gozi | 92c29cbb855e9063061dcfc9c205a672c69a405633f0b1781518f3801ca16bb3

General

Target

2df2ce148f8cadd995b146606ab02fef_JaffaCakes118.exe
Size

292KB
MD5

2df2ce148f8cadd995b146606ab02fef
SHA1

bf7344140b981bdc24b8f065fab6dda5c3419147
SHA256

92c29cbb855e9063061dcfc9c205a672c69a405633f0b1781518f3801ca16bb3
SHA512

017ff03b8e83ce0541a6a4e7a0581ee1d660188d3bc2481919d465ecc02036ee384817a9d99dc9139382a239622b8f79e0bd83b8808966c907f074ef02b54ffc
SSDEEP

3072:vKF4z5RUYfiu79iq1YHJiHFvdHw2LGQKihrieFPgjySz9UNottJ5//5lfr2qR:vKF4z5RBfwgtHjGwijyloF72qR

Score

10^/10

gozi 2000 banker isfb trojan

Malware Config

Extracted

Family

gozi

Botnet

2000

C2

g2.ex100p.at/webstore

beetfeetlife.bit/webstore

in.termas.at/webstore

ax.ikobut.at/webstore

sm.dvloop.at/webstore

extra.avareg.cn/webstore

api.ex100p.at/webstore

foo.avaregio.at/webstore

op.basedok.at/webstore

f1.cnboal.at/webstore

xxx.lapoder.at/webstore

core.cnboal.at/webstore

pop.muongo.at/webstore

Attributes

build
217061
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
dns_servers
192.71.245.208

8.8.8.8

178.17.170.179

82.196.9.45

151.80.222.79

68.183.70.217

217.144.135.7

158.69.160.164

207.148.83.241

5.189.170.196

217.144.132.148

94.247.43.254

188.165.200.156

159.89.249.249

150.249.149.222
exe_type
loader
server_id
550

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Unexpected DNS network traffic destination 15 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	94.247.43.254
Destination IP	217.144.132.148
Destination IP	151.80.222.79
Destination IP	150.249.149.222
Destination IP	159.89.249.249
Destination IP	158.69.160.164
Destination IP	207.148.83.241
Destination IP	5.189.170.196
Destination IP	192.71.245.208
Destination IP	217.144.135.7
Destination IP	192.71.245.208
Destination IP	178.17.170.179
Destination IP	82.196.9.45
Destination IP	68.183.70.217
Destination IP	188.165.200.156

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9A738B2B-0E9C-11EF-B8C0-5A63B3EA338B} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2312 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2312 iexplore.exe
2312 iexplore.exe
1336 IEXPLORE.EXE
1336 IEXPLORE.EXE

pid	process
2312	iexplore.exe

pid	process
2312	iexplore.exe
2312	iexplore.exe
1336	IEXPLORE.EXE
1336	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2312 wrote to memory of 1336	2312	iexplore.exe	IEXPLORE.EXE
PID 2312 wrote to memory of 1336	2312	iexplore.exe	IEXPLORE.EXE
PID 2312 wrote to memory of 1336	2312	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\2df2ce148f8cadd995b146606ab02fef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2df2ce148f8cadd995b146606ab02fef_JaffaCakes118.exe"
1⤵
PID:2892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4120,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8
1⤵
PID:4776

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:4896

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2312

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2312 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2892-1-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/2892-2-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2892-3-0x00000000020B0000-0x00000000020CB000-memory.dmp

Filesize
108KB

Download
memory/2892-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2892-8-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads