General

  • Target

    3ba3d648ca74d5bd772f483c4a9d22fd_JaffaCakes118

  • Size

    764KB

  • Sample

    240512-xsl35aef56

  • MD5

    3ba3d648ca74d5bd772f483c4a9d22fd

  • SHA1

    c2de8076341421ddbc42dce2421b55eef65cf7c4

  • SHA256

    dcf378c464b7206e115e6ca75db611d0139eac32efe516843f30e8f7081c6b4a

  • SHA512

    956449e72ba7599ba28b71b9ac9ebbe0e8086953f5290e5394b3c299878841d1aabbb4364675b8352815508f0c8d40796542eb8c15b242349611230de14cf613

  • SSDEEP

    12288:1g85EoktIBKProGyVqaybmLp9N2dWELilk1EdKdf1t+dNyysAtqzq3GLX+X4Dg:e8J6dProG+qayC12PLmDdqf2doys4qG3

Malware Config

Extracted

Family

gozi

Botnet

300

C2

http://aaxvkah7dudzoloq.onion

http://lissavets.at

http://tahhir.at

http://limpopo.at

http://estate-advice.at

Attributes

  • build

    217107

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    worker

  • server_id

    12

  • rsa_pubkey.plain

  • serpent.plain

Targets

    • Target

      cav3cab.dll

    • Size

      1.0MB

    • MD5

      eff6cec9d94195747f5df45c78074f7d

    • SHA1

      fb413fe8d9ea0f9c55e8615de737094cbf4f2d0b

    • SHA256

      43f843ac28b5d6b36f43e6df9130ee1b2107638c3fce0db982bf83940f946364

    • SHA512

      7ea6d81b594bc3c1a1bd8bc89f5a3bf3d857b730371f133d7626bf7d085edc5373a4f8eecb030a509598383ebaad8eaeca14f7d8421512d6859b0c0b8e8189a7

    • SSDEEP

      12288:3W2sluOeKWvMW2r2wL37YzBJSrT352FJTZagJtaKQqBB2Tud4XI53jkheoix:3WhlxeVvr2LYzw352f5wCLTIhix

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Unexpected DNS network traffic destination

      Network traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      info_03_03.doc

    • Size

      122KB

    • MD5

      c719f640ec5d01d146a7591282160ceb

    • SHA1

      3bce005dd3e50ef9e0fc884b0d6e9df719b453e8

    • SHA256

      e437d83f688c0d5b7937df9636bdb60756e65e902c1341d4b2b1109f9a7a00d7

    • SHA512

      f88acc7db24feba428b2e30331c618d18af21e7c61c05e2f2f6187cc628f6e38000b20179532b71677824bd1cbd131a104b8bc099f481d7385fcd955da267178

    • SSDEEP

      1536:fQnmpNwNPXIDtD9BnfEbS9asziTtOJ2WJDGmTTkPEko8WltDrKigmIkLxBIaz+To:fQ6wZbbS9+32KStfKigeU7znMMDXG

    • Score

      10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Target

      run.bat

    • Size

      30B

    • MD5

      faf8c0f3b9e854b0cae85850b3576572

    • SHA1

      26f0f7765b315a8c0de19db80b977aad38c5b120

    • SHA256

      0e4387c13ff166e8b1001cfd888d1dccd4e24ccf951ed62924a79a5cf56b00b8

    • SHA512

      56547db51212e5e0e05de3f40101bb69f56e5eab2839165c11679d9210b821188345fbe84be581938d722f0e872752910deab1e96723862af60fe4c7fe1208b3

    • Score

      3/10

MITRE ATT&CK Enterprise v15

Tasks