Malware Analysis Report

2025-01-22 16:25

Sample ID 240929-1elrzs1gmj
Target ff5d52042a34a4669aabcdd009e9db48_JaffaCakes118
SHA256 c9ba5242f0aa65ac11636c17fa5f61a6fc641facf1c37f1ebd53a6ba8a5cecf6
Tags
gozi 3151 banker discovery isfb trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

c9ba5242f0aa65ac11636c17fa5f61a6fc641facf1c37f1ebd53a6ba8a5cecf6

Threat Level: Known bad

The file ff5d52042a34a4669aabcdd009e9db48_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gozi 3151 banker discovery isfb trojan

Gozi

System Location Discovery: System Language Discovery

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-29 21:33

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-29 21:33

Reported

2024-09-29 21:36

Platform

win7-20240903-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ff5d52042a34a4669aabcdd009e9db48_JaffaCakes118.exe"

Signatures

Gozi

banker trojan gozi

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ff5d52042a34a4669aabcdd009e9db48_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |

Modifies Internet Explorer settings

adware spyware
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30aa976eb712db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value removed] | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433807530" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b00000000020000000000106600000001000020000000e73d6baa72ac244ef54eff3371d33d73c3b3610eefaa3bdf47a1f54b5962f137000000000e8000000002000020000000ba11a98190c9de8f8cf4c60b8624e00aa8e5b95d1f7500b2ce4890cd4991004620000000a2af75d6a68f21c919c71fe61d88a86169b44136e7abda312b8a0c63a45e22f640000000a2708280f06813b0fde675d4e2e42702741ada1b417ef98434093c7fb79b805036cac4280e2d0017cfd066d83cfd1c163541e4fd3bab1cd74859072af9036f41 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9721B721-7EAA-11EF-AA6F-523A95B0E536} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |

Suspicious use of FindShellTrayWindow

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\ff5d52042a34a4669aabcdd009e9db48_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ff5d52042a34a4669aabcdd009e9db48_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2816 CREDAT:275457 /prefetch:2

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | zardinglog.com | udp |
| US | 44.221.84.105:80 | zardinglog.com | tcp |
| US | 44.221.84.105:80 | zardinglog.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |

Files

memory/940-0-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/940-1-0x00000000001B0000-0x0000000000203000-memory.dmp

memory/940-2-0x0000000000120000-0x000000000013B000-memory.dmp

memory/940-6-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/940-7-0x0000000000160000-0x0000000000162000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab740A.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar74F7.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2cc8e6285b833e88e108cd208980a6b5
SHA1 ffaa52d2cdef2ba94238a36cb01286b199e368e9
SHA256 d27ddf2731c76a76eb9f39f8e5f9f11cb4d9ebfd083e4c3a9a82e8b92cc72a2d
SHA512 927671961af04df58e72563a9040d58d09bc179dce4707b14c7d234b3adb6b414a7ae1b2c3c8b84eb2fc191c85e58e552ea0bc817af1a6c114bc5c74ca0b200e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4ea391e573f83d1a272ffab84e63c233
SHA1 3dda6cbc26482a1fc3fc42876256c0e67be14e5e
SHA256 208e498132629c143d6e1e6ca8bdcbc94fe78ff7a09731e0c52d674733fd9de2
SHA512 96ca8562fca9efce0ffdff46505b77951916b22a4a0aba9fc0538d19ff64c81b2149e48ceb4040a5ea07828efab3367f899e6059f1b11220a5ff29e09ffc1dcb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 080fb50717f222a45567dbe7b0770e3b
SHA1 4c4715e0ab480b6118a158663acd6e75d2dfac21
SHA256 73b9fffabd7887668dd8a424bbbf33db1ba9429a867fce9970dea2d2b296ea84
SHA512 eb1f64e0ae752e1e754bc0dfb01703bb6c7c1ebe577715bcb6c40ac91076a659648e4843753ecd09e655e90576a9a3af93e4fe4c4707d60d22016bac2ccdc41a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2bf0ed668434159ea95bd74a6436a8b1
SHA1 2564f5c1ac94d8840bbe2461200cbc3d42c933a0
SHA256 da290bc9987f7e1478a35374510d1f2ba777a6bfbf62bf7f88c2ce1b38e3a1bc
SHA512 6c625db1caf7f3c115fae1d65fba05725131d493d098ee76eab3211790b0460ebaaaeb1ecce9e17f64c2cee717683bb75fa836e016fcc3e3698a3c6fb6e8d4aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3452aa2623635f7f305e9af57ebcbc61
SHA1 d76a0899b705d6ccab76fda20e7a2edd246c197b
SHA256 71c9c46851461f0f8c54304aa4c8ce354fd960c92457f283efa98e6089f8325b
SHA512 14e621e9cf0feee41643aee2db1249c17e3f4fc9262617acb9413fe36d263307dfc2792d786d3bb017f8e5e368fc74900eda2908691bed43597d7947bdaa30ca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1d81f7e181c509d80929af9f389115b1
SHA1 19304ec6154d669f477624abb43c3d6122186b21
SHA256 382c434db5eacbe8872863d60f1d884363da3747d69bd08205fe73c1b232104a
SHA512 ff6d49832632be827bae99fd75fef08e54f8b2141f3d84cb52dbc10f7df7288b907a1112ac09165b420f4dee9577b7b6c2a86cf925b5722bf90a631597aa893e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5063072b28e8bc10904e7f0b80145968
SHA1 eb6fb1a50e745ba38de5858ad8f5c6d8bd1ef7c7
SHA256 ca4f62a06fd6f738bf8283adac898bdf097cbda127c1eda2a5e16826d0b12166
SHA512 39abcd619f91d56bff0e9f630d30c4f7e2ca04b62bfab41d9c855e30965ac6460ace06ad1ed00e8dbc4b6b72c3b11234c688c425bf82fdab3496628164d765e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eb655a89d65432472abcfce62a65efd3
SHA1 e94ba6c2934ebe26b645e1b66087a213afd81c4a
SHA256 3af5591ddaf130893bb4209bfb04e944147747df689fc1efdfb7af4b761c6869
SHA512 bf946835beef0679d26b1d1afc239c351522fd04b758bf2b9c27c6dbb1994c325d81e35fd284cacf43a3adc70fd6d55a9a5b5c9e9cff66c5be082307b4a850e1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4bf583e0a633c9e6a34f2507d31243eb
SHA1 b258968f126c46795a2d3efda5c476560bb85d36
SHA256 6a285c81d5a9301d6a07a73cb906a345157bb3ed5adf68cdd4fbd4f91bf70213
SHA512 795587b4ba9d0c2ce899aa5d931522ddef4133c70b1b138d8e39e2c180a9188b9638b6cebb97b4af15da33df53dbeda45dbc4ea7b9091b8fca724c295086df9f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5e309584ea7e401a0d44f9069eef3db0
SHA1 6292239c327d40818be8da3bb5213e2c6c357689
SHA256 301df1186d8aec91c61b98e057334bb2c18557ca46a98017d34e38d0435d016e
SHA512 cf6f34b9bfb3fd39d2969dccf374369b89b0db07b1282d47f6d62815974c82c45d9a022dbe6e892fa13f8792c1e08cce164a95c44741e95082309235896966a6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 85c268376260257aefcc9d22aeae06d6
SHA1 a9ccd861b57e8b3daf303852b1d1dbbbbf8631b5
SHA256 7bf3332ee9b86f8a4407883898d93fcc4bebbc42b7dea3a111f992780a61b605
SHA512 e7efe50cb6f9dc802bb5320f2913e96e06be559134243fcb9ef124db30b54dbb08e00d5f0c959987ed382cf438aafba77b4659b992144318457e959a3cf47788

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0edd557a52c73d6960322a213e0495ae
SHA1 299dd857f576a3a390d347ac2ab780c515ffad97
SHA256 04c878c18d436f489e1b81d6b8f8e3047952b473c9412fc7122a573f9f92f25c
SHA512 0912be4153801597942fc228e073491a5d7100b88865a959f26350c35afc2dc569eb0e9297b3107303bf7efc5864b62d32476c1436f50ef4f7e0fc5ad9dea4b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 38aadac34b7ded188ec11fa23f36ec51
SHA1 b6cd123c12eb392600fdf3687fbd285e191a4bfb
SHA256 623f83539a3cfea0da8a0632de05e7aa9d7ec1dfda7fc6735cc846a302d99112
SHA512 f884a27b21024482dce4ae0eebc6cb58e814da928cb431b31eb45ebee1b228766c29548d86e225ae8f6c62377f3359cb8e73b4481cc1c8d2e3a115031d008e3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1f369dbdab88f9b993192454269b8536
SHA1 c818524d55195c89c7d7789b03ab2963c1da54ed
SHA256 930c0cd2a7dfff7687b36a7dbd5c6f3487808ab60d15735d6c6068c4d11cd4a6
SHA512 59dfad464eaf071dfe04c52da9bf2fc913383e43744a914f9b557242f525df571cceb636743b612d20236092065e78a071bf178fdcbf661045ee892a9cf2229e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9e1d822e9f28bd69caba4115c38849ea
SHA1 5fb54147b0c2fc95871da4941fc68f44c9d295db
SHA256 2d7c791903160fd6e55475b630a6fb8012503ea67dee54aea8b27a43e40cfc02
SHA512 cad0a02de4536371cd24762ec7a80c3d79913b1467cf24c2e751312212fb494e6bab38aac20249dc2fdd615201227784f8050813d0b6c3b67ae06371c5f2d43d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 16cb88e6956f59fa63a1dea605cf79ec
SHA1 5c3514a44ff63991675e47d57e86693eebb9f00f
SHA256 f7819a5c6a0a9ee03bb368e31dee19fda33537cae99218ce2fa113cafa194048
SHA512 f93278ec1a5897280d089eeb42199c80f1a4720e33b978348059b0140385ca6322a6890c1f3273b42f16c178b4265f4ff838ab7112e1f974d4590ef5c5b5d024

