gozi | 92c29cbb855e9063061dcfc9c205a672c69a405633f0b1781518f3801ca16bb3

Analysis

max time kernel
145s
max time network
153s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2df2ce148f8cadd995b146606ab02fef_JaffaCakes118.exe
Size

292KB
MD5

2df2ce148f8cadd995b146606ab02fef
SHA1

bf7344140b981bdc24b8f065fab6dda5c3419147
SHA256

92c29cbb855e9063061dcfc9c205a672c69a405633f0b1781518f3801ca16bb3
SHA512

017ff03b8e83ce0541a6a4e7a0581ee1d660188d3bc2481919d465ecc02036ee384817a9d99dc9139382a239622b8f79e0bd83b8808966c907f074ef02b54ffc
SSDEEP

3072:vKF4z5RUYfiu79iq1YHJiHFvdHw2LGQKihrieFPgjySz9UNottJ5//5lfr2qR:vKF4z5RBfwgtHjGwijyloF72qR

Score

10^/10

gozi 2000 banker isfb trojan

Malware Config

Extracted

Family

gozi

Botnet

2000

g2.ex100p.at/webstore

beetfeetlife.bit/webstore

in.termas.at/webstore

ax.ikobut.at/webstore

sm.dvloop.at/webstore

extra.avareg.cn/webstore

api.ex100p.at/webstore

foo.avaregio.at/webstore

op.basedok.at/webstore

f1.cnboal.at/webstore

xxx.lapoder.at/webstore

core.cnboal.at/webstore

pop.muongo.at/webstore

Attributes

build
217061
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
dns_servers
192.71.245.208

8.8.8.8

178.17.170.179

82.196.9.45

151.80.222.79

68.183.70.217

217.144.135.7

158.69.160.164

207.148.83.241

5.189.170.196

217.144.132.148

94.247.43.254

188.165.200.156

159.89.249.249

150.249.149.222
exe_type
loader
server_id
550

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Unexpected DNS network traffic destination 15 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	94.247.43.254
Destination IP	150.249.149.222
Destination IP	82.196.9.45
Destination IP	151.80.222.79
Destination IP	217.144.132.148
Destination IP	188.165.200.156
Destination IP	178.17.170.179
Destination IP	192.71.245.208
Destination IP	217.144.135.7
Destination IP	5.189.170.196
Destination IP	192.71.245.208
Destination IP	68.183.70.217
Destination IP	158.69.160.164
Destination IP	207.148.83.241
Destination IP	159.89.249.249

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9B684E31-0E9C-11EF-ADBF-FA30248A334C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2356 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2356 iexplore.exe
2356 iexplore.exe
2084 IEXPLORE.EXE
2084 IEXPLORE.EXE

pid	process
2356	iexplore.exe

pid	process
2356	iexplore.exe
2356	iexplore.exe
2084	IEXPLORE.EXE
2084	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2356 wrote to memory of 2084	2356	iexplore.exe	IEXPLORE.EXE
PID 2356 wrote to memory of 2084	2356	iexplore.exe	IEXPLORE.EXE
PID 2356 wrote to memory of 2084	2356	iexplore.exe	IEXPLORE.EXE
PID 2356 wrote to memory of 2084	2356	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\2df2ce148f8cadd995b146606ab02fef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2df2ce148f8cadd995b146606ab02fef_JaffaCakes118.exe"
1⤵
PID:2228

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2356

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8d81fa9ac3983bcb3cc618f1cb7ee24d

SHA1
44ce08b76eae0b23c2ffc05333ad9a40aec97dc1

SHA256
a066ea60231c19590ca6e681d8fa4868d1745fd0f345f3643f844805e7d5b360

SHA512
dba7ff724b5e38724574a65e3f31227385c59018dec9a6d0b3a031ddca3d5f683bcde1e310ff8259f21700b8e0c16830eaac9a5d84de3954a9fdca4b15f9caf0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
79753b6c0593a44302802b8618740897

