Overview

overview

10

Static

static

3

ff0b8bdf75...18.exe

windows7-x64

10

ff0b8bdf75...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29-09-2024 17:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ff0b8bdf7576aab2c0c32590e11c0c36_JaffaCakes118.exe

  • Size

    203KB

  • MD5

    ff0b8bdf7576aab2c0c32590e11c0c36

  • SHA1

    72fca6865972e48b7781efc9af9290cd28c61cca

  • SHA256

    ebf5cce0f863d898ddac6b4621fcbf38b173125e327a1aa22a6c7265828c0a65

  • SHA512

    f52286905891eba573012c0cc58e59d042144f96a737279e70910731144b519d12ae7f03710aa9f80f6f6a1ed77a70a0b84917f6780f711603938b830e2aa170

  • SSDEEP

    3072:9Nji2dQ6v4uPXDNUj4jKBonzmLXlYVRLh0epEEZqkFBc4+uTqN76o:9Rdp4uPZzGonqXGXh0bluBc4GZ5

Score
10/10
gozi3162bankerdiscoveryisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    215165

Extracted

Family

gozi

Botnet

3162

C2

menehleibe.com

liemuteste.com

thulligend.com
Attributes
  • build

    215165

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff0b8bdf7576aab2c0c32590e11c0c36_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ff0b8bdf7576aab2c0c32590e11c0c36_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2068
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2792 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3016
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2792 CREDAT:734213 /prefetch:2
      2⤵
        PID:1644
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1372 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1896
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2500 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1412
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1224
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1224 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2644

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      578f18c508cdf9053e439d331b189a41

      SHA1

      c09a7120856b03d8e5a5fa4d31459e23bbbc1674

      SHA256

      a4cdec7f417070dc8704dc9ee03d0eeeeedc5db74ca009433ad7b8be58dbf56b

      SHA512

      87f896a7e77634734015e09fdeb9179f7fda96471c8166ddb774f518e6bc6dbab9c0cddd5ae6964e23d29f939f707442519e333903891ecd0b8c733ca09fb088

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      ff3f501a54a38d5c17fe0a0e7df80252

      SHA1

      5bf818cb87da4c736a05532929291f6748fce8e1

      SHA256

      2b8ad5a650f957d6d48a5b2dd008e7db627575de257556cab46194fd137f2e1e

      SHA512

      16035a6c6d188e27258df33b71cd293e484ff1fead5ee21b7272935fcd645362d3c9e8569661f549b6b117ae7d5ec0850d9aba28e0f7c8c3ff704fab1756f4f6

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      d2345d5a56e97a9f5b65585af721bf31

      SHA1

      498cb85d437e70644fb0da556bca56519a47e3da

      SHA256

      b14597f24885ac9978bc336088c3ac2a1d4030d4e201cf88c5765e02992bfb17

      SHA512

      73bf0a6e94cb8cd046973d858d9104bcb8f905aeb10370d4fc83eb7484c274c8ff5fd13e8b03cb984d61d34f311b7a8164fe3181644d215f158b8c6d301ee8d2

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      d602d99f64b08bfb1c29bcedabeef1aa

      SHA1

      6e645c32ff5c5b1ffe9c7e707a56e24832c5f95e

      SHA256

      963c7b707e8eb144d4adc14e72602793cee043ae43309db0f40d7cbc09f6d994

      SHA512

      45ac521a362505629bb3903918a87b2d864c3e2b7f4e32e71721e4e06b72311c76f5b8d760f7c9de3caacc11b9c9ddada54a7b4417769901a55647268bddec9b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      00d7996e3e1685985169e334c0929368

      SHA1

      d6f14236d1d9d7227c661c3cf2548dcd7a629da9

      SHA256

      ca55f70b82b901549aa5f100ef26363d2bdd420b92f119263aa4fa0970aff94c

      SHA512

      e71145fa591d973a5f999d3584abc122a5a8dcff892ebce3515184ede363afdad1d2c5a0051c72e543ce05abbedb739efa88449bfbaabc85e35a481386edc8d7

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      c9bd49874f3ece07adca07dd5f296a33

      SHA1

      231df7772034c5c4d015ca13160d91147aef561f

      SHA256

      b3a44e1c507c2f4dfaa631bee41b0d28bc4d3d8406cf10d8b0970a4738b1d861

      SHA512

      ba71b373abe8dc2402799a1ba13aa7a9bb75fb1b9dc791b6e254f1e6a8f3ad1b29b4d1ddbc7532518a7ea82c3af1fe7f69439e326caf4610e9d96c4a62d76043

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      4565aa1f25cfdc4ab7b82e6dbd125e8c

      SHA1

      04486c7131cbc5491a4658d3c929216bdb8768fe

      SHA256

      fa00b9398d27e6db4cd325362f2fd7fdbaa26a4095c026d9f2f2f43496dec30d

      SHA512

      01f26b7faaeaac8e69a2593244016db18334cd381df5913b1ff55962e9575e8bfb7db2682f37e518f7aa5a3bbc941b49f8c8f7c660fa07081b3d5fc2b68c1a11

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      12531e15358931f6dfefe0afe8871e37

      SHA1

      eca091be3032fdd2a802168b4b24b2bc74375342

      SHA256

      68c1d9d619997fe4e704f59a278c4570d295210b461a89d7f801bac5e75b07e0

      SHA512

      597dc2c37dd8244bce11227527a1161cf58392b8826322db681a8323b1fa7701475cc5986f567a6a8eeef95f97ea32ce5f465a866a861498fa499b05b82d0293

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      e62880d84a1505b95b84bd30e75e30cc

      SHA1

      3948412564b774244b2f74062e5f83be3104b912

      SHA256

      533677ceac535fd64ee2e3bb0be618a45b61f369426ad0f139c374caa1398305

      SHA512

      4f73c901a58adfebe328cb9da1a2a645037c6722bf8a88656d95d8bd5aae9cbf40cf057d9d38a05dab0221d60c5364ca4598b388773026303a1483f1544ded8d

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      ac9a26ed06cebe983547e9285b2e864a

      SHA1

      c4607d985d9f60fefd740f1aa96284d5e6a160dc

      SHA256

      7df3aec1babdfa4fe5be7e352b06f86c4ee7e06eb91b1eb0312cf6e5b5e28e3a

      SHA512

      d60cb526a47bb22c3852bb6fbd0cea1858cd5b48f519a51cc4b7612a99beeed865e0a662e074c5a6a8d5a6b84dd05f3de04345627d96dda0d9bb9db7a43cdb50

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab64CE.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar654E.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DFBBF8850A39AC0A9A.TMP
      Filesize

      16KB

      MD5

      a7c3694a84f18737a0908e6b817cf64e

      SHA1

      157fee6c9b1087262de62f679eb77c0205e04207

      SHA256

      f629db413a4c0601a80373eb05498594377e53bfd6ed7701dfc30ba163fc0710

      SHA512

      6b64528f00f986fa0eb8f43f106d65830b520137b503272d8ae3e649e2ee473083cfb67ed87cf612404222a7c452fc30c0141085822fd37e3d32c8e74e251883

      Download Submit

    • memory/2068-0-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2068-9-0x00000000002F0000-0x00000000002F2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2068-8-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2068-4-0x0000000000200000-0x000000000021B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2068-3-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2068-1-0x0000000000435000-0x000000000043A000-memory.dmp

      Filesize

      20KB

      Download

    • memory/2068-2-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download