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8572ab5b7f42e69ee5bd840fc0b5ecb4
SHA1 270e1665109d826746c86b6aeda2ae9e6bcc7f58
SHA256 d94fc5a47bd7323abd0ed0d42ef5e908b65437abf7fc0baebef33942889ca3e4
SHA512 986995478339cb1467fa90ae78108e579a6e1751b6ebcc5b737cada69703c260b199ae9227234b619230c958533345685f51a979b8ca2c2878a4ca87e9998870

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ad25c7cdd9d9041c034526abe33e66f9
SHA1 e9816a2650aabbffe93169cc83ba344c5137dd1e
SHA256 c9b42b474d4657de3039c77ac0ff6512c686070b180228506a235740d370ac21
SHA512 267d8b5f166a1ffd76af76ca0aa008b9d62e5462916f2cff4171bdfe2ae3e7d9d24609ac64c9eb44766ea674fdc29210a2505d2cc75ff6569d00ae204b831f7c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d6889a9afcc4315a5db3736be52cd709
SHA1 ce9dc2e39d9d19f5400a25c5008961a2a0a0a70d
SHA256 21c368951c4877c5938e223042d765d8d993c675b261ec4ac545aeff966032b7
SHA512 87f8bed3df106289d2409ec73a6fe61b98b7404d1e47366b12d86aae11cc09b0c9a0cafac1ebc02b25361d2b71d2e2cd05283c53e66852f46bf3eb560c2de870

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-29 21:33

Reported

2024-09-29 21:36

Platform

win10v2004-20240910-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ff5d52042a34a4669aabcdd009e9db48_JaffaCakes118.exe"

Signatures

Gozi

banker trojan gozi

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ff5d52042a34a4669aabcdd009e9db48_JaffaCakes118.exe | N/A |

Modifies Internet Explorer settings

adware spyware
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1776564118" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d74c4a2d6d7764449694ff5b3c3fbde300000000020000000000106600000001000020000000924b702a8f2427ee8edc16e93fa4bd355f3d5a1f723f5b38288850b69648eb01000000000e8000000002000020000000ae0247a4200957ae1d6dc032ea7a4691b47d8c2558ae592c08a535f5650ab9dd2000000039e036243462cdaa7c0329ac53571901661b5e25c2c133101be26e2ad9333721400000009b189034376abcb300be055d73a230665442511d3fd36ebeede3a46899de3420fddc55312b4b1c291beee73a4a741fd0f19d4d8b44e883b463b9c622f65f8501 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31134391" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0b1886ab712db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1776564118" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8027926ab712db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{957F71EE-7EAA-11EF-B35C-4ED88B793F16} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31134391" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d74c4a2d6d7764449694ff5b3c3fbde300000000020000000000106600000001000020000000f1ee5389a1faac152b09b6b0170e4fb6a98d17590e46d55cd81fbdbd5da5ec55000000000e800000000200002000000002171504cd6c8a52767900b692f8aa73047fb208d7d98f174a63512508c50bf8200000007d21bac83c8f9c3560b2f14e9179d74d7e390e12ec2696c12a154fb5d05330064000000046f4c89cf561df13ff5c239294d9a0c1452203aa9f79b2eecdd9539d40af7f9ae0aa339f502a7b8efb6a670c84dc84c9f3b1234451d542790d63697dbfc1eaa5 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |

Suspicious use of FindShellTrayWindow

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\ff5d52042a34a4669aabcdd009e9db48_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ff5d52042a34a4669aabcdd009e9db48_JaffaCakes118.exe"

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2084 CREDAT:17410 /prefetch:2

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zardinglog.com | udp |
| US | 44.221.84.105:80 | zardinglog.com | tcp |
| US | 44.221.84.105:80 | zardinglog.com | tcp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |

Files

memory/1392-0-0x00000000013A0000-0x00000000013A1000-memory.dmp

memory/1392-1-0x0000000000120000-0x0000000000173000-memory.dmp

memory/1392-2-0x0000000002DB0000-0x0000000002DCB000-memory.dmp

memory/1392-6-0x00000000013A0000-0x00000000013A1000-memory.dmp