Overview

overview

10

Static

static

3

clientexe_JC.exe

windows7-x64

10

clientexe_JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-10-2023 18:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    clientexe_JC.exe

  • Size

    304KB

  • MD5

    27b1d878636e00e43436184b70e9f41c

  • SHA1

    b175d86922e1e837d8d74b588ff746ea7b8670df

  • SHA256

    fe05e50be407f5efcb1870991f86ec721fd7088e92782a60aa815e0a68eb486e

  • SHA512

    086b34070946d275ef50552969c6e561349299eb7eece513ca4504c84ad7810a02428a1540ecd715541139f500137209c94297a331dfa87c18afa2d91e24349e

  • SSDEEP

    6144:R+91vEOpa6NK56upTHirwtRinshvjxdyhgAw8Fi5r+IxsN+:8Dsf4K56u1HqLshvjxia8Mr+/

Score
10/10
gozi5050bankerdaveisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

systemcheck.top
Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Dave packer 1 IoCs

    Detects executable using a packer named 'Dave' by the community, based on a string at the end.

    dave
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 46 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3784
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:4964
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:4032
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:724
        • C:\Users\Admin\AppData\Local\Temp\clientexe_JC.exe
          "C:\Users\Admin\AppData\Local\Temp\clientexe_JC.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1388
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Wcev='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Wcev).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\304F83E1-CF18-E2AF-D964-73361DD857CA\\\OperatorAbout'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4892
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wksdnp -value gp; new-alias -name ftyhkj -value iex; ftyhkj ([System.Text.Encoding]::ASCII.GetString((wksdnp "HKCU:Software\AppDataLow\Software\Microsoft\304F83E1-CF18-E2AF-D964-73361DD857CA").ClassDocument))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4108
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xjozj10c\xjozj10c.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1900
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F3B.tmp" "c:\Users\Admin\AppData\Local\Temp\xjozj10c\CSCFEB4F06152C04D23BAE866F6AE37FB.TMP"
                5⤵
                  PID:4316
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\luwp1qj1\luwp1qj1.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2380
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2016.tmp" "c:\Users\Admin\AppData\Local\Temp\luwp1qj1\CSCA33A308941EC49A382FFD0D8825331FA.TMP"
                  5⤵
                    PID:3808
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\clientexe_JC.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:2476
              • C:\Windows\system32\PING.EXE
                ping localhost -n 5
                3⤵
                • Runs ping.exe
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:392
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:4064
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:412

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\RES1F3B.tmp
              Filesize

              1KB

              MD5

              1cf20fe16b4b4aed2daf85bcf9ed6828

              SHA1

              3de5b6fd70dfb1d1d5617a153fb1c59d89cefa8c

              SHA256

              73b8646c84c2bcb3823de3029e2702b40dadad12d63eae8217dc6b0dcc79cb6b

              SHA512

              b968295fb3a02e6288462fab1d2f35639ed4f105ce86018944f4dd91ec55a78687ba2593571eed932192b175449c22a90971e687c8f3573ffc3cae766d159c27

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\RES2016.tmp
              Filesize

              1KB

              MD5

              c2c17baaf49a014c5e6d33aceb2b2595

              SHA1

              62d69320423a6bfffcc973740f02ad5b0bde27f6

              SHA256

              508dfb9e1159a4b965d7a883d9ff9f69bcafc5854c0180dd79d07c5a1170acc7

              SHA512

              f92451adf27760168f173b7185c93b352897ebcbf5192d5478a0ad9bf207db329f8f172f575c1c081975f578cd2cbe79b39f66040b288e86a26a0c62f84f7370

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xujestgl.ipm.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\luwp1qj1\luwp1qj1.dll
              Filesize

              3KB

              MD5

              1a177a277cdfebeb124b80a5ca0cd259

              SHA1

              b42437f635146baae1c1c8b1f1664d6aef439b2f

              SHA256

              aa2afffeebd4083a59a95989df83fde8815a465edccb80eb1bbf188a60fccb74

              SHA512

              bf5e35820eab9091a4922fd3c29d3aa075d037a87f202e1f22eb9d9607c80279588f94e98e0a47440b54fea2ee98c4aa70fbe6aeec92af1f64229065d3d4be5f

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\xjozj10c\xjozj10c.dll
              Filesize

              3KB

              MD5

              acf2e554681a83d97bc4078aa73c8613

              SHA1

              ee48ea1a9cf6be35f9e0a15f4ada1047b7393af2

              SHA256

              6ed7bbc6ca0cab7f3987e2800da87a29b82fb0c64eccced992340f843c1cb433

              SHA512

              1e283b0057d93dad14110856a0cd867a6c0cadc7c17150c9048fb89e5cbf7cab3beacf65fc59578cbd6d0a5fa2b8ebe900da109997b74b48e3458f9551cf813c

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\luwp1qj1\CSCA33A308941EC49A382FFD0D8825331FA.TMP
              Filesize

              652B

              MD5

              361386d5770d47321ef19653e226168c

              SHA1

              e1831ddc8df4fef061bd25c87ef4f6d7776847a4

              SHA256

              ea2623e8062edc900c4c36293045d1d7a42f6243cb727852faccb43b93d271c2

              SHA512

              29aa35fac70477dea0bf40aafa45dd59000f90beec29eeaaf14ecfbc4d7be84ad7ea248ffe84071cf765f4d7bf83defaaa5d52e713f2adbafd90cf3fc8bd4eb2

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\luwp1qj1\luwp1qj1.0.cs
              Filesize

