gozi | 86c04f8984f540bce436da84987705137a3efb548fc46ec4b28db62be7548934

Analysis

max time kernel
143s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 18:59

Target

4793f12ab09ca31973a406b5b7f922d9_JaffaCakes118.dll
Size

239KB
MD5

4793f12ab09ca31973a406b5b7f922d9
SHA1

5c67cc128cf3ebc18b4cf3e68572915bcee75f73
SHA256

86c04f8984f540bce436da84987705137a3efb548fc46ec4b28db62be7548934
SHA512

947d31acd7d818922c395fee969cb1516c8ef43582446d8349c71ad450ccd6fb115d42be6f0a42d5783bd2d539b63b2874d86bfff94088f6cf6352181214ca05
SSDEEP

3072:E9jW9lCztEjPEUEz5od5csjgDOQNp4Mk/58Xs3gxA33K3HaisqYa7m7/1lx57eDi:E9LR4PEz5owqBExu6DWK0a7C7eDi

Score

10^/10

Family

gozi

rsa_pubkey.plain

Family

gozi

Botnet

200

samesupretendedpretended.ru

Attributes

rsa_pubkey.plain

serpent.plain

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4448 wrote to memory of 4432	4448	rundll32.exe	rundll32.exe
PID 4448 wrote to memory of 4432	4448	rundll32.exe	rundll32.exe
PID 4448 wrote to memory of 4432	4448	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4793f12ab09ca31973a406b5b7f922d9_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4448

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4793f12ab09ca31973a406b5b7f922d9_JaffaCakes118.dll,#1
2⤵
PID:4432

memory/4432-1-0x0000000002DA0000-0x0000000002DB7000-memory.dmp

Filesize
92KB

Download
memory/4432-0-0x00000000013B0000-0x00000000013C4000-memory.dmp

Filesize
80KB

Download
memory/4432-2-0x0000000002DA0000-0x0000000002DB7000-memory.dmp

Filesize
92KB

Download