gozi | 41c0934ba1be030dbae45893107f6a2ae5f99c79d7634626263cdf809f7556ee

Analysis

max time kernel
141s
max time network
125s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
03-04-2024 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e67e68ddbedba865b91b5469ab642ef_JaffaCakes118.dll
Size

701KB
MD5

9e67e68ddbedba865b91b5469ab642ef
SHA1

f2c7b0735343081be06e48616d0fc14235a28744
SHA256

41c0934ba1be030dbae45893107f6a2ae5f99c79d7634626263cdf809f7556ee
SHA512

802d983ca7ca04ae737da69ed5772eece8f408c6c02c8d0c42cfea1c1abf25236b02c35c09d56f3ba6a229b3b71f72fa3d4c6735c8670c76affdbbc139b63d87
SSDEEP

12288:aUAQSxl6fDEr8Np6b/rPPsjosrS9aEoe+0JCym+4YJAOSVUNcuHIGF4uW/XrGAsV:az3xl6fq8Np6bTPPaBreaZlYCOSVol2a

Score

10^/10

gozi 8899 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

8899

msn.com/mail

breuranel.website

outlook.com/signup

areuranel.website

Attributes

base_path
/liopolo/
build
260212
dga_season
10
exe_type
loader
extension
.jre
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1624 wrote to memory of 2052	1624	rundll32.exe	rundll32.exe
PID 1624 wrote to memory of 2052	1624	rundll32.exe	rundll32.exe
PID 1624 wrote to memory of 2052	1624	rundll32.exe	rundll32.exe
PID 1624 wrote to memory of 2052	1624	rundll32.exe	rundll32.exe
PID 1624 wrote to memory of 2052	1624	rundll32.exe	rundll32.exe
PID 1624 wrote to memory of 2052	1624	rundll32.exe	rundll32.exe
PID 1624 wrote to memory of 2052	1624	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9e67e68ddbedba865b91b5469ab642ef_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9e67e68ddbedba865b91b5469ab642ef_JaffaCakes118.dll,#1
2⤵
PID:2052

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2052-0-0x0000000074930000-0x0000000074A7C000-memory.dmp

Filesize
1.3MB

Download
memory/2052-2-0x0000000074930000-0x0000000074A7C000-memory.dmp

Filesize
1.3MB

Download
memory/2052-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2052-4-0x0000000000390000-0x00000000003A0000-memory.dmp

Filesize
64KB

Download
memory/2052-7-0x0000000074930000-0x0000000074A7C000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads