Overview

overview

10

Static

static

3

ea9b242774...18.exe

windows7-x64

10

ea9b242774...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19/09/2024, 04:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ea9b242774d24e235cdcb7e54beafe7c_JaffaCakes118.exe

  • Size

    387KB

  • MD5

    ea9b242774d24e235cdcb7e54beafe7c

  • SHA1

    64e0a1e798d519526e79493dc0ecf89121d23959

  • SHA256

    ba0d5d5eda8b9a940785414689be0e71742feb00d61d50ad6925bdf60a17cb7c

  • SHA512

    173cca8643c45266ade49c4274517ef31bc14c9db9c39811e2d9a0a9baf89f9159ca5bfcc07aa6d08db294025e225eef212f8ffe8c7e1753fe3d699a83b24f62

  • SSDEEP

    6144:WZ5Zbi6/yYfF+pP3bNcQrKEgp0zU1RQ47OWfvabZOsk5:63iePiPLNcQrzicCv6+vabZOsk5

Score
10/10
gozi4778bankerdiscoveryisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    217170

Extracted

Family

gozi

Botnet

4778

C2

https://okkolitalia.icu

http://194.76.225.64
Attributes
  • build

    217170

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea9b242774d24e235cdcb7e54beafe7c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ea9b242774d24e235cdcb7e54beafe7c_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2948
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1740 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2172
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1740 CREDAT:4142093 /prefetch:2
      2⤵
        PID:1148
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1116
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1116 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1868
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:900
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:900 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2988
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2096
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2096 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2300

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      fb15deaa3522f6e9ca3004568edc373f

      SHA1

      f6f19245b989c0d05e882ae4819b23cbff07b548

      SHA256

      e91d0c9eb1770366e8ca561e6b4593b2219be3d64090456262d71f8aaf8f8d16

      SHA512

      ce50fcc7ad06c634ee7a1d8661854aee40440bf5b28910b8af934f01163d3d2c984a41249b53fe3158bb2cce780da314448e08972ccfd5d8d81b761ac3bb9ad1

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      2eb1b0ebdb835d7f696e5e613e0c634a

      SHA1

      35edc4ad7852d52b1aba2a43322f03a3a08172a9

      SHA256

      232aac3911edddd7108ac28214c04926eede1e52723b0981c52dda66b68cb347

      SHA512

      5d821c6a5c76bbaa9c5eef192d3aee3a97341023da962903e8e4002e5d58fe4d6566d5c65413c18bf4ee65f64e062af46eef25a40dd1fe14d6ce9e2521e71144

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      bdb1304ee5749552b8c8f289735ee590

      SHA1

      a1074e74eb17cabb243668919f0150b3cdab50f4

      SHA256

      501da51e9aaed142abad8221a0439bc0d70ec3b08edf61396a3652e25e7e11b2

      SHA512

      80beba81fcc1540429b3722dcb4198fc1872a1e7eda87a5d08bb0aad713d4d52f8879b6ee389f8087aefc220b71f7260c4ce4bf5c0db6c8401fffc3fe167c2cc

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      ac6e08cd355b8231ad2a39c7ee1c7438

      SHA1

      3b351ae41ed7fd0b0053b46fdbef8a8127952bc4

      SHA256

      613ffb1ef717ea4ac979240d51c9dbc2f5c56ebaab45510c38d49b8eed1e671e

      SHA512

      d3adb64e45a18b4f54f955b97ab663756afc83cfcf5a9d1ebca030837d5091e30acfd40907aef9f7fe8a10376383688a509e57eddac55d821d9e96864aa06527

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      88e0cdc1f81d769f229b502f237a99f9

      SHA1

      0b8925d21342d0f260f7644747732b019e37b864

      SHA256

      f626794790f52d39a48ea0190177f920bda1842c3fc24deedeba1560544b6629

      SHA512

      62d6b3930bf4ca423d505d088fcf2f3d711919fa8901a296d59d857678bade17a2e6d2361595c4982fb7d5f1fb4b6dfffa3537baad8966f9c531855a9c126cd7

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      371820a95668b8f116858ae7c44432be

      SHA1

      a651256c4f78adefd607c1532a6145a84d24a7a5

      SHA256

      e103141fddb3e19b744a1861afb01d4c4d2ff4f3c1e99008ca1cae1a2d16db3b

      SHA512

      39bd56c3a63e057a4f383e85ca90fe86e90d7746a2e5f294a10f62b5436934382008b9c6f83474728e7e19fc34c2eb55b60eb9d3fa37a00e9de88b9db5707a62

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      e1b7c0f74f60be1aeab7669f2c8a84c7

      SHA1

      e5fd7ac1a4291ce6e381e4b426534e9c6964f1e8

      SHA256

      5ee86a8b708f36ded1ba4c15a854141ccdc20e5354d72350cde794e4f7df11df

      SHA512

      4fac8b6539ebcd20242277cdae7094454428de8ec37cc9f4c7fe68caaffc77ac98cb17268656335a52de5d1aca4dc28cd4b69d2aeafe610966039a198903d623

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      c582dd391786b5137ab195174df25d2b

      SHA1

      fd174aead83d5498558ecc700fe78ed54fa7a9e4

      SHA256

      b814b6b3eefaaead1b819b53109629a11780108617c87e9014edb8531ca55484

      SHA512

      2da6f16b6e163f0802b699e20c9d88d1bf1f4650d16fd7ced4a235166ad95cf02bedf2a0ee46b64fccb2db0a8d12dfe43127176cd31caf02c6b86e9cd754ed6e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      bd4902723d8b083b85501ca4372e77f7

      SHA1

      136158f4266710625691e63aaa2cb69805c92dfc

      SHA256

      ac275b6a5aecd581b2016c4e48e0f0b194579117df33fb3b0ffd62e78c891e14

      SHA512

      d9d57d4e56c1b79fe6bd0674d0b8bd8fdec77c1be6f6f7e82db17acde885983c71bf3fa8d469025abb1f0a487e1938025431b98e4bb5a50dfc5691f8dc813e46

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab1336.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar13F4.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DF8D7B85632E7E68E9.TMP
      Filesize

      16KB

      MD5

      1a4269ab04690c9a2a0f977f81124408

      SHA1

      ea26a2a11ba3c1d2e931a0505e79be579f4414a5

      SHA256

      a5d06aa8b430b5ca1ffddba582c067430ae6d561f000efea7d0f0bd6012043a6

      SHA512

      5f8ae742514bde64f9ff10709c2ea9766bdf6020cecbd2796fbcbada883fb18c9bb00f871e7156c47b3ac512a2a2589a74ab7c48e081356b136ec3cc06f97baa

      Download Submit

    • memory/2948-1-0x00000000003B0000-0x00000000003B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2948-10-0x0000000001DF0000-0x0000000001DF2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2948-6-0x00000000007E0000-0x00000000007FB000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2948-5-0x0000000000400000-0x0000000000466000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2948-4-0x00000000003B0000-0x00000000003B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2948-2-0x00000000003B0000-0x00000000003B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2948-3-0x00000000003B0000-0x00000000003B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2948-0-0x00000000003A0000-0x00000000003A8000-memory.dmp

      Filesize

      32KB

      Download