gozi | f67e3a124214f6da00015a838ac6a1e4_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

f67e3a124214f6da00015a838ac6a1e4_JaffaCakes118
Size

222KB
MD5

f67e3a124214f6da00015a838ac6a1e4
SHA1

717e4cde593e09e8e00747cfb7706bf2c3c65158
SHA256

beeb2df96896b88238fe53dc07b2dccfd81df994ebacc756c1255862288f8597
SHA512

c9a87ec2fea543a5cbe056801f915ce3e1129edc2cfa4ca0b1c6fdb86d9e54960bfdbe30146251bb0552a945b513dcf76a72bfc4d68d552d7bb8476d7726f352
SSDEEP

6144:/HExb7VwvtKNbnvSxYNiyf+D3Lu3y57H:cxb5wvtKRvSxY0G+D7u3G

Score

10^/10

isfb 4474 gozi

Malware Config

Extracted

Family

gozi

Botnet

4474

lycos.com

mail.yahoo.com

193.56.255.251

193.56.255.250

193.56.255.249

numolerunosell.online

gumolerunosell.online

rumolerunosell.online

Attributes

base_path
/images/
dga_season
10
dga_tlds
com

ru

org
exe_type
worker
extension
.avi
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi family
gozi

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
f67e3a124214f6da00015a838ac6a1e4_JaffaCakes118

Files

f67e3a124214f6da00015a838ac6a1e4_JaffaCakes118
.dll windows:5 windows x64 arch:x64

a2bba8f9bc87dc77d912b0ff63f31a67

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

ZwClose
ZwOpenProcess
ZwQueryInformationToken
NtSetInformationProcess
sprintf
ZwOpenProcessToken
strcpy
ZwQueryInformationProcess
RtlNtStatusToDosError
NtQuerySystemInformation
_wcsupr
memmove
wcscpy
_snprintf
mbstowcs
ZwQueryKey
RtlFreeUnicodeString
RtlUpcaseUnicodeString
wcstombs
RtlAdjustPrivilege
memset
_strupr
_snwprintf
memcpy
RtlImageNtHeader
NtQueryInformationThread
__C_specific_handler
RegisterWaitForSingleObject
VirtualProtectEx
FileTimeToLocalFileTime
CreateFileMappingW
GetModuleFileNameA
GetModuleFileNameW
QueryPerformanceFrequency
GetLocalTime
FileTimeToSystemTime
GetComputerNameExA
GetComputerNameW
QueryPerformanceCounter
GetTempFileNameA
CreateThread
TerminateThread
GetCurrentProcessId
GetVersion
HeapAlloc
HeapFree
WaitForSingleObject
ExitThread
lstrlenW
GetLastError
ResetEvent
CloseHandle
DeleteFileW
CreateFileA
lstrlenA
WriteFile
lstrcatA
CreateDirectoryA
RemoveDirectoryA
LoadLibraryA
DeleteFileA
lstrcpyA
HeapReAlloc
SetEvent
GetSystemTimeAsFileTime
HeapDestroy
HeapCreate
GetModuleHandleA
ExitProcess
GetFileSize
lstrcmpA
SetWaitableTimer
CreateDirectoryW
GetTickCount
GetCurrentThread
VirtualFree
GetWindowsDirectoryA
GetCommandLineA
InitializeCriticalSection
OpenProcess
Sleep
CopyFileW
CreateEventA
LeaveCriticalSection
TerminateProcess
CreateFileW
VirtualAlloc
EnterCriticalSection
lstrcmpiW
lstrcatW
GetCurrentThreadId
DuplicateHandle
GetTempPathA
SuspendThread
ResumeThread
lstrcpyW
SwitchToThread
MapViewOfFile
UnmapViewOfFile
SetLastError
lstrcmpiA
OpenWaitableTimerA
OpenMutexA
WaitForMultipleObjects
CreateMutexA
ReleaseMutex
CreateWaitableTimerA
UnregisterWait
TlsGetValue
LoadLibraryExW
TlsSetValue
GetVersionExA
VirtualProtect
TlsAlloc
OpenEventA
RemoveVectoredExceptionHandler
AddVectoredExceptionHandler
GetProcAddress
GetDriveTypeW
GetLogicalDriveStringsW
WideCharToMultiByte
GetFileAttributesA
GetExitCodeProcess
GetFileAttributesW
CreateProcessA
CreateFileMappingA
OpenFileMappingA
lstrcpynA
GlobalLock
GlobalUnlock
LocalFree
Thread32First
Thread32Next
QueueUserAPC
OpenThread
CreateToolhelp32Snapshot
CallNamedPipeA
WaitNamedPipeA
ConnectNamedPipe
ReadFile
GetOverlappedResult
DisconnectNamedPipe
FlushFileBuffers
CreateNamedPipeA
CancelIo
GetSystemTime
SleepEx
LocalAlloc
FreeLibrary
RaiseException
DeleteCriticalSection
VirtualQuery
ExpandEnvironmentStringsW
FindNextFileW
RemoveDirectoryW
FindClose
SetEndOfFile
SetFilePointer
FindFirstFileW

Sections

.text
Size: 178KB - Virtual size: 178KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

a2bba8f9bc87dc77d912b0ff63f31a67

Headers

File Characteristics

Imports

Sections

.text Size: 178KB - Virtual size: 178KB

.rdata Size: 19KB - Virtual size: 18KB

.data Size: 6KB - Virtual size: 7KB

.pdata Size: 6KB - Virtual size: 5KB

.bss Size: 8KB - Virtual size: 8KB

.reloc Size: 3KB - Virtual size: 4KB

.text
Size: 178KB - Virtual size: 178KB

.rdata
Size: 19KB - Virtual size: 18KB

.data
Size: 6KB - Virtual size: 7KB

.pdata
Size: 6KB - Virtual size: 5KB

.bss
Size: 8KB - Virtual size: 8KB

.reloc
Size: 3KB - Virtual size: 4KB