SHA1
bbbea3b23f6687b2840c3f8120065f8491329300

SHA256
8325f62776457765b0ba2d51eb5d71dfe07726e0397c4e4a7d3ab202ac8be4e7

SHA512
291eead6c5ebcc1ea0456f999639e001be479cf223f43a7c27cd55d18d247230ab17c6e7d621c006f1e832b7e3996f9d82960aaabc035cdbc9500a2b670378a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0754c5ab38821465d2dd94e58f47fbee

SHA1
55e3bb8f6682f23e9238c251cf35e3c8a41da06b

SHA256
ea6c4232af352d24a60fa3564875d51b8316baa5d7a3668a2ad82a99d313e4f6

SHA512
b382805e10a6c84c5a9f30af4ed1b68e9a3a722e20895067cae7ace0c34b676f832eab97c2ce0bf473b87d32c04b6a2001ef360f9cdc97876788cab837e5cfbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b6b668df35510f168086a18bdbc7e6a7

SHA1
308a7e641a13a987bc0d1dc1fd8350672ceb973a

SHA256
f2820e8b8938a8f3c4112efa4abcb1456e4401d83adb9c80c1caa75321988fee

SHA512
2eda50fa6948b2fe75112db4e845079145f3d333f11b836a6ee7cac62d92450ddd375f5b10f67d2cf2f031c7eef3cddd2daf4bef39a09d5e37de568509fbcd82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
605da63958bae50f398da9ba9dbc19b9

SHA1
4619c83a34744f9f47aff00a227c7296aa769227

SHA256
3198497855e43aeac3d83e229ab7c8625ccbccabb21885c59885752848fa0822

SHA512
c85a8be5501058a1fb1a7375d19f39072894752f80d81c3e25b797d908f95ff5718b8c2e5aeb463f6f0de11e3f644301cd23eb8dbe48d30658eedfc041f53aba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
faccbcc78cbf0cfaad8943e8895ab0a7

SHA1
b43ad93c6db4342d395a5b22e859b1fb101d707a

SHA256
bde889ac1d1c9fcc85f96394cb3ea56df402d879b1858d90a173cfe224a3e7e6

SHA512
efd4870335a6fd22046761096701029e012c260acbce0a34c2776d8d19e4c49f2b08a8032555c907a77d82201dbe33530a9ccc6ba5c98342c43f2561ce54ac66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b7d72b236200c807ca1b7af9216a691c

SHA1
d5c48a7785b07247c5325bc260ab2ad6483a1a48

SHA256
d6f85843ebe7e818fcd01b9882a997d6d9d0e86c1af1c0e89b3e69539ec77df6

SHA512
d91bd6df6187233a8a935fc1c68d99584ea29be8cf199f875fd433c64c4edd7acabd95f1214809a47b7dd091a11e374d7c75694f0aa9ed3aee0f075c8a81d6f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e1cc080e06c1b4c79fa3902f35c553c0

SHA1
0f9c972d95b20a473fc46d51b3a1afd4d5227efd

SHA256
36d09097ead97b42f40f391bac7929dc6e05e6460c388285628ef8db3a7cc004

SHA512
6b9a604b7229a287cf1d82c1be64f2cc43a7a454d0cdc4f6622ed7539a225fc15a64921a5982163ccf9eb539d1a181e8a982a627ff5627e95438eaac9e5f0bad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
690ae1f45e7c2bec68c3e7d43cd964bb

SHA1
6a46967adf000867525f67959ad2241982b882ea

SHA256
3eb2d4cf2b9f97872262666ef470ce698b2540f561936f64b3b6f2bd23b04f14

SHA512
17df523faa154ef7d1a0fe97771efaa7af9f71cbd67d4f9a436046eda32b1b431fa630945cfc2867aab38a7966ede70194d2ea7b016866637c02226c83a301a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC24.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCE1.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCF6.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
memory/2228-1-0x0000000000230000-0x0000000000330000-memory.dmp

Filesize
1024KB

Download
memory/2228-19-0x0000000001CE0000-0x0000000001CE2000-memory.dmp

Filesize
8KB

Download
memory/2228-8-0x0000000000230000-0x0000000000330000-memory.dmp

Filesize
1024KB

Download
memory/2228-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2228-3-0x00000000003E0000-0x00000000003FB000-memory.dmp

Filesize
108KB

Download
memory/2228-2-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download