gozi | 4a0bd71db44ebca42e13f2556479cda473940438bd0bd7629aaefc684e99f0c1

General

Target

3a5e164612d1b0edd9a7869ed9f5a86a_JaffaCakes118.exe
Size

203KB
MD5

3a5e164612d1b0edd9a7869ed9f5a86a
SHA1

17e36bfd5d916ea0ee8a465b8c565054d1a26107
SHA256

4a0bd71db44ebca42e13f2556479cda473940438bd0bd7629aaefc684e99f0c1
SHA512

6f9b6e33d613d51c73c02fb1bc9570a01f7177fa3e9a4bda3bfadc27febdb8b016399a5dfa11b5dd02c48fb7247792b6c2aefbd5274ff098742936a5585c8df8
SSDEEP

3072:91ji2dQ6v4uPXDNUj4jKBonzmLXlYVRLh0epEEZqkFBc4+uTqN76o:9Zdp4uPZzGonqXGXh0bluBc4GZ5

Score

10^/10

gozi 3162 banker isfb trojan

Malware Config

Extracted

Family

gozi

Attributes

build
215165

Extracted

Family

gozi

Botnet

3162

C2

menehleibe.com

liemuteste.com

thulligend.com

Attributes

build
215165
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "755351658"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31106161"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31106161"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef8626000000000200000000001066000000010000200000002c0649f23b90e1f00b9a48a1f45662d4ad849929ee9001a3fc5a700e53a67c50000000000e80000000020000200000001db9ebc8ea50816e686c61185e9ef74e20ef0417aeee590499256d177495e664200000002d227281f58dcd9a203615f02bdafc73a5cf43cf5e8aeafb78573cf596b6ec0f40000000e238c592ffc42f9924eb3778870c5495e33f86b03704319607b7627287145ac6b373cf10511c01acd5247550446c051e7b6b8f4ec0d652951ba80e6876d8f3ec	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "755351658"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a01bb62d71a4da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8091bf2d71a4da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{58AF4759-1064-11EF-9519-66D3FDB32ECD} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef862600000000020000000000106600000001000020000000c447a2d25d2f1eca8f2810274aed79523e0949c957e4f7e23618c80b8bc9da95000000000e80000000020000200000005cfe3a0ed1081a5432d3e6c4e80939477dacc82768abb26f988aab8b898d1bac20000000b798f97403677c290a8d8a4ee9d04b482004164559c551cef0645fb9bdd23d1040000000a423852aa5520c32879a22220ba73df4654dcd79b3c47ddf1837c882ad9892736362043d8b8f03db0ee75b6192ba3f6b70ef7faebe0d03e69dc747e609c5be70	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2744 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2744 iexplore.exe
2744 iexplore.exe
1492 IEXPLORE.EXE
1492 IEXPLORE.EXE

pid	process
2744	iexplore.exe

pid	process
2744	iexplore.exe
2744	iexplore.exe
1492	IEXPLORE.EXE
1492	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2744 wrote to memory of 1492	2744	iexplore.exe	IEXPLORE.EXE
PID 2744 wrote to memory of 1492	2744	iexplore.exe	IEXPLORE.EXE
PID 2744 wrote to memory of 1492	2744	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\3a5e164612d1b0edd9a7869ed9f5a86a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a5e164612d1b0edd9a7869ed9f5a86a_JaffaCakes118.exe"
1⤵
PID:1624

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:884

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2744 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1624-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1624-1-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1624-3-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1624-2-0x0000000000435000-0x000000000043A000-memory.dmp

Filesize
20KB

Download
memory/1624-4-0x00000000024C0000-0x00000000024DB000-memory.dmp

Filesize
108KB

Download
memory/1624-14-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads