Overview

overview

10

Static

static

3

ed9326f805...18.exe

windows7-x64

10

ed9326f805...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20/09/2024, 12:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ed9326f805a176d1077f3036eab15abd_JaffaCakes118.exe

  • Size

    376KB

  • MD5

    ed9326f805a176d1077f3036eab15abd

  • SHA1

    fe3558cfbbe47db911ec3784d28f9b77aecb9ec7

  • SHA256

    17bf38bc178333ca8dac526db4957582eac1d2cea29508c8789f512dc07e5e07

  • SHA512

    124fbf8c74e481b2ff7c3c97859254d583b0b0e6599eb4e0522161a0ab9c0e7ea614b390ddd73771f625b6dcf6f7e4156f8ef270f63826ed89ab550fc3b6468d

  • SSDEEP

    6144:tFqTpMmb37r+TiZNAqMRQzRZZxKxMFihFAziuQuLNMEC:t0NDmoNAF0RZZxKGIFAziuQuLN

Score
10/10
gozi3193bankerdiscoveryisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214062

Extracted

Family

gozi

Botnet

3193

C2

fy76qn.email

dst1894.com

w40shailie.city
Attributes
  • build

    214062

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed9326f805a176d1077f3036eab15abd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ed9326f805a176d1077f3036eab15abd_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:328
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2728
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2728 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2940
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2728 CREDAT:472087 /prefetch:2
      2⤵
        PID:784
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1564
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1564 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2960
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2512 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2088
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2740 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3020

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      639e345f1fb6c7383b04096105f05440

      SHA1

      b4745bc154f32306f0c160a387ad8c758f685f3d

      SHA256

      3b754ccc428477b015082e5276d020233dcb086be8c0e8287ae33f67eb970770

      SHA512

      cdde3295eae5bb96a6abcb30ef07f4984a2e0fdc23c5f7e3073aa20d1601bdbf9beb21bfa82e04dfc7dabf1610528498059300fb62cf136af54442eef298cfec

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      b2cda9af2fe128952c5968c2fba6208b

      SHA1

      833dd6f133d17da705181bf80f235a74869ec751

      SHA256

      81f493b1a28f77933e8b3466fe1d32addfa71670be2ed8b3f0fd495cb1cf4d4a

      SHA512

      dda63a939560c14ae1b29e32b2921713a7445afab6668fbe4feefe2c08f583ea022ade4bc45e08197f87eb44f9bc5eeec0dc8ee20fbce4f7f033c2d32850850d

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      4f60fdace18b3f181938cde710f2979c

      SHA1

      52497381fa52020aa6552ac199e580daf63bbbce

      SHA256

      cf496cfecb0d3ab9fb4e4464668a9d09d8a0e2eb76b72aa75983d4a07aed5a69

      SHA512

      4924dda6087cd468478996cf84f958b9985359c8513a582198b782a84462575e9da9095cc96aff5fb3feff79234686745e97908136f9df5c2f4829369b77c04f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      67b8ef172ba62a832e7a29f77c952d0a

      SHA1

      949f733c2a9f55de3408f8400df31245d31f4385

      SHA256

      cc2509e9e98635f606652f7bbe7a32b159e1063a9f733a6e3e17c9a38b6a5a33

      SHA512

      00c750cba5e3b494b327f7669fbcd78ebb77a600e0500f7e5c62daefad6814e8b63f940ffc1c5781f5ca0a221e0d5e726654eb5d7bbedb858efa28b65b180d04

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      28a4f642d6e1ec4dd5fed772e7a629c7

      SHA1

      10c98b09c1ed5b4c7b0b0aa9aff4704b5cb0c5a5

      SHA256

      f0a937340d7b59672ad693ddd5021e6ddefd461d562cfb7cda979ad810cdadf7

      SHA512

      021e1ba10cd92907f395ea5d0cff41579997a4c1bbc784873b655ac389eb66bb98dbe1284f3dd0af9d33f979c0d0a1f6cd233142c066e2e35e88bd16857e7938

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      d639c0d4c7a9c9acc37f72ccbcab8a66

      SHA1

      b588d336d9a11cd9b4882be7cbe4c4b18fec9669

      SHA256

      f6751788ac82fda46385bc021b94b8c25c9897d291ac162370fc8e50cbc7e1d1

      SHA512

      9bfacea336c4712860db5cfe0b1e40b8d70a8066ab33bd175846a7bf31bbef75b77f26ce36b86025956a1c1a6634332d0dfa28f2b452aa785cee544d539b542c

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      9aacbd98293cc288eb798dd814a4e60a

      SHA1

      e94c8acdac56fb16098cd98e526911ab344f2db8

      SHA256

      9f20b2aeb1c155722c4283aa49071552d5d9277a240b43bd7599a78aa787a746

      SHA512

      7152d484254110a5ebf73cddeb4220a8fffc6a2334533e59f0836de7466106146e653b22834e518631c28a56f93bc3f9f96562947475513f5323a63ade463d06

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      3e278c98565b97d4d7fc29b4ec8b3428

      SHA1

      b60f7ae3a8e02917b3ac28f7124cffcbeb904bf9

      SHA256

      69ff7fcefb9ba048398e74d7b2994f33cdf4a644b06c7d2a08bcbb2d5267cd69

      SHA512

      f3102d1942b0ef50ffc5197713a3712b08958c60bbeca9507dd2366faa15235c569d78da3548dc744dcefa420b6b461ea72f73e9ec20c64def09d1ef3a730fbe

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      3ce8234883dabdf69bde56887bf960e5

      SHA1

      7597b639581ec2f7a600f54a7599a1b5c8cc0dfb

      SHA256

      acdd4213494345042ba6d6a6094de3be2cb34144796a1b515e45ff7a401ccfaa

      SHA512

      e08ff840192a2567fdc4d1a51a61b0c6ff7d4dbd94bc0f36f6884deaace6aeadd2500f967ead98fd0132e45c454707a2f97bc4bc7ba95aa2b91e6c155e763550

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab61F1.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar62A0.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DF656CE1498DEC9B93.TMP
      Filesize

      16KB

      MD5

      2682c96cf556a9a09a9a9feb6e22348b

      SHA1

      3b024a6f341e4318aaa22e68683143be81e81f55

      SHA256

      a914ce689ea42886224811ee01edc3a1d8819326a77630827a7e5c923638ee3c

      SHA512

      4e4851981e3e93399b2f385072c15c1f30c4e222a446db1df618f571f2733206f13880586d3693ce50ef8825a9225199e319ba71ee950e313cf48cbc15655a95

      Download Submit

    • memory/328-0-0x0000000000080000-0x0000000000081000-memory.dmp

      Filesize

      4KB

      Download

    • memory/328-7-0x0000000000230000-0x0000000000232000-memory.dmp

      Filesize

      8KB

      Download

    • memory/328-6-0x0000000000080000-0x0000000000081000-memory.dmp

      Filesize

      4KB

      Download

    • memory/328-2-0x0000000000180000-0x000000000019B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/328-1-0x0000000000A20000-0x0000000000A87000-memory.dmp

      Filesize

      412KB

      Download