Overview

overview

10

Static

static

3

b633568bdf...18.exe

windows7-x64

10

b633568bdf...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-06-2024 01:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b633568bdfb080391bf6bd6e3d03beaf_JaffaCakes118.exe

  • Size

    139KB

  • MD5

    b633568bdfb080391bf6bd6e3d03beaf

  • SHA1

    862fa1fa4fbaaf5973eb59454598c5ae78f0df57

  • SHA256

    d218cf64252c0e223b229d8a85a9f8d2aa95fdfc8bd76d7447e8e1d18091d126

  • SHA512

    e0d2decf301cfac803ec0c8cf572c1f3686524a089c98b4bd578e40c26003a1d6dcf2be329f3ffb8758d1e853801216fadfc0c3ed9a6339712ddbb6a852aaf5f

  • SSDEEP

    3072:K17ujx+j3Y2QoGRSd7I9VvI0i+Enq5L0pq/43M:Ktu1+j3YJ1RI9TqL0c/j

Score
10/10
gozi3134bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    215165

Extracted

Family

gozi

Botnet

3134

C2

zweideckei.com

ziebelschr.com

endetztera.com
Attributes
  • build

    215165

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b633568bdfb080391bf6bd6e3d03beaf_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b633568bdfb080391bf6bd6e3d03beaf_JaffaCakes118.exe"
    1⤵
      PID:5092
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:4400
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4064
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4064 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4360
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1924
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1924 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4204
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2764
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2764 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3400
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1476
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1476 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3696
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4144
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4144 CREDAT:17410 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:552
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
          PID:780
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:780 CREDAT:17410 /prefetch:2
            2⤵
              PID:636

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8Z1Z4637\httpErrorPagesScripts[1]
            Filesize

            11KB

            MD5

            9234071287e637f85d721463c488704c

            SHA1

            cca09b1e0fba38ba29d3972ed8dcecefdef8c152

            SHA256

            65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649

            SHA512

            87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCKU5E0S\NewErrorPageTemplate[1]
            Filesize

            1KB

            MD5

            dfeabde84792228093a5a270352395b6

            SHA1

            e41258c9576721025926326f76063c2305586f76

            SHA256

            77b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075

            SHA512

            e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QQACG5HD\down[1]
            Filesize

            748B

            MD5

            c4f558c4c8b56858f15c09037cd6625a

            SHA1

            ee497cc061d6a7a59bb66defea65f9a8145ba240

            SHA256

            39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

            SHA512

            d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QQACG5HD\errorPageStrings[1]
            Filesize

            4KB

            MD5

            d65ec06f21c379c87040b83cc1abac6b

            SHA1

            208d0a0bb775661758394be7e4afb18357e46c8b

            SHA256

            a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

            SHA512

            8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZRDQ3WBJ\dnserror[1]
            Filesize

            2KB

            MD5

            2dc61eb461da1436f5d22bce51425660

            SHA1

            e1b79bcab0f073868079d807faec669596dc46c1

            SHA256

            acdeb4966289b6ce46ecc879531f85e9c6f94b718aab521d38e2e00f7f7f7993

            SHA512

            a88becb4fbddc5afc55e4dc0135af714a3eec4a63810ae5a989f2cecb824a686165d3cedb8cbd8f35c7e5b9f4136c29dea32736aabb451fe8088b978b493ac6d

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\~DF013FD7EB87D44616.TMP
            Filesize

            16KB

            MD5

            4a44bd7b4959c39f2fa396abe775d2fd

            SHA1

            9b57bd822225630b0023a4d117606314e2ab124f

            SHA256

            15c4dea002c2e9d2ac26e6396040f09af9aca66b889795e99d42663034c6c0f2

            SHA512

            c040a07d6f56ffdb5babb316a1c71121509e9b95fb3ccf7898911355399df3e46d092a90ed96910ed2ef1ab1ae50cc6b6be0cf6e78754383b5aa2d142f94b32a

            Download Submit
          • memory/5092-0-0x0000000002050000-0x0000000002051000-memory.dmp
            Filesize

            4KB

            Download
          • memory/5092-1-0x0000000000400000-0x0000000000431000-memory.dmp
            Filesize

            196KB

            Download
          • memory/5092-2-0x0000000002080000-0x000000000209B000-memory.dmp
            Filesize

            108KB

            Download
          • memory/5092-14-0x0000000002050000-0x0000000002051000-memory.dmp
            Filesize

            4KB

            Download