              406B

              MD5

              ca8887eacd573690830f71efaf282712

              SHA1

              0acd4f49fc8cf6372950792402ec3aeb68569ef8

              SHA256

              568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

              SHA512

              2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\luwp1qj1\luwp1qj1.cmdline
              Filesize

              369B

              MD5

              846577377b072f292fa17aea974cd959

              SHA1

              504ea31ad70d13b9d869d0a8fbd64a157ba5e470

              SHA256

              b1530e3ef316e726f60badeaf17fbf38805478f1ae938026008a965119088761

              SHA512

              27128d6ff9fc72ba6efd2b36dd215bf723c5f721164b70e67c5ec029c5b523d8886f7d51906ce9a915506b08991c7aa03679bf922cdef62cd47c2349d8f31d2b

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\xjozj10c\CSCFEB4F06152C04D23BAE866F6AE37FB.TMP
              Filesize

              652B

              MD5

              9ec2650ed60b1c9757e3b4f059e62fe3

              SHA1

              0b1fd3c34f0d744e7f018df57ae3bde8cd005f49

              SHA256

              3b493213690ef5083c8ccd88eeed1f4d175fedfd34f1d4ca796c7ea26f0df74d

              SHA512

              98ac2408e99ed25439f6849d531f09addfd1a8462f91530fecf0a3129f7783669d1b7f9b8d3e2b4f84ab1c4bf8509061420c1b32aa45dd7c32be35ca80425b1c

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\xjozj10c\xjozj10c.0.cs
              Filesize

              405B

              MD5

              caed0b2e2cebaecd1db50994e0c15272

              SHA1

              5dfac9382598e0ad2e700de4f833de155c9c65fa

              SHA256

              21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

              SHA512

              86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\xjozj10c\xjozj10c.cmdline
              Filesize

              369B

              MD5

              d400925d352fdfe33ebcc1bc479a3947

              SHA1

              67e93c35af45f08f83d5fbc803a4bb74a6738c1c

              SHA256

              dce3d4904c440f852ca30139c51bb2a470aa793ebb3988a73d7951f370f29f6f

              SHA512

              80813c8ac1c790c30dc2337c16a9d25b8a061925e7bc5dff02680455530ced0ea55c42abc7a0dd27dd2cde82df691633599e4abe57750a9a998cc58580718b7f

              Download Submit

            • memory/392-107-0x0000013AB73D0000-0x0000013AB7474000-memory.dmp

              Filesize

              656KB

              Download

            • memory/392-108-0x0000013AB7480000-0x0000013AB7481000-memory.dmp

              Filesize

              4KB

              Download

            • memory/392-118-0x0000013AB73D0000-0x0000013AB7474000-memory.dmp

              Filesize

              656KB

              Download

            • memory/412-111-0x0000027832FB0000-0x0000027833054000-memory.dmp

              Filesize

              656KB

              Download

            • memory/412-91-0x0000027832930000-0x0000027832931000-memory.dmp

              Filesize

              4KB

              Download

            • memory/412-90-0x0000027832FB0000-0x0000027833054000-memory.dmp

              Filesize

              656KB

              Download

            • memory/724-58-0x0000000008B90000-0x0000000008C34000-memory.dmp

              Filesize

              656KB

              Download

            • memory/724-95-0x0000000008B90000-0x0000000008C34000-memory.dmp

              Filesize

              656KB

              Download

            • memory/724-59-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1388-0-0x0000000000840000-0x000000000084F000-memory.dmp

              Filesize

              60KB

              Download

            • memory/1388-1-0x00000000007E0000-0x00000000007EC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1388-5-0x0000000000850000-0x000000000085F000-memory.dmp

              Filesize

              60KB

              Download

            • memory/1388-11-0x00000000008C0000-0x00000000008CD000-memory.dmp

              Filesize

              52KB

              Download

            • memory/2476-99-0x0000015FAAD00000-0x0000015FAADA4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/2476-100-0x0000015FAADB0000-0x0000015FAADB1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2476-119-0x0000015FAAD00000-0x0000015FAADA4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/3784-96-0x00000176B7600000-0x00000176B76A4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/3784-73-0x00000176B73E0000-0x00000176B73E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3784-72-0x00000176B7600000-0x00000176B76A4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/4032-98-0x00000191CED10000-0x00000191CEDB4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/4032-78-0x00000191CED10000-0x00000191CEDB4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/4032-79-0x00000191CC9B0000-0x00000191CC9B1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4064-110-0x0000000001300000-0x0000000001398000-memory.dmp

              Filesize

              608KB

              Download

            • memory/4064-117-0x0000000001300000-0x0000000001398000-memory.dmp

              Filesize

              608KB

              Download

            • memory/4064-114-0x0000000000A60000-0x0000000000A61000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4108-70-0x00000187CC5F0000-0x00000187CC62D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4108-56-0x00000187CC5F0000-0x00000187CC62D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4108-54-0x00000187CC5E0000-0x00000187CC5E8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4108-40-0x00000187CC3B0000-0x00000187CC3B8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4108-27-0x00000187CC120000-0x00000187CC130000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4108-26-0x00000187CC120000-0x00000187CC130000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4108-69-0x00007FFD35690000-0x00007FFD36151000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4108-25-0x00007FFD35690000-0x00007FFD36151000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4108-15-0x00000187CC230000-0x00000187CC252000-memory.dmp

              Filesize

              136KB

              Download

            • memory/4964-102-0x000001F04D180000-0x000001F04D224000-memory.dmp

              Filesize

              656KB

              Download

            • memory/4964-85-0x000001F04AF80000-0x000001F04AF81000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4964-84-0x000001F04D180000-0x000001F04D224000-memory.dmp

              Filesize

              656KB

              Download