Behavioral task: behavioral1
Sample: 491cae6d0db3fe37324d252588ab32ce_JaffaCakes118.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 491cae6d0db3fe37324d252588ab32ce_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 491cae6d0db3fe37324d252588ab32ce_JaffaCakes118
Size: 204KB
MD5: 491cae6d0db3fe37324d252588ab32ce
SHA1: ba942f7a0fa2a76a83281cfd87537d3f929ab84c
SHA256: 291bf5665d0171b836b5e6ed436d31c19ff68db4c8fe97a949802df68d22ad12
SHA512: d01df7319766fa088cd05770511d4000ce55c4bc97e4b0b7d9222b3194a3be60c12adb7efacc805458f660e81ed60afc73e50c9f8eaa452e309e4465273e1d9b
SSDEEP: 6144:+1IQjw4aeKiKmaC0B4yzoXkDUCYAVqlxnuwm:+C4aeKiKmajBHsyxhQ
Malware Config
Extracted
Family: gozi
ID: 2411
C2:
princlegislative.su/mp_xxx/front/xxx
prophosthdor.su/mp_xxx/front/xxx
xhroompjsapi.com/mp_xxx/front/xxx
Attributes:
exe_type: worker
server_id: 55
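The extracted C2 list above is the part of this report a SOC acts on first. The following is an added example (not from the sandbox report and not Gozi's own code), in standard-library Python only: it defangs the C2 hosts for sharing and scans constructed Squid-style proxy log lines for contact with a C2 host or with the /mp_xxx/front/xxx URI prefix. The log lines are constructed, and the assumption that the URI prefix is stable across requests is mine, based only on the three entries listed in the config.

```python
import re
from urllib.parse import urlsplit

# C2 entries exactly as extracted in the report above (listed without a scheme).
GOZI_C2 = [
    "princlegislative.su/mp_xxx/front/xxx",
    "prophosthdor.su/mp_xxx/front/xxx",
    "xhroompjsapi.com/mp_xxx/front/xxx",
]


def split_c2(entry):
    """Split a scheme-less 'host/path' config entry into (host, path)."""
    host, _, path = entry.partition("/")
    return host.lower(), "/" + path


C2_HOSTS = {split_c2(e)[0] for e in GOZI_C2}

# Assumption (mine, from the three entries above): all C2 entries share one
# URI prefix, so a request whose path starts with it is suspicious even when
# the host is not in the config (e.g. a C2 rotated to a new domain).
C2_PATH_PREFIX = "/mp_xxx/front/xxx"
C2_PATH_RE = re.compile(r"^" + re.escape(C2_PATH_PREFIX) + r"(/|$)", re.IGNORECASE)


def defang(host):
    """Defang a hostname so it cannot be clicked in a ticket or report."""
    return host.replace(".", "[.]")


def iocs():
    """Defanged C2 hosts, sorted, ready for a blocklist or an IOC report."""
    return sorted(defang(h) for h in C2_HOSTS)


# Constructed Squid-style access log: "timestamp client method url status".
SAMPLE_LOG = """\
1715000000.123 10.0.0.5 GET http://www.example.org/index.html 200
1715000001.456 10.0.0.7 GET http://princlegislative.su/mp_xxx/front/xxx/AbC12/x.avi 200
1715000002.789 10.0.0.7 POST http://PROPHOSTHDOR.SU/mp_xxx/front/xxx 200
1715000003.111 10.0.0.9 GET http://xhroompjsapi.com/ 404
1715000004.222 10.0.0.9 GET http://cdn.example.net/mp_xxx/front/xxx/y 200
1715000005.333 10.0.0.9 GET http://cdn.example.net/mp_xxx/front/xxxx 200
"""


def scan_log(text):
    """Return one hit per log line that touches a C2 host or the C2 URI prefix.

    Host matching is case-insensitive (urlsplit lowercases .hostname), and a
    bare hit on the host counts even when the path is "/" or the status is 404:
    the client still resolved and contacted the C2.
    """
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        reasons = []
        if host in C2_HOSTS:
            reasons.append("c2-host")
        if C2_PATH_RE.match(parts.path):
            reasons.append("c2-path")
        if reasons:
            hits.append({"client": client, "host": defang(host), "reasons": reasons})
    return hits
```

Path-only hits (the cdn.example.net line) are lower confidence than host hits and are worth a second look rather than an automatic block; the prefix regex deliberately stops at a path separator so that /mp_xxx/front/xxxx does not match.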
Signatures
Gozi family
Unsigned PE (1 IoC): checks for missing Authenticode signature.
Processes: resource 491cae6d0db3fe37324d252588ab32ce_JaffaCakes118
Files
-
491cae6d0db3fe37324d252588ab32ce_JaffaCakes118.exe windows:5 windows x86 arch:x86
e7c2629a49c1ec06ace0526eb6e9f9d0
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
ntdll
ZwClose
ZwOpenProcessToken
memcpy
ZwQueryInformationToken
memset
wcstombs
NtSetContextThread
RtlNtStatusToDosError
ZwQueryInformationProcess
NtGetContextThread
NtMapViewOfSection
NtUnmapViewOfSection
NtCreateSection
ZwOpenProcess
RtlRandom
mbstowcs
_strupr
RtlUnwind
NtQueryVirtualMemory
shlwapi
StrStrA
PathFindExtensionA
StrRChrA
PathCombineA
StrChrA
StrStrIA
setupapi
SetupDiGetDeviceRegistryPropertyA
SetupDiGetClassDevsA
SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInfo
kernel32
SetWaitableTimer
CompareFileTime
HeapFree
Process32First
WaitForSingleObject
SetEvent
GetTickCount
GetWindowsDirectoryA
OpenProcess
Sleep
CreateEventA
HeapAlloc
TerminateProcess
GetSystemDirectoryA
lstrcatA
FindFirstFileA
GetLastError
lstrcmpiA
CopyFileA
FindClose
ResetEvent
Process32Next
OpenEventA
FindNextFileA
CreateToolhelp32Snapshot
GetFileTime
CreateWaitableTimerA
GetTempPathA
DeleteFileA
lstrcpyA
lstrlenA
GetModuleHandleA
HeapCreate
HeapDestroy
GetCommandLineA
ExitProcess
CloseHandle
ReadFile
CreateFileA
CreateProcessA
ResumeThread
SuspendThread
VirtualProtectEx
GetThreadContext
ExpandEnvironmentStringsW
GetTempFileNameA
CreateFileW
WriteFile
SetEndOfFile
GetFileSize
lstrcmpA
GetVersion
lstrlenW
WriteProcessMemory
GetCurrentProcessId
lstrcpynA
GetCurrentProcess
LocalFree
SetFilePointer
VirtualFree
CreateRemoteThread
ReadProcessMemory
GetModuleFileNameW
GetProcAddress
VirtualAlloc
VirtualAllocEx
GetModuleFileNameA
user32
GetShellWindow
wsprintfA
GetWindowThreadProcessId
advapi32
OpenProcessToken
LookupPrivilegeValueA
RegOpenKeyA
RegCreateKeyA
RegEnumKeyExA
AdjustTokenPrivileges
ConvertStringSecurityDescriptorToSecurityDescriptorA
RegQueryValueExA
RegCloseKey
GetSecurityInfo
RegOpenKeyExA
RegSetValueExA
SetNamedSecurityInfoA
AllocateAndInitializeSid
SetSecurityInfo
FreeSid
SetEntriesInAclA
shell32
ord92
ShellExecuteA
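The import table above is the most informative static artifact in this report: ntdll section-mapping and thread-context calls next to VirtualAllocEx/WriteProcessMemory/CreateRemoteThread, token privilege adjustment, DACL editing, and GetShellWindow/GetWindowThreadProcessId (the usual way to find the explorer.exe PID) together read as a process-injection loader. The following added example (not from the report and not Gozi's code) reproduces the imphash algorithm over that list and groups the imports into capability clusters. The clusters and their names are my heuristic, and the imphash only equals the sandbox's value if the listing order matches the on-disk import directory order, which the report does not state, so the code does not assume it.

```python
import hashlib

# Import table as listed in the report above: (DLL, [functions]) in listing order.
REPORT_IMPORTS = [
    ("ntdll", """ZwClose ZwOpenProcessToken memcpy ZwQueryInformationToken memset wcstombs
        NtSetContextThread RtlNtStatusToDosError ZwQueryInformationProcess NtGetContextThread
        NtMapViewOfSection NtUnmapViewOfSection NtCreateSection ZwOpenProcess RtlRandom
        mbstowcs _strupr RtlUnwind NtQueryVirtualMemory""".split()),
    ("shlwapi", "StrStrA PathFindExtensionA StrRChrA PathCombineA StrChrA StrStrIA".split()),
    ("setupapi", """SetupDiGetDeviceRegistryPropertyA SetupDiGetClassDevsA
        SetupDiDestroyDeviceInfoList SetupDiEnumDeviceInfo""".split()),
    ("kernel32", """SetWaitableTimer CompareFileTime HeapFree Process32First WaitForSingleObject
        SetEvent GetTickCount GetWindowsDirectoryA OpenProcess Sleep CreateEventA HeapAlloc
        TerminateProcess GetSystemDirectoryA lstrcatA FindFirstFileA GetLastError lstrcmpiA
        CopyFileA FindClose ResetEvent Process32Next OpenEventA FindNextFileA
        CreateToolhelp32Snapshot GetFileTime CreateWaitableTimerA GetTempPathA DeleteFileA
        lstrcpyA lstrlenA GetModuleHandleA HeapCreate HeapDestroy GetCommandLineA ExitProcess
        CloseHandle ReadFile CreateFileA CreateProcessA ResumeThread SuspendThread
        VirtualProtectEx GetThreadContext ExpandEnvironmentStringsW GetTempFileNameA CreateFileW
        WriteFile SetEndOfFile GetFileSize lstrcmpA GetVersion lstrlenW WriteProcessMemory
        GetCurrentProcessId lstrcpynA GetCurrentProcess LocalFree SetFilePointer VirtualFree
        CreateRemoteThread ReadProcessMemory GetModuleFileNameW GetProcAddress VirtualAlloc
        VirtualAllocEx GetModuleFileNameA""".split()),
    ("user32", "GetShellWindow wsprintfA GetWindowThreadProcessId".split()),
    ("advapi32", """OpenProcessToken LookupPrivilegeValueA RegOpenKeyA RegCreateKeyA RegEnumKeyExA
        AdjustTokenPrivileges ConvertStringSecurityDescriptorToSecurityDescriptorA
        RegQueryValueExA RegCloseKey GetSecurityInfo RegOpenKeyExA RegSetValueExA
        SetNamedSecurityInfoA AllocateAndInitializeSid SetSecurityInfo FreeSid
        SetEntriesInAclA""".split()),
    ("shell32", "ord92 ShellExecuteA".split()),
]


def imphash(imports):
    """Import hash: MD5 over 'dll.func' pairs in import order, lowercased.

    DLL extensions .dll/.ocx/.sys are dropped; ordinal-only imports are written
    as 'ordN' (the report already lists shell32's ordinal that way).
    """
    parts = []
    for dll, funcs in imports:
        name = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if name.endswith(ext):
                name = name[: -len(ext)]
        parts.extend(f"{name}.{f.lower()}" for f in funcs)
    return hashlib.md5(",".join(parts).encode()).hexdigest()


# Heuristic capability clusters (my grouping, not the sandbox's signatures).
CAPABILITIES = {
    "process-injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                          "NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection",
                          "VirtualProtectEx", "ReadProcessMemory"},
    "thread-context-hijack": {"GetThreadContext", "NtGetContextThread", "NtSetContextThread",
                              "SuspendThread", "ResumeThread"},
    "token-privileges": {"OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges"},
    "dacl-modification": {"SetNamedSecurityInfoA", "SetSecurityInfo", "SetEntriesInAclA",
                          "ConvertStringSecurityDescriptorToSecurityDescriptorA"},
    "process-enumeration": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next",
                            "OpenProcess", "ZwOpenProcess"},
    "explorer-lookup": {"GetShellWindow", "GetWindowThreadProcessId"},
    "registry-write": {"RegCreateKeyA", "RegSetValueExA"},
    "device-enumeration": {"SetupDiGetClassDevsA", "SetupDiEnumDeviceInfo",
                           "SetupDiGetDeviceRegistryPropertyA"},
    "temp-file-drop": {"GetTempPathA", "GetTempFileNameA", "CopyFileA"},
}


def capabilities(imports, min_hits=2):
    """Map each cluster to the imported APIs that hit it; drop clusters below min_hits."""
    present = {f for _, funcs in imports for f in funcs}
    found = {cap: sorted(present & apis) for cap, apis in CAPABILITIES.items()}
    return {cap: apis for cap, apis in found.items() if len(apis) >= min_hits}
```

Requiring two hits per cluster keeps a single benign import (every program calls OpenProcess or WriteFile) from lighting up a cluster; it is a triage aid for reading an import table, not a verdict.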
Sections
.text   Size: 20KB   Virtual size: 20KB    IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
.rdata  Size: 4KB    Virtual size: 4KB     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
.data   Size: 4KB    Virtual size: 4KB     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
.bss    Size: 8KB    Virtual size: 8KB     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
.rsrc   Size: 164KB  Virtual size: 164KB   IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
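The header flags and section table above are what the "Unsigned PE" signature and the usual hardening checks are derived from: no security data directory means no embedded Authenticode signature, IMAGE_FILE_RELOCS_STRIPPED means the image cannot be rebased (so no ASLR), and the absence of DYNAMIC_BASE and NX_COMPAT in DllCharacteristics says the same about ASLR and DEP. The following added example (not from the report, standard-library Python only) parses exactly those fields from a PE32 image and reports the findings; the image it runs on is a minimal one constructed in memory to mirror the flags and sections listed above, not the sample itself. The Authenticode check only sees embedded signatures; a catalog-signed file also shows an empty security directory, so "unsigned" here means "no embedded signature", and a non-empty directory is not proof of a valid one.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
# IMAGE_OPTIONAL_HEADER.DllCharacteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000
# IMAGE_SECTION_HEADER.Characteristics
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode certificate table)


def parse_pe(data):
    """Parse the DOS/NT headers, PE32 optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (x86) optional headers are handled here")
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    sec_rva = sec_size = 0
    if ndirs > SECURITY_DIR:
        sec_rva, sec_size = struct.unpack_from("<II", data, opt + 96 + 8 * SECURITY_DIR)
    sections = []
    for i in range(nsec):
        name, vsize, _, rawsize, _, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"),
                         "vsize": vsize, "rawsize": rawsize, "chars": sc})
    return {"machine": machine, "characteristics": chars, "dllchars": dllchars,
            "security_dir": (sec_rva, sec_size), "sections": sections}


def findings(pe):
    """Security-relevant observations a triage analyst wants from the headers."""
    out = []
    if pe["security_dir"][1] == 0:
        out.append("unsigned: empty security directory (no embedded Authenticode signature)")
    if pe["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED:
        out.append("relocs stripped: image cannot be rebased, no ASLR possible")
    if not pe["dllchars"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
        out.append("DYNAMIC_BASE not set: ASLR not opted in")
    if not pe["dllchars"] & IMAGE_DLLCHARACTERISTICS_NX_COMPAT:
        out.append("NX_COMPAT not set: DEP not opted in")
    for s in pe["sections"]:
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            out.append(f"section {s['name']} is writable and executable")
    return out


def build_sample_pe(file_chars, dll_chars, sections, signed=False):
    """Construct a minimal, non-runnable PE32 header set in memory (test data only)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt = bytearray(224)                                         # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                        # Magic
    struct.pack_into("<H", opt, 70, dll_chars)                   # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    if signed:  # fake certificate table entry; only its non-zero size matters here
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, 0x1000, 0x200)
    fh = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), file_chars)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, 0x1000 * (i + 1),
                                vs, 0, 0, 0, 0, 0, c)
                    for i, (n, vs, c) in enumerate(sections))
    return dos + b"PE\0\0" + fh + bytes(opt) + hdrs


# Constructed image mirroring the flags and section table reported above.
REPORT_LIKE_PE = build_sample_pe(
    IMAGE_FILE_RELOCS_STRIPPED | IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE,
    IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE,
    [(".text", 20 * 1024, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
     (".rdata", 4 * 1024, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
     (".data", 4 * 1024, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
     (".bss", 8 * 1024, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
     (".rsrc", 164 * 1024, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)])
```

Against the constructed image the parser reports the missing signature, stripped relocations and the absent ASLR/DEP opt-ins, and no writable+executable section (the .text section is RX, the data sections RW), which is what the section flags listed above say.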