General
-
Target
41a8374be557af3621718e88004fdc46_JaffaCakes118
-
Size
123KB
-
Sample
240514-qpkbsshc42
-
MD5
41a8374be557af3621718e88004fdc46
-
SHA1
71af660530aeae5bb4c40174a6b3d25356c62aba
-
SHA256
5a903ed3e4e589bdf870851a44617b3f907485fab40662e4726e2f40fcdcc2d0
-
SHA512
73ab550d59452750cbff6d49b7016e3408e16bb7db0412a419e429ad2b514b872055293644699ba3ba8cbb97d61adf03632e5a3d70c516bf4b30665013660355
-
SSDEEP
3072:g9nY+T1R66DKvurYSYUvl2dpt+ctd7yP:K5R6p2cSxwwko
Malware Config
Extracted
gozi
-
build
217061
Extracted
gozi
1000
intro.tir001.at/rpc
doa.quappak.at/rpc
api.siperskon.at/rpc
io.tir001.at/rpc
ytruieowphf.bit/rpc
u2.ceelop.at/rpc
enter.nokartoon.at/rpc
api.nwq2000.at/rpc
cd.iqwoker.at/rpc
api.fin150.at/rpc
chat.loop1000.at/rpc
chat.iqwoker.at/rpc
mahono.cn/rpc
-
build
217061
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
0x4eb7d2ca
-
dga_season
10
-
dga_tlds
com
ru
org
-
dns_servers
192.71.245.208
8.8.8.8
178.17.170.179
82.196.9.45
151.80.222.79
68.183.70.217
217.144.135.7
158.69.160.164
207.148.83.241
5.189.170.196
217.144.132.148
94.247.43.254
188.165.200.156
159.89.249.249
150.249.149.222
-
exe_type
loader
-
server_id
150
Targets
-
-
Target
41a8374be557af3621718e88004fdc46_JaffaCakes118
-
Size
123KB
-
MD5
41a8374be557af3621718e88004fdc46
-
SHA1
71af660530aeae5bb4c40174a6b3d25356c62aba
-
SHA256
5a903ed3e4e589bdf870851a44617b3f907485fab40662e4726e2f40fcdcc2d0
-
SHA512
73ab550d59452750cbff6d49b7016e3408e16bb7db0412a419e429ad2b514b872055293644699ba3ba8cbb97d61adf03632e5a3d70c516bf4b30665013660355
-
SSDEEP
3072:g9nY+T1R66DKvurYSYUvl2dpt+ctd7yP:K5R6p2cSxwwko
Score10/10-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-