gozi | e4de14ee872b74e8d8a9c505eed50055842ac748d7d97fa7bf6c0898e7136d50

General

Target

2edc559732a0e9e45fe8ca0121e2787e_JaffaCakes118.exe
Size

269KB
MD5

2edc559732a0e9e45fe8ca0121e2787e
SHA1

f38cb4897c111065ff830df36921ebadb3f0ad31
SHA256

e4de14ee872b74e8d8a9c505eed50055842ac748d7d97fa7bf6c0898e7136d50
SHA512

4fee361658d28068c7f5b90b476732f294b5bf6305f6450d76f91734df9a77702a0ba52a8cff0ee7ec8b3e1b4bde96fba40c6d4fcd60a92ed7d82cd70c4b1224
SSDEEP

6144:/VfmmDgASD5W/adCxsT4/YFqBcIsBGOhN/35:/VfjDmtW/adCC4/UIsBhN/5

Score

10^/10

gozi 3151 banker isfb trojan

Malware Config

Extracted

Family

gozi

Attributes

build
215165

Extracted

Family

gozi

Botnet

3151

C2

zardinglog.com

sycingshbo.com

imminesenc.com

Attributes

build
215165
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00a7a972cca2da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31105740"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1909822963"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007bd2b5d2c6d91e4f8f2c8e8b7d41a415000000000200000000001066000000010000200000006219302256e26ecfd7f9abd498dd34fe56db2a08ac9254ea36f531950ca8858c000000000e8000000002000020000000daedd6f17d47030bcf682e2288f242b90b62373d58ef1c5d3a5d35f32cb85008200000005cd2119a56c6856baa66070d3846d608edd01d0c2f52c82455eb8705ed22ef28400000009fd186caf1fcef7e7cf95d5831fa3e89af0c54626f95648116e841a5ce2c8338e99a5cf8949b9458de0c5ed0257d64bf61c98409e480be6ccc26e7f8c67f3509	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31105740"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f043b372cca2da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007bd2b5d2c6d91e4f8f2c8e8b7d41a41500000000020000000000106600000001000020000000967e7bf3411b8f8aeeaf29d9b150ce570609f0d9f8dba926646bf8db163554f5000000000e8000000002000020000000e25c0bf99aa94c147946a33496e388b5b74d79e62d1688396304c7bfe910a0df2000000011cc044895d1acc7646087c0a42ccfb5311fbaac8bea57029abd01b90a655dcb4000000021d87e2e9d3fc4a42e7f300a878fa5d26c99dc3a70be928493d536cb24075b06c6a7199ae7bd2c5bf2e82d8f84f470db9ce8d2f1d7d76b5dd86bfa711fc58a49	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9D7F1CB3-0EBF-11EF-BCA5-46FD0705B728} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1909822963"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2080 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2080 iexplore.exe
2080 iexplore.exe
3964 IEXPLORE.EXE
3964 IEXPLORE.EXE

pid	process
2080	iexplore.exe

pid	process
2080	iexplore.exe
2080	iexplore.exe
3964	IEXPLORE.EXE
3964	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2080 wrote to memory of 3964	2080	iexplore.exe	IEXPLORE.EXE
PID 2080 wrote to memory of 3964	2080	iexplore.exe	IEXPLORE.EXE
PID 2080 wrote to memory of 3964	2080	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\2edc559732a0e9e45fe8ca0121e2787e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2edc559732a0e9e45fe8ca0121e2787e_JaffaCakes118.exe"
1⤵
PID:5016

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:3580

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2080

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5016-0-0x00000000001B0000-0x0000000000203000-memory.dmp

Filesize
332KB

Download
memory/5016-1-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/5016-2-0x00000000023D0000-0x00000000023EB000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads