Overview

overview

10

Static

static

3

f98e3633c9...18.exe

windows7-x64

10

f98e3633c9...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27-09-2024 02:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f98e3633c9adf8cc97e0b6e4c60bbf26_JaffaCakes118.exe

  • Size

    372KB

  • MD5

    f98e3633c9adf8cc97e0b6e4c60bbf26

  • SHA1

    c77424e0d954f265ce95fd3bf9684c4d93622316

  • SHA256

    070e038e554ebad461d8def40bf6357e749aca2b5926a0fee8db0c8cb2cdf202

  • SHA512

    0a832046e54777adea28ec90aea202da7e37c1feffe3f10b7642dc03f1fa6a4333396babe230aaa6fc6cdf3e44bfb1860c9e3ea35677f92b486f5f519c60fd4e

  • SSDEEP

    6144:QfsvEug4/COMAIOVW3Uqz/HJpadR5Fz4gF:QKEufaORxezE5Fz

Score
10/10
gozi3181bankerdiscoveryisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214062

Extracted

Family

gozi

Botnet

3181

C2

bm25yp.com

xiivhaaou.email

m264591jasen.city
Attributes
  • build

    214062

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f98e3633c9adf8cc97e0b6e4c60bbf26_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f98e3633c9adf8cc97e0b6e4c60bbf26_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1956
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2656 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2676
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2656 CREDAT:406535 /prefetch:2
      2⤵
        PID:2112
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1352
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1352 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1852
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2300 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1564
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2276 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2632

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      aef03470bdaf8d7da6d3bc43cc26199a

      SHA1

      e8bafbc5738e423a6ad72600121190ff15bc8759

      SHA256

      a3d4eeff3ef38665ed09f9374c1f9b80969cec19b732b910041d235417411be8

      SHA512

      1d7860ff44c6c133439c0388aa54d3d2aa540f819d17b1836c6d92d56562a90a331f27d67b178115dbce10ea9a4bb3bf052c0fd59e8ec951d8a19bee745678f5

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      4a23d37a9bf428a11d349a8a674ba043

      SHA1

      63fdfaa1de00b62e99c19ac3aef32c813b1104ca

      SHA256

      69a7f963cccae3e1fd625fb236d3e1fd7739a3fe3a1fde48a76fe4ad1acdd513

      SHA512

      fd5478372447daf7e357f12cb968fa53f2ee3c0250e3ec516c5863fb6f0b601f4f6b2ac8270021ea4dc494b4699726d8cfbe12811bf3958d577ebf4ac9ea5d7c

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      d76198cec45fe01b9fbd1c2db3c39e16

      SHA1

      714bc1a15ecf004de5d55ed20ac68039129bd014

      SHA256

      4be645613cfbd8a5e600d19c3770258b56fda23ed1c3acea4811f65d4a55485d

      SHA512

      71e55c28ba96c20455f415865d1e05376171dc9d6a7b47316d26099ce0cf125b7b342d6d87f0234d4f18c2d47c1631f97f5a22733e820e2dc02ef6540c6559c8

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      1d97d59761bc74db0e12bfa6e621ec8f

      SHA1

      fca57e0bf8e2e838fdac828f2a560fb846a838ef

      SHA256

      c1c089029edb03e1ce8a38eb89d2f3362dd1b60c197686e1e9882e3051f94ee3

      SHA512

      26af8f47794383b0a03412dbf6be583e70c54ff9544cf1714a2f20d0e4ccb877c0137bfaa14e973064dcb96436fc307901ad00474c258d8949a0bbc50897318d

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      43bea3e818da1447176aee3bfb8e64fe

      SHA1

      0c6b4fcba55e01cbd333adf14efa0ea243259eb6

      SHA256

      64ca77923065400f941c183e9cd6a158d2e782d93c2c095aa6684231df42a80f

      SHA512

      8e903c4be1781ed04d6674a3211135b54230514b1f2d5981e646eb2ea7e9658c0d9c56cf02d387892071cfea846cdb877aac4e4fa232a93b63305fbd173b7277

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      a2ded3cadd7e6c27e143a17b1e43ac37

      SHA1

      3cbfbd7a2397460187f878a2eb5690ec75a9ecc4

      SHA256

      e86bd6ca8e3778db09cd63abbe36d15eeb356f1d96f7f22f6abbe709a81115b9

      SHA512

      024c054df1dec54ae11d2799ebe773571c030fd91627609136fc86263d55a2955dafc9ba4148f1ee0966a0090fd01f210ef6380ff6998bbe066124b133bd373b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      139d8d8048f1bc9f1c31942cdfd03509

      SHA1

      1462ad1d7fe65608b1edd74ec440178010ed1660

      SHA256

      72ceb85ac72fe8a0889e759d36daddaeddd3608e08b6262785326a9284f70d3a

      SHA512

      eed278912bd0fd15c9807ce9274c0877d79060858816982b2dc709d99602dbf5f193977cbe86729926acfa515ad8a1130fcc86c84a22444556aad9beba7af88c

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      98645f33b96b677441bc118ab7933b9b

      SHA1

      12c1a66fe727b8a44f56924d2b3b4f3ce6fe6d80

      SHA256

      117c7469ce5c9438adc29ee192407aa822b44eeb7b7d538a099b079dd4c344d9

      SHA512

      67189952097adb7f9c83e89c7ae2f62316f422791e3abe18a2cc95381b11dda8c205f504781359864514524bdc2b3e3ef15895dc2f7074384b7512151433fa4f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      9524e115b9dead6c2fc832545f30b4cf

      SHA1

      2c7e2e43d3cf3184951f71297068e0842bebc3b1

      SHA256

      850eb2339ee9f757d9aeefb7d395d773fcaf488c56879a27b1587f2b692fd838

      SHA512

      1e5c92c29de1b668e1ad427aaa44e74c4b4c032778dc496442fbaa8deb44d94134b353171769ce2859c5e51b3a80492ee5d9537827dd377480af05e6ea8dc343

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab17B8.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar18D4.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DFD2B58E8206056236.TMP
      Filesize

      16KB

      MD5

      ed98bbb0fc62ba87c6241e0c47af8e36

      SHA1

      e09c650fc0f56c068b2280b125387a81a6874d70

      SHA256

      4cc5069ab4afcbf73ff9145d6b67fe5bdfb4c8c3ecd24d9ab8c8df00dd97b248

      SHA512

      beea504c63e88e37e14db446a6dab859f6494adc913e130fb82331c773f7cd2b119b931d0830c3be8a9648d2afa299df6f41538041082363363daf6968123077

      Download Submit

    • memory/1956-0-0x0000000000330000-0x0000000000331000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1956-7-0x00000000004F0000-0x00000000004F2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1956-6-0x0000000000330000-0x0000000000331000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1956-2-0x0000000000370000-0x000000000038B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1956-1-0x0000000000400000-0x000000000046D000-memory.dmp

      Filesize

      436KB

      Download