53ef965b9d2912895be3371c2

  • SSDEEP

    3072:9Rji2dQ6v4uPXDNUj4jKBonzmLXlYVRLh0epEEZqkFBc4+uTqN76o:9Fdp4uPZzGonqXGXh0bluBc4GZ5

Score
10/10
gozi3162bankerdiscoveryisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    215165

Extracted

Family

gozi

Botnet

3162

C2

menehleibe.com

liemuteste.com

thulligend.com
Attributes
  • build

    215165

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e0a4ba1eea7abb7bf24426a9ad1d65ad_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e0a4ba1eea7abb7bf24426a9ad1d65ad_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2472
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2776
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:668677 /prefetch:2
      2⤵
        PID:1316
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:468
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:468 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1604
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1992 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3008
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2732 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:836
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2408
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2408 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2160

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      a64a7404ed33bbe41b206a1bc3860f2f

      SHA1

      ab6577c671c30428fc4fc55eafe7ba366f0a9ed6

      SHA256

      acae0fa4d0cacd03056def68e66e13127c400f7ee1ac692c7ffd20ac63fdc834

      SHA512

      f0d93701937cc8d020c95d079bc4d4e315477eeac7d1225b0a5cc8dedff08b30f90d27c57da608ff1c6ba989a8ebf560703fe7b712363199a85a371f175ebee0

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      81e6c48152a966f0b5cf3f05b08cb465

      SHA1

      0a1480f06b6022c3ba6e8e752e6bda9b287cc0f2

      SHA256

      3d3789cc0b68cf6c3ef26bcd059383dcd369035f121de1eea095ca2cb9711160

      SHA512

      223ebcdeba4387915a7e9a3c67eb538f3011e7906d2ca88b705dcc33b43ed9eeffa76d91b1d54f99e07c3e646c59878722c3bcf42eabf6f7c3186195157cc893

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      75052b04dcf92df1af14f16a982e505d

      SHA1

      68130fb8086a4d581ab94b76bb73263ef64038b1

      SHA256

      acafa98fa5cbe2ff88e68cda5a3aeacfadc5306985ff46ac0f7c9b176c9fc653

      SHA512

      731720fad5fd2297a2ba9666243bc27633c7719f50236f41e0696d551a58ff247871b220dd51717372053734be139f99e805e9ffdc1c59c053bd70672fc8f999

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      198badf694393b8c3efa14305a7d98ef

      SHA1

      874d13ccb8b93706e2ef88ce54f20c8108902909

      SHA256

      89a1ae391a3692526445b0a0e9a00421d89802fe71212389b54538ff0dd90701

      SHA512

      be83a2e5a7aadb667788b923b8aeb27f66b1518ccb196e1683a51e99e0b8d5adfacaaeec669aa3d4794c6e5ff754d9bf8b184fafa1d835b361bea65a3fcd3cd2

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      555512cef5dae3ed48e2c727cecf5696

      SHA1

      2885ed1c9e472b52946c5cc784faaa7b58967193

      SHA256

      f3450bf843a2bae95c8dc457c4decac8b9e3cd60a3147d4598a711c52b20a130

      SHA512

      c3590fea90cf8f6ad2ba3840661fe65eebec94c6c596377a02794b6b4d5e36980bc487d7b1cb42553a917c8ec347891c31da1d18c6e32bce88aff39921d43372

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      df88d0735088651013a6fe5c52144bf9

      SHA1

      fd521b58b54b532abd9862b3610efbbf3f0b5a11

      SHA256

      2d7ce741d087e2d5424ff101b4e4673fe8793ec187a74326d4ff2b3c623d5b78

      SHA512

      d397415689095a1d489d6dd7e307cd3e01759d18e5210142cc8b71a4d152807a57bf3b1c795f575ed68aed3de39f713dd509ca914c8e84db1697c78a84572fa6

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      b660eaf35c4fc1b703bef73987502feb

      SHA1

      0a34f9fd1f4d5d78d9a576c0325db846422a8fd1

      SHA256

      aa4a4370ea8511d09c7d6f284d20ac9f7fa5ac32aeeca36e1855740d8047803c

      SHA512

      d81a306f683fd06fa51bb30ee49537ada5df22cecc3158bb6fef99093c1c3aae36f006491deb4f1e96af9c905a9107b6dfa6601fe9b78fc6ceda54a762ab49d0

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      fa624a8cdaaf74b8a9352a89a8989b63

      SHA1

      ac5c9e7a40adb5823220c67f59df348953ccd1cd

      SHA256

      50e2c77f0a118d8c19417ba913a71b8c11cfe79d5245e7a5e0233f6ab2f9d0c1

      SHA512

      f1c7fbfc261385a0529b8bc6054c034641fd6ef4be29e5ed6f9eae13e76f10f73955a870d795f5117b7bff322f5fc74dd3a54d70d3b9d87e82b93bec7b9691ad

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      10d51eb2270ab08612c2d2255e9c58c7

      SHA1

      6700e11894c69c0b9527496db2d2ab4577838208

      SHA256

      7242994ad2a687b08af9c8485ff66bad8c41f23f9a5ec3adbfe3949ed8e57f35

      SHA512

      9e6d0eb989202b1db124482e8cc1383045083de1ea2f21c3b166e9a936b536a617341f2ac2533dfa9caddeb1d25fc01f889f6a409854b1239b7c3f843b78e010

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab47EC.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar489A.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DF5276BE9AB7104028.TMP
      Filesize

      16KB

      MD5

      01e14347ce86ebbac2d2145607496166

      SHA1

      e7b58ffa75c225c63c733cbc8548e7768ca84bbb

      SHA256

      180243e72977f10a4ec4f80a7b0cbc10c9dc38f4271bc5102cce880cd06e2839

      SHA512

      fab24fd6b47f6160f1b71d385947941c7733cd6f90e42537554a5dc716b4ddfc12cfbd3c65d3385871cb877b4e0e0ebf628f48e4e5d0adf05287fbbd5e9dad31

      Download Submit

    • memory/2472-0-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-9-0x0000000000360000-0x0000000000362000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2472-8-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-4-0x0000000000270000-0x000000000028B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2472-3-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-1-0x0000000000435000-0x000000000043A000-memory.dmp

      Filesize

      20KB

      Download

    • memory/2472-2-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download