Malware Analysis Report

2025-01-22 16:26

Sample ID 240930-dwtgtsvgpm
Target ffdb42073f5782cf8f55eaa264330a29_JaffaCakes118
SHA256 de4339620039110d188971ade20a6d713db0561e1eab89a4a99661f22a09d144
Tags
gozi 3153 banker discovery isfb trojan
score
10/10

Analysis Overview

score
10/10

SHA256

de4339620039110d188971ade20a6d713db0561e1eab89a4a99661f22a09d144

Threat Level: Known bad

The file ffdb42073f5782cf8f55eaa264330a29_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gozi 3153 banker discovery isfb trojan

Gozi

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-30 03:21

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-30 03:21

Reported

2024-09-30 03:24

Platform

win7-20240903-en

Max time kernel

99s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ffdb42073f5782cf8f55eaa264330a29_JaffaCakes118.exe"

Signatures

Gozi

banker trojan gozi

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ffdb42073f5782cf8f55eaa264330a29_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b0000000002000000000010660000000100002000000055a92cc71c6e2864dd693db3f2a2fbf1bb6fc430d17598de646c94dd35cbe285000000000e800000000200002000000011e9765d0195d865cfe778b375ca17d5b2606e0ab35bd03d14f478d0275ba5d020000000151f064f7473c869e967d2ab847a3726f58b6d0b713c4aee65d2653b24ee18a440000000f14696f0c807cb8719b7aa576e18d0cbb8280de5df0639632472b1e2a61c3ef38089dcc114e6c1cc332eb07338cb4d31ffba1d9bf1f002a79f60c6d11d3369b3 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433828422" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70a1a610e812db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3B5DB021-7EDB-11EF-A0D9-6E295C7D81A3} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value not preserved in this copy of the report) | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ffdb42073f5782cf8f55eaa264330a29_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ffdb42073f5782cf8f55eaa264330a29_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2896 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | biesbetiop.com | udp
US | 54.244.188.177:80 | biesbetiop.com | tcp
US | 54.244.188.177:80 | biesbetiop.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

memory/2592-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2592-1-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2592-2-0x00000000001F0000-0x000000000020B000-memory.dmp

memory/2592-7-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2592-8-0x00000000002B0000-0x00000000002B2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-30 03:21

Reported

2024-09-30 03:24

Platform

win10v2004-20240802-en

Max time kernel

90s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ffdb42073f5782cf8f55eaa264330a29_JaffaCakes118.exe"

Signatures

Gozi

banker trojan gozi

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ffdb42073f5782cf8f55eaa264330a29_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31134440" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80c9260de812db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000262c84e5c2a8b24db398d3ff1cc7357000000000020000000000106600000001000020000000f765e5c2ebd095cd2b2fec2a8508dc87840ba37793e122f586cfa2c6747892af000000000e8000000002000020000000c56e56f7879925da0769700d737ae11b02e44c47db19d8336ec547f4e044883d20000000dba02b08a94938458fd0015ed272d3c8984a3e814d6cc1e4025f4e0556c155fa40000000455221f5018f6f45a4880e99616ba37348ee7bf075a6701cd7b26252ca6e5b92414c6feba40965ed420d406db9aedd8d3332569fd6ca6e85bab80acdd91ca90c | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 907f240de812db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "208780159" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31134440" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{37FC43F9-7EDB-11EF-8D5B-7221D8032630} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000262c84e5c2a8b24db398d3ff1cc735700000000002000000000010660000000100002000000082ac7a04241dc7278b5cf23550537ff73ca36b697c9adab5c5062de15b0f4fd3000000000e80000000020000200000002c69bf60af2d3b1e6ccaefe01f50e03d82efee8c827cfbabee1d37f2436058e1200000007e05d3385260bd8874feca5361cbe99b5f77faa1048cf69c67295d54fe54297d400000009f911c3c02d12bd8f561b32f7160a5a1e8003b903ca2060b0293c11b240ad8dcd032258d60f1914ad2bbe4797be818621df73c302578ebfcd7b16c71740f9cb9 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "208936162" | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ffdb42073f5782cf8f55eaa264330a29_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ffdb42073f5782cf8f55eaa264330a29_JaffaCakes118.exe"

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:17410 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | biesbetiop.com | udp
US | 54.244.188.177:80 | biesbetiop.com | tcp
US | 54.244.188.177:80 | biesbetiop.com | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 177.188.244.54.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp

Files

memory/3384-0-0x00000000006C0000-0x00000000006C1000-memory.dmp

memory/3384-1-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3384-2-0x00000000021D0000-0x00000000021EB000-memory.dmp

memory/3384-6-0x00000000006C0000-0x00000000006C1000-memory.dmp