Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

e0a4ba1eea...18.exe

windows7-x64

10

e0a4ba1eea...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/09/2024, 17:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e0a4ba1eea7abb7bf24426a9ad1d65ad_JaffaCakes118.exe

  • Size

    203KB

  • MD5

    e0a4ba1eea7abb7bf24426a9ad1d65ad

  • SHA1

    33ff2532a37f532ca5c685797638491066d209e1

  • SHA256

    efafd27fb0a585e826263ae077edd88686c7d7d5b8444aa192d61046f0d40033

  • SHA512

    4f5f9c785df84d718e168d73054f2b00701454f8a9a7e28a2bba3a05ce725abae13ed73311f35475d4358d526220f63e9e457bc53ef965b9d2912895be3371c2

  • SSDEEP

    3072:9Rji2dQ6v4uPXDNUj4jKBonzmLXlYVRLh0epEEZqkFBc4+uTqN76o:9Fdp4uPZzGonqXGXh0bluBc4GZ5

Score
10/10
gozi3162bankerdiscoveryisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    215165

Extracted

Family

gozi

Botnet

3162

C2

menehleibe.com

liemuteste.com

thulligend.com
Attributes
  • build

    215165

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e0a4ba1eea7abb7bf24426a9ad1d65ad_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e0a4ba1eea7abb7bf24426a9ad1d65ad_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1592
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4380,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4188 /prefetch:8
    1⤵
      PID:1344
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      PID:2332
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:668
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:668 CREDAT:17410 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4904
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3196
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3196 CREDAT:17410 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4952
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2500 CREDAT:17410 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4144
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2656
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2656 CREDAT:17410 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:656
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1920 CREDAT:17410 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2328

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0KP8BKDN\dnserror[1]
      Filesize

      2KB

      MD5

      2dc61eb461da1436f5d22bce51425660

      SHA1

      e1b79bcab0f073868079d807faec669596dc46c1

      SHA256

      acdeb4966289b6ce46ecc879531f85e9c6f94b718aab521d38e2e00f7f7f7993

      SHA512

      a88becb4fbddc5afc55e4dc0135af714a3eec4a63810ae5a989f2cecb824a686165d3cedb8cbd8f35c7e5b9f4136c29dea32736aabb451fe8088b978b493ac6d

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BKKBWXOR\NewErrorPageTemplate[1]
      Filesize

      1KB

      MD5

      dfeabde84792228093a5a270352395b6

      SHA1

      e41258c9576721025926326f76063c2305586f76

      SHA256

      77b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075

      SHA512

      e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NCPU4OJ5\httpErrorPagesScripts[1]
      Filesize

      11KB

      MD5

      9234071287e637f85d721463c488704c

      SHA1

      cca09b1e0fba38ba29d3972ed8dcecefdef8c152

      SHA256

      65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649

      SHA512

      87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XHVIU6BA\down[1]
      Filesize

      748B

      MD5

      c4f558c4c8b56858f15c09037cd6625a

      SHA1

      ee497cc061d6a7a59bb66defea65f9a8145ba240

      SHA256

      39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

      SHA512

      d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XHVIU6BA\errorPageStrings[1]
      Filesize

      4KB

      MD5

      d65ec06f21c379c87040b83cc1abac6b

      SHA1

      208d0a0bb775661758394be7e4afb18357e46c8b

      SHA256

      a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

      SHA512

      8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DFA4133E8734B9CF03.TMP
      Filesize

      16KB

      MD5

      3973293afe7b8f6ae843f6504acec788

      SHA1

      ddb11a0d8f5b922f12e0a85d2340ed12cd70f9ab

      SHA256

      1087281e1571a21c0b49bd690cbfe229d856cc01b3aa452b1a156fec394086e9

      SHA512

      a02ba475acad1b56957229a6bed293175bf613a0e892cd322c880245606e28014fdb0022445c6d1efc3a567a64f75d8f7fbbc40d5c8df7fc5ccec0ba40905339

      Download Submit

    • memory/1592-0-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1592-1-0x0000000000435000-0x000000000043A000-memory.dmp

      Filesize

      20KB

      Download

    • memory/1592-2-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1592-3-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1592-4-0x0000000000940000-0x000000000095B000-memory.dmp

      Filesize

      108KB

      Download