Overview

overview

10

Static

static

3

fe96bef523...18.exe

windows7-x64

10

fe96bef523...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    124s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29-09-2024 13:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fe96bef52343cb58b78af1f951c4bcab_JaffaCakes118.exe

  • Size

    485KB

  • MD5

    fe96bef52343cb58b78af1f951c4bcab

  • SHA1

    9e0d0a557f831605eeabe1390b06c235434eb14c

  • SHA256

    6a0bcd8b17638f9424a2a5af9ff0b538373301b2d7648472d878df3b242b83a5

  • SHA512

    355725c4ed95ef76289ac69822c6814be591388ab1b8b0d7a3c7bbb1ade93937a727900d3be763bea10a54522855166ae1015dba0cc5f4d66a43ed406803dcdd

  • SSDEEP

    12288:mD9UDevpMtdoe83GWLh6iVMGP4tYLwqYZy4e:hiq/H8hh6O94tqHYZS

Score
10/10
gozi3140bankerdiscoveryisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    215165

Extracted

Family

gozi

Botnet

3140

C2

isatawatag.com

bosototsuy.com

atamekihok.com
Attributes
  • build

    215165

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe96bef52343cb58b78af1f951c4bcab_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fe96bef52343cb58b78af1f951c4bcab_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2212
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3036 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2564
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3036 CREDAT:1258501 /prefetch:2
      2⤵
        PID:1604
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:640 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1804
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:892
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:892 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        PID:3040
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2292

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      2699aad57fad462ea95ddb8e051ee830

      SHA1

      499f9d76d19a4a1767adba65914c6c77483827aa

      SHA256

      e03a297a9ca5f368c091b81c1b8b17cdbe96b380e5732bb96bae25f2ad148782

      SHA512

      cc6ad512fd9e325a46871a545fa58c98a34c31a2f65b92ebdb297d3ad57f16a38b557df392cdc491f95122f53ce179f72163543f904fcf6a725d4679a1f0732f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      2ee0d74cc1fa29b341fc5cc787671fb9

      SHA1

      0c88a0d470e54e7a95d431bdcebe64c1adb3824e

      SHA256

      6bde78485d65f7c1a8d7eecf1f0e5a1d9ec8baa450bf4d91f90bbfde57e9bf44

      SHA512

      1ff4341578819b9cb92a2df265375c7786cd61bf79b8917c6b3ddb28d1ce7b53dadfa3a59bf8ea0820d9606d4e607e3015f1761dae97e20182cefff7b2336303

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      de92bb75946a6e1834a3448c9c17a746

      SHA1

      339b185a6eae4626772cad593d3ec903ceba892b

      SHA256

      0d7da4249364c605c96f1a80faad454432a92c20d6a3495b56963d63c67efe03

      SHA512

      04f757cd866eff4c0bd46cde028c0367273a186a19e2d6b53d37bb3ec6ba814901a61077faff54e3e1e59f3ca35f0b3db4d3810acb31273655db7ddd893061b3

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      d1bd4751e5600666be49b690ff563038

      SHA1

      94c09a51a8459f0f2d2e65dd228853657716bbf7

      SHA256

      9a8855067b6e50a13826279006bdead2bcf1848fad2fdd2f7eaf028f75bdc723

      SHA512

      520aedf5d2358fd3a4324a3d74e7f54fee86126585102b332107f2450c36666b13f8aa9842ad725e6d56a8a9d26fa4733a5d2c786c2167f5dac7d144f5041909

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      75ab5952132aa19608fd4af8ffc342af

      SHA1

      45bf207c1cbd20e9205630b5de147c92ffafbe2b

      SHA256

      320b6bfafd9ff7322eff5ee8380b962b45c238d6215e4bb21336ca4bac997ba3

      SHA512

      878d81ae55cf71b029d521abb074b8b47051a4aa17e40b747c6d9afbb5a0d351f40551938a4d7137af31dd20d9274ef5aeeab6a46beb524a4545b55e7fa15d7f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      df5638e10e417b6b211720881795c09f

      SHA1

      16e1a71aca958f5cdbc16c111bd14ad7284cef3f

      SHA256

      0978823ab8520fadf1eb21a47a1194d741d63b9bf6babc17c7dd8b7d488b0180

      SHA512

      b762f246f70b3f0039d040166f38f336d227612e548ee35a0060840b7bc894a82aa5aef78457a368aaa27f0b06b884face264871fa18804dd03b1404751cb61e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      3fb5c11601c8902a69ae0253543cc80b

      SHA1

      71e72964f1bb6d9c19bf49ef736243b661d9f2a1

      SHA256

      44d9d1575fa9a7c2edbe6a4e4fc26f1c1b092f1d2079fbe5efc992e2997e562f

      SHA512

      08f7def45804d4a824c90b13026109b6e26f894198372bc41b963ee429c135eb7d85b4093615cf456a58f0186c08d35fe6d14d2bd19429c2e5d6e34a9f47d201

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      ebd19e5a6df9c89b316983e4a016e643

      SHA1

      b226686e19da33c1348880ad41c1fc5641bdeed4

      SHA256

      2ecff0d7dd6884ed5edd7c0e0d80d3b355938a3ec4dd77b7fa6853f084e4f5f6

      SHA512

      6c6aad48bb8ec8fca9f3b28ce13a94f0183152a880f9967bb33f20a2bf9dc272732e153ed88112e866262ff254ea01995d72051078d4875f781a40e379956a08

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      1b7dc18ef8cabce325a47b36bac5ceee

      SHA1

      935f2199b79e04a4e91694ff5d3fb27124cbab58

      SHA256

      b8eaca2132627d62e791cd44500ab2f1272dffc3f96dcdb696f9e5d1a170ccb2

      SHA512

      18f57119b89fcf7211fd373ae26390d2e0922b00f0eecf28a36838b60ed697e249849a9399fcdf953fe93d3c1a921ff18856c3989501cec8a0ffdc5d315f9a6d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab877B.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar87CC.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DF8A94B001447BDB7B.TMP
      Filesize

      16KB

      MD5

      94c62191f57fb7709ae978e12e69f667

      SHA1

      3e15915b8ce4bb8052320206534aaf5167b1aafe

      SHA256

      f48eefd965c0434fb62ad945d661b5420db8de4e9926de8c1c18d6c1d2829d7d

      SHA512

      2cba6f84ac00078fac7a3edb1c67c6e30030f06d826007fb8039a126f17b5882cf14500f793ea28d783a070745e906b7bbdc53deecb6c103dad9618a582092b7

      Download Submit

    • memory/2212-0-0x0000000000130000-0x0000000000131000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2212-7-0x00000000001A0000-0x00000000001A2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2212-6-0x0000000000130000-0x0000000000131000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2212-2-0x0000000000160000-0x000000000017B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2212-1-0x0000000000290000-0x0000000000314000-memory.dmp

      Filesize

      528KB

      Download