Analysis

  • max time kernel
    142s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250313-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/03/2025, 21:36

General

  • Target

    60eafa94ceb03b819234435aebd7784597eb212f6a796a4a1052b19beb854a30.js

  • Size

    1.3MB

  • MD5

    34686f47e7d2f9206fd5dab3814ed870

  • SHA1

    447fbec5fb2ffe97d839ce8ed56a75383dca02c1

  • SHA256

    60eafa94ceb03b819234435aebd7784597eb212f6a796a4a1052b19beb854a30

  • SHA512

    092c9f37b44781031cd731a7c8fd358a3de4ac8be1192176bbb558e87a313c664918cc895e6c1971138342fb4bf24423afb6398ef6431d05c24f28a7c8788076

  • SSDEEP

    6144:Zi9kVg2B54Ah7JHNhbvxPKf1wGYew0CATXH4R+LcKzwi1w3R1V8KyIvSzxRUXkjN:ZA

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

3300

C2

addlock.mitial.at/api1

Attributes
  • build

    250141

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    730

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Gozi family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\60eafa94ceb03b819234435aebd7784597eb212f6a796a4a1052b19beb854a30.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:212
    • C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\\AiJkqydZbl.txt
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4544
      • C:\Windows\SysWOW64\regsvr32.exe
        -s C:\Users\Admin\AppData\Local\Temp\\AiJkqydZbl.txt
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:5840
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    PID:3616
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1208 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2192
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2396 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3756
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1344
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1344 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:5444
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5508
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5508 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:856

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AiJkqydZbl.txt

    Filesize

    204KB

    MD5

    952bc67de7e7e40d3938ae5d9118bde9

    SHA1

    c9479c7cbe08c9b9c8d022f0a9dc0d64277936e8

    SHA256

    52b9735c9182c90dcf54bb2d1ae287bd702417070fa3dd403232b0a5c26b857f

    SHA512

    667a6894b3e772822a926e6543819f351639436e6a8d98f7bc6238f77c2d3d62227ab11b3beb007326437317c52e690a62f539ce196258f6c07192acbb1565ea

  • C:\Users\Admin\AppData\Local\Temp\~DF74B3E2E29396563F.TMP

    Filesize

    16KB

    MD5

    5efed328fb36ab679370fc95369d058c

    SHA1

    fa6ca2a3f3ee2c5a12375f2fb42be6cce891dc6c

    SHA256

    a789e5861442df6a4a2901ddc64d7349f31dba291eeeecc589d6c356166a5d21

    SHA512

    33f776b71a9a37fc1973f2cf7fec289bb6c00763f9d90fd615248e28849ff43da7b49f72d80d672a47319224987399de9006e1518ca3b2ee26f0ea2d8bfac599

  • memory/5840-3-0x0000000000418000-0x000000000041B000-memory.dmp

    Filesize

    12KB

  • memory/5840-5-0x0000000000400000-0x000000000052E000-memory.dmp

    Filesize

    1.2MB

  • memory/5840-4-0x0000000000400000-0x000000000052E000-memory.dmp

    Filesize

    1.2MB

  • memory/5840-6-0x0000000002D80000-0x0000000002D90000-memory.dmp

    Filesize

    64KB

  • memory/5840-10-0x0000000000418000-0x000000000041B000-memory.dmp

    Filesize

    12KB