Overview

overview

10

Static

static

3

fca68745a7...18.exe

windows7-x64

10

fca68745a7...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    28-09-2024 16:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fca68745a7b3b5b9bdfe49b9e02a11ae_JaffaCakes118.exe

  • Size

    547KB

  • MD5

    fca68745a7b3b5b9bdfe49b9e02a11ae

  • SHA1

    73e2439cb751b078cc63d29b096141285fc9f9a0

  • SHA256

    95018fef89b70c0c85453ff907861a0cc0763fa038c392a3f8176b98fc414366

  • SHA512

    f08dc2370330ddaf8c90b99ad0659d8fb0da9ea3507a82ead441fc3ecb12225727d09815080f6a5882f35fe705257dad9048ce4ff87c201a0ffedbd76ca0714e

  • SSDEEP

    6144:uVJt7IsATy65KJZnF/gYdpOLw9F/lauaS7tsPUF18avHUwAIgJ+ke:uFTM5utF/tdpm87tKO6asJIgJt

Score
10/10
gozi3187bankerdiscoveryisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214062

Extracted

Family

gozi

Botnet

3187

C2

qrodericky94.company

g77yelsao.company

tromainevirginia.email
Attributes
  • build

    214062

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fca68745a7b3b5b9bdfe49b9e02a11ae_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fca68745a7b3b5b9bdfe49b9e02a11ae_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2180
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3028 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2240
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3028 CREDAT:537609 /prefetch:2
      2⤵
        PID:2372
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:988
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:988 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1056
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2512 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:316
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2928 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2668
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2972
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2972 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2368

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      7d7ccb4e03c8927969b54eb79e362992

      SHA1

      fd053d4de5cb185646e325ef63cea9ac8d1a4895

      SHA256

      206abc4f1b7da6b643887221cb52e634ff2d3d3aea604a5f35f99164b5f6d1ed

      SHA512

      2517b4be1f545bc6ce18f6d8d3b379407c86e2e112f8492daf7e9a056c48c8145e268ab5d923e85f133bc70442f82596a40de77bbc844983ccd3e0eb0878e482

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      f5be994ed0d6adf73df7c22d57b69cf1

      SHA1

      0f101fcdc563c2a739db2a8ff056d49329dc533e

      SHA256

      99af51248f5f270e861e6da26813ab62c11d6e40251a8565962f4dc942801662

      SHA512

      c007b791baf42a77b70199992c596a4c4fbb34276da6024ed4ed4d9b712b33f1cc79cdfb925f2ca67134059ae542869706da186887b91c691487019255debaef

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      aa4a839c6b73d18826b89fdf3422f4cb

      SHA1

      6b23f29de85b7faa273a318908d0a2056803a423

      SHA256

      c0287beefecb33cd62d9d3c6df9ca400ffa4828132b43c54cbd654bd452bfd0b

      SHA512

      4dd82cbc10164d57b22eaf03e1c1f9fd0f99deca09efd201ce1696cafc9db164c751739178b566bd3afc064d79d86d2f2af2a386c5b2d0891bcb014c20a37cdf

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      3878e07718e3dccb51ead3533165fc2e

      SHA1

      03f8e373ea039df46a698b2c4d0ad4aa60fae669

      SHA256

      d6575abd180bb5f533949e96e26c57e7f3bc337246b8cca02d673d2fdeb0a546

      SHA512

      d3ffe7b7ef282798a7f71dcd938c65670c07789b61bf8a380c2f3bc7f41e75043122a18b963a21b4f5690de33ff2379e9ff4b38b9c5b57f72c1f404e755a1d91

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      ee45db7df99994b18b02e0c7669893fd

      SHA1

      4d4990cfba5b637798d3d8bd8620625a525ebefe

      SHA256

      9a99bc8785a024880f5018debb0a8fd1f24c16e2c1d9407be69b8f0512a6d279

      SHA512

      0d7990ec670372b3434a7d7508402040a5775148ada286f58ca4f88032cb364034996993ce0307d6c7e9731905f9866ac03ed47054c9f77116147339af1e9005

