gozi | 6938215029fecc79b97ea58aaa33d721e7078af9b14aa8cc848d55aed653a7e2

Analysis

max time kernel
136s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8f2cdcc41071630c65f958d688e75a4_JaffaCakes118.exe
Size

2.7MB
MD5

e8f2cdcc41071630c65f958d688e75a4
SHA1

22d4166c277d50e338b2c1432720f91ceb7eed57
SHA256

6938215029fecc79b97ea58aaa33d721e7078af9b14aa8cc848d55aed653a7e2
SHA512

7aae273b1e04ab510818886b67d6f763267e81b102ecbb8b8a4f07c7f798475cf8b5b175cc9135769e016d84653a20b8b582881b6c198781c9f507826f8e5e9f
SSDEEP

49152:51zajJPlAaWvlkgC3VXpKLXl5FOfo/1LpLBfIlcDC4V38rzRGbW0l5H0RwKMMp:KjhM67KnsWLpLBA+C62zR2H0iKMMp

Score

10^/10

gozi banker isfb trojan upx

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Deletes itself 1 IoCs

pid	Process
2288	e8f2cdcc41071630c65f958d688e75a4_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2288	e8f2cdcc41071630c65f958d688e75a4_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4628-0-0x0000000000400000-0x00000000008EF000-memory.dmp	upx
behavioral2/files/0x000900000002324b-11.dat	upx
behavioral2/memory/2288-13-0x0000000000400000-0x00000000008EF000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4628	e8f2cdcc41071630c65f958d688e75a4_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4628	e8f2cdcc41071630c65f958d688e75a4_JaffaCakes118.exe
2288	e8f2cdcc41071630c65f958d688e75a4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 2288	4628	e8f2cdcc41071630c65f958d688e75a4_JaffaCakes118.exe	96
PID 4628 wrote to memory of 2288	4628	e8f2cdcc41071630c65f958d688e75a4_JaffaCakes118.exe	96
PID 4628 wrote to memory of 2288	4628	e8f2cdcc41071630c65f958d688e75a4_JaffaCakes118.exe	96

C:\Users\Admin\AppData\Local\Temp\e8f2cdcc41071630c65f958d688e75a4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e8f2cdcc41071630c65f958d688e75a4_JaffaCakes118.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Users\Admin\AppData\Local\Temp\e8f2cdcc41071630c65f958d688e75a4_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e8f2cdcc41071630c65f958d688e75a4_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:4340

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e8f2cdcc41071630c65f958d688e75a4_JaffaCakes118.exe

Filesize
2.7MB

MD5
c91669a5b4625647b838615d816bf378

SHA1
614379b60e87546b2d0ddc9688cd95490bb04c3d

SHA256
9928b9aa2c72ed62a7a490cb3494782ff4328d29d82e0babf40cb8cbfa2dcbde

SHA512
2ab41248d15132a99e6649c6edd5f4393a63bfe4c8689d8086d661267e1dac3402a3d5ad933e1ec3f572cc577568433c5b8e754e5468fca23de482b944d5221b

Download Submit
memory/2288-13-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/2288-14-0x0000000001D70000-0x0000000001EA3000-memory.dmp

Filesize
1.2MB

Download
memory/2288-15-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/2288-20-0x0000000005670000-0x000000000589A000-memory.dmp

Filesize
2.2MB

Download
memory/2288-21-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2288-28-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/4628-0-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/4628-1-0x0000000001DB0000-0x0000000001EE3000-memory.dmp

Filesize
1.2MB

Download
memory/4628-2-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/4628-12-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download