Overview

overview

10

Static

static

3

e24537cc5c...18.exe

windows7-x64

10

e24537cc5c...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-12-2024 16:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e24537cc5cc2a0c3d2b0a436225bcb9f_JaffaCakes118.exe

  • Size

    3.5MB

  • MD5

    e24537cc5cc2a0c3d2b0a436225bcb9f

  • SHA1

    f0c95f060d39c0b7278259a67f947b7617fa16f9

  • SHA256

    c58f196fdf796e7ee65379f54a74a2bf99c1d76148d0bc3fb18376dfe83d09e3

  • SHA512

    ce854efc998042fd2a9728100c24821117daac275a9ab8850bbff151dd3aeee6f16af7224d8b057514dc662e85968a631f42bc38bdb135e96f72d9c00373341d

  • SSDEEP

    98304:qTe3GIxSRqXxpS/bvI5HYuirZlRx1npV9u1O:qe3GIxSRwxGIRFir/R7npVMo

Score
10/10
gozibankerdiscoveryisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    217038

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Gozi family
    gozi
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 10 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NSIS installer 2 IoCs
    installer
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e24537cc5cc2a0c3d2b0a436225bcb9f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e24537cc5cc2a0c3d2b0a436225bcb9f_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Users\Admin\AppData\Local\Temp\is-CLQFE.tmp\e24537cc5cc2a0c3d2b0a436225bcb9f_JaffaCakes118.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-CLQFE.tmp\e24537cc5cc2a0c3d2b0a436225bcb9f_JaffaCakes118.tmp" /SL5="$5014E,3303661,121344,C:\Users\Admin\AppData\Local\Temp\e24537cc5cc2a0c3d2b0a436225bcb9f_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Program Files (x86)\LetsSee!\smcphost.exe
        "C:\Program Files (x86)\LetsSee!\smcphost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1156
        • C:\Program Files (x86)\LetsSee!\smcphost.exe
          "C:\Program Files (x86)\LetsSee!\smcphost.exe"
          4⤵
          • Executes dropped EXE
          PID:1592
      • C:\Program Files (x86)\LetsSee!\YTLoader.exe
        "C:\Program Files (x86)\LetsSee!\YTLoader.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 1180
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:1816

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Program Files (x86)\LetsSee!\YTLoader.exe
    Filesize

    3.0MB

    MD5

    c53d2de8becdaf58caba89a297455c65

    SHA1

    c60da079393025e63475683375e0a045cefa3473

    SHA256

    7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

    SHA512

    a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

    Download Submit

  • \Program Files (x86)\LetsSee!\smcphost.exe
    Filesize

    152KB

    MD5

    61dfa5e2f9fcfc20ed85958aa57f604f

    SHA1

    dfef7530c2e0e6ac7ba6aaae9a32bf891ce36e23

    SHA256

    c1e37638c7f2d94ab6dce9fa53bfe1ef80f5ea318e01cceee36a88959dd9ee1a

    SHA512

    f6c250173391bf9666179a83b6792737a2fb3d0a7bc6f93f7bdc3166c009e38fa080c7aa95487b8e7c77a986a788ec39824c2701692caf59bd122e7e09dbd6d2

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-CLQFE.tmp\e24537cc5cc2a0c3d2b0a436225bcb9f_JaffaCakes118.tmp
    Filesize

    1.1MB

    MD5

    34acc2bdb45a9c436181426828c4cb49

    SHA1

    5adaa1ac822e6128b8d4b59a54d19901880452ae

    SHA256

    9c81817acd4982632d8c7f1df3898fca1477577738184265d735f49fc5480f07

    SHA512

    134ff4022571efd46f7a62e99b857ebe834e9916c786345908010f9e1fb90be226b740ddee16ae9290fe45c86be7238c4555e422abe66a461d11545e19734beb

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nst69AC.tmp\System.dll
    Filesize

    11KB

    MD5

    2ae993a2ffec0c137eb51c8832691bcb

    SHA1

    98e0b37b7c14890f8a599f35678af5e9435906e1

    SHA256

    681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

    SHA512

    2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

    Download Submit

  • memory/1592-39-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1592-41-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1592-71-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1916-11-0x0000000000400000-0x000000000052E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1916-27-0x0000000000400000-0x000000000052E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1916-8-0x0000000000400000-0x000000000052E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1916-64-0x0000000000400000-0x000000000052E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2364-10-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2364-2-0x0000000000401000-0x0000000000412000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2364-65-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2364-0-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2684-49-0x00000000052E0000-0x000000000573A000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2684-52-0x00000000002E0000-0x00000000002EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2684-51-0x00000000002D0000-0x00000000002DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2684-50-0x00000000001E0000-0x00000000001F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2684-56-0x0000000000470000-0x0000000000478000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2684-55-0x0000000000460000-0x000000000046E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2684-58-0x00000000006F0000-0x00000000006F8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2684-57-0x0000000000540000-0x0000000000548000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2684-60-0x0000000000720000-0x0000000000728000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2684-61-0x0000000000730000-0x0000000000738000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2684-59-0x0000000000700000-0x0000000000708000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2684-54-0x0000000000350000-0x0000000000358000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2684-53-0x0000000000340000-0x000000000034A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2684-48-0x00000000001A0000-0x00000000001AA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2684-47-0x0000000001020000-0x0000000001328000-memory.dmp

    Filesize

    3.0MB

    Download