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      eb5477fd3b6368cf58deb6d64e472a5a

      SHA1

      2bfd89bdcaaae1d9adcb206ec4f5e952c6f517d3

      SHA256

      7b0f81927ec9ac37115fddeee68722871657dbed2eb2eecf853b031cbcbbaaf0

      SHA512

      7a20355847d2908adb31942ebd56a74d593ca9b09f78be5fcb5cecdc8b8d787efc14eb85f0f5e6a0734325ca8cbf01867c998fca44f736e5447685684ebc7b25

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      c09e0400b769ab42c4817dd1faf062ab

      SHA1

      5d95c4c0d8b9b8406c2d8edba947555847d0526a

      SHA256

      1a66dab699459b3a46674847848ccf34f376d5d7d25d897914ecd2740cc2dbd3

      SHA512

      286e169ea8671fb64a0b3050820a324791ab13f9af91f2108468983cd0dced47b204f02ded0654a027081dabc0ff1374ff76298c4b9c2e2806e7eb0d21a75d52

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      c613d93208ca8eb7e4a830194ee15019

      SHA1

      ca2a558a0452745bbaeca16517538fcaee35c090

      SHA256

      69c8449feff0e1fe7947e0b3a7f36b95f3bc26ab44ef1663948fe43c5097bd8c

      SHA512

      8bbe2251014c5ee16d275727c6ac9b209864cf361884d564e4dbfb5a2d6169b40eee03065b30b31c33367d73a84d88cfeca87121117910cc3dbe783e6dd56d9f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      0ea375100f99fc281dbfcaea29e52fe4

      SHA1

      a856fa6e7235ca0ea7e3b072dab68b9d502a8ad7

      SHA256

      fb6e096c12990a948a8e72a7cf2208ff224bc721201608daa65f01dd38f990cf

      SHA512

      1280e96c78e44457eed5192478a683a8697d27499575aaebb55e66cb8d147ac325d6ad8b707608a47109019c2f7b8071fa7449dae22cdaf44031c3c0dcc40ea1

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\39GEHZPO\errorPageStrings[1]
      Filesize

      2KB

      MD5

      e3e4a98353f119b80b323302f26b78fa

      SHA1

      20ee35a370cdd3a8a7d04b506410300fd0a6a864

      SHA256

      9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

      SHA512

      d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\httpErrorPagesScripts[2]
      Filesize

      8KB

      MD5

      3f57b781cb3ef114dd0b665151571b7b

      SHA1

      ce6a63f996df3a1cccb81720e21204b825e0238c

      SHA256

      46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

      SHA512

      8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\NewErrorPageTemplate[1]
      Filesize

      1KB

      MD5

      cdf81e591d9cbfb47a7f97a2bcdb70b9

      SHA1

      8f12010dfaacdecad77b70a3e781c707cf328496

      SHA256

      204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

      SHA512

      977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\dnserror[1]
      Filesize

      1KB

      MD5

      73c70b34b5f8f158d38a94b9d7766515

      SHA1

      e9eaa065bd6585a1b176e13615fd7e6ef96230a9

      SHA256

      3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

      SHA512

      927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CabA41.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TarAD0.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DFCF4B89847E6E6A71.TMP
      Filesize

      16KB

      MD5

      ae3a375e1a6d856210bdcc25a1819c52

      SHA1

      47f26999ceccb23979ae1fb48cd896ab414a82bb

      SHA256

      b025c65304b740fca1698d342aa9853224176efa117b30b456a133f83aad05b4

      SHA512

      8b63c8373ff4470f6766a450469db278cf8863a3d8754baea58d76e55e87fda80fa3393ad7a98c063c44440033722ff43a3605b5711f4ee021590509451f4943

      Download Submit

    • memory/2180-0-0x0000000000090000-0x0000000000091000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2180-1-0x00000000002F0000-0x000000000038E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/2180-2-0x00000000001B0000-0x00000000001CB000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2180-6-0x0000000000090000-0x0000000000091000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2180-7-0x00000000002D0000-0x00000000002D2000-memory.dmp

      Filesize

      8KB

      Download