General

  • Target

    3c353ccc861ddd2790a37d486dc6cf33_JaffaCakes118

  • Size

    618KB

  • Sample

    240513-w5fanshg43

  • MD5

    3c353ccc861ddd2790a37d486dc6cf33

  • SHA1

    3d2918876d189c684ac824c901710c462c37a302

  • SHA256

    dfd77534fbd49aa51b69531359ad0e8c4cdeade7fce322c410b8c844400241c3

  • SHA512

    9ffcf68af702ef60a6722b6af77295c7930c3ae896222317fa3c27a0c8a25197f3bf0a5427dada719f96b9a771394b0d22c899042f9f6e5a8067339151ca183d

  • SSDEEP

    12288:m7MAbTmGdzc6PVXjFsflG0z+H9YUr5PvfbZzwX1:67fmGzlVzafk0zUr51zwX

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

130

C2

http://bt2e3wov5mmesooc.onion

freedomhouse.ac.ug

freedomhouse32.ug

Attributes
  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • dns_servers

    107.174.86.134

    107.175.127.22

  • exe_type

    worker

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Targets

    • Target

      3c353ccc861ddd2790a37d486dc6cf33_JaffaCakes118

    • Size

      618KB

    • MD5

      3c353ccc861ddd2790a37d486dc6cf33

    • SHA1

      3d2918876d189c684ac824c901710c462c37a302

    • SHA256

      dfd77534fbd49aa51b69531359ad0e8c4cdeade7fce322c410b8c844400241c3

    • SHA512

      9ffcf68af702ef60a6722b6af77295c7930c3ae896222317fa3c27a0c8a25197f3bf0a5427dada719f96b9a771394b0d22c899042f9f6e5a8067339151ca183d

    • SSDEEP

      12288:m7MAbTmGdzc6PVXjFsflG0z+H9YUr5PvfbZzwX1:67fmGzlVzafk0zUr51zwX

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks