Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/09/2024, 09:59

General

  • Target

    e2381bb591d8104e5639c61751d5682d_JaffaCakes118.exe

  • Size

    376KB

  • MD5

    e2381bb591d8104e5639c61751d5682d

  • SHA1

    16d062a84a29e9510cb69c83e536b21441cc878c

  • SHA256

    dc1f57e5ef69133536585dcdb45f2992281288e8bce7980d27af774b6f3eef98

  • SHA512

    fc66fb58b00dfea88aa4b128c5f0ed84320e8c8584ed644f66756ede2dbd953a812d73c441a31e19ebc3b5ec3ce848dff7afc2c6f44e92fa98102be61b862802

  • SSDEEP

    6144:tFqTpMmb37r+TiZNAqMRQzRZZxKxMFihFAzixQuLNMEC:t0NDmoNAF0RZZxKGIFAzixQuLN

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214062

Extracted

Family

gozi

Botnet

3193

C2

fy76qn.email

dst1894.com

w40shailie.city

Attributes
  • build

    214062

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2381bb591d8104e5639c61751d5682d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e2381bb591d8104e5639c61751d5682d_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2172
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2320
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1052
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1052 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2888
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3464
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3464 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3044
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3024 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1972
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3872
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3872 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2152
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1880
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1880 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2976

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\02PT5J1W\NewErrorPageTemplate[1]

    Filesize

    1KB

    MD5

    dfeabde84792228093a5a270352395b6

    SHA1

    e41258c9576721025926326f76063c2305586f76

    SHA256

    77b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075

    SHA512

    e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\02PT5J1W\dnserror[1]

    Filesize

    2KB

    MD5

    2dc61eb461da1436f5d22bce51425660

    SHA1

    e1b79bcab0f073868079d807faec669596dc46c1

    SHA256

    acdeb4966289b6ce46ecc879531f85e9c6f94b718aab521d38e2e00f7f7f7993

    SHA512

    a88becb4fbddc5afc55e4dc0135af714a3eec4a63810ae5a989f2cecb824a686165d3cedb8cbd8f35c7e5b9f4136c29dea32736aabb451fe8088b978b493ac6d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3GJVVK7B\httpErrorPagesScripts[1]

    Filesize

    11KB

    MD5

    9234071287e637f85d721463c488704c

    SHA1

    cca09b1e0fba38ba29d3972ed8dcecefdef8c152

    SHA256

    65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649

    SHA512

    87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OD2FK6XO\down[1]

    Filesize

    748B

    MD5

    c4f558c4c8b56858f15c09037cd6625a

    SHA1

    ee497cc061d6a7a59bb66defea65f9a8145ba240

    SHA256

    39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

    SHA512

    d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OD2FK6XO\errorPageStrings[1]

    Filesize

    4KB

    MD5

    d65ec06f21c379c87040b83cc1abac6b

    SHA1

    208d0a0bb775661758394be7e4afb18357e46c8b

    SHA256

    a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

    SHA512

    8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

  • C:\Users\Admin\AppData\Local\Temp\~DF5D7F514556AFE6D3.TMP

    Filesize

    16KB

    MD5

    51b770dfc752e8b803e93fe39b9bc248

    SHA1

    bab2acf0abc54d098dca1884192727b1cb539737

    SHA256

    c1384a4f84581062785e70e5427636dd5e2753a15e3ee2fad304c6b1be765be5

    SHA512

    736adcf94c4d46e9e6a982b5429d6127436f8826e0f9df0cf437fc940ed4174242d776cc50f6f319c89125f3d25435f0603567ce3ca42fe50e26e4417bcc6974

  • memory/2172-0-0x00000000010D0000-0x00000000010D1000-memory.dmp

    Filesize

    4KB

  • memory/2172-1-0x0000000000A90000-0x0000000000AF7000-memory.dmp

    Filesize

    412KB

  • memory/2172-2-0x0000000001100000-0x000000000111B000-memory.dmp

    Filesize

    108KB

  • memory/2172-6-0x00000000010D0000-0x00000000010D1000-memory.dmp

    Filesize

    4KB