gozi | 5e20dcc938ce2e061104b90a90c2f8d14f814f674184519ee8c1c018ce5faa6d

General

Target

60a6e455ef240b89acdeda979beb376e_JaffaCakes118.dll
Size

1.1MB
MD5

60a6e455ef240b89acdeda979beb376e
SHA1

2bc1d323670a03676107c5c5cc773eb34d72bc18
SHA256

5e20dcc938ce2e061104b90a90c2f8d14f814f674184519ee8c1c018ce5faa6d
SHA512

b83e08bbd47b6ef520bc22509dfface44c9e527d10f753d099e0ddb52b22bf92679bda62459cbc8b519345c3f1fc18bada907f63849436623fb47c81b9a4dd98
SSDEEP

24576:umpC5XQ4oIJW7mmCi1t1Ajn9V6YmA7tOJLbXq7:uPQ4oIQR1LHYnOJ3q7

Score

10^/10

gozi 1000 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

http://ey7kuuklgieop2pq.onion

http://shoshanna.at

http://buismashallah.at

Attributes

build
217027
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 208.67.222.222
Destination IP 208.67.222.222
Destination IP 208.67.222.222

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\comuobby = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AsfeOKSE\\adsnprov.dll\",DllRegisterServer"	Explorer.EXE

Suspicious use of SetThreadContext 4 IoCs

Processes:

rundll32.execontrol.exeExplorer.EXE

description	pid	process	target process
PID 2220 set thread context of 2712	2220	rundll32.exe	control.exe
PID 2712 set thread context of 1200	2712	control.exe	Explorer.EXE
PID 2712 set thread context of 2444	2712	control.exe	rundll32.exe
PID 1200 set thread context of 1668	1200	Explorer.EXE	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeExplorer.EXE

pid process

2220 rundll32.exe
1200 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

rundll32.execontrol.exeExplorer.EXE

pid process

2220 rundll32.exe
2712 control.exe
2712 control.exe
1200 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE

pid	process
2220	rundll32.exe
1200	Explorer.EXE

pid	process
2220	rundll32.exe
2712	control.exe
2712	control.exe
1200	Explorer.EXE

pid	process
1200	Explorer.EXE

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

rundll32.exerundll32.execontrol.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 328 wrote to memory of 2220	328	rundll32.exe	rundll32.exe
PID 328 wrote to memory of 2220	328	rundll32.exe	rundll32.exe
PID 328 wrote to memory of 2220	328	rundll32.exe	rundll32.exe
PID 328 wrote to memory of 2220	328	rundll32.exe	rundll32.exe
PID 328 wrote to memory of 2220	328	rundll32.exe	rundll32.exe
PID 328 wrote to memory of 2220	328	rundll32.exe	rundll32.exe
PID 328 wrote to memory of 2220	328	rundll32.exe	rundll32.exe
PID 2220 wrote to memory of 2712	2220	rundll32.exe	control.exe
PID 2220 wrote to memory of 2712	2220	rundll32.exe	control.exe
PID 2220 wrote to memory of 2712	2220	rundll32.exe	control.exe
PID 2220 wrote to memory of 2712	2220	rundll32.exe	control.exe
PID 2220 wrote to memory of 2712	2220	rundll32.exe	control.exe
PID 2220 wrote to memory of 2712	2220	rundll32.exe	control.exe
PID 2220 wrote to memory of 2712	2220	rundll32.exe	control.exe
PID 2712 wrote to memory of 1200	2712	control.exe	Explorer.EXE
PID 2712 wrote to memory of 1200	2712	control.exe	Explorer.EXE
PID 2712 wrote to memory of 1200	2712	control.exe	Explorer.EXE
PID 2712 wrote to memory of 2444	2712	control.exe	rundll32.exe
PID 2712 wrote to memory of 2444	2712	control.exe	rundll32.exe
PID 2712 wrote to memory of 2444	2712	control.exe	rundll32.exe
PID 2712 wrote to memory of 2444	2712	control.exe	rundll32.exe
PID 2712 wrote to memory of 2444	2712	control.exe	rundll32.exe
PID 2712 wrote to memory of 2444	2712	control.exe	rundll32.exe
PID 1200 wrote to memory of 1820	1200	Explorer.EXE	cmd.exe
PID 1200 wrote to memory of 1820	1200	Explorer.EXE	cmd.exe
PID 1200 wrote to memory of 1820	1200	Explorer.EXE	cmd.exe
PID 1820 wrote to memory of 1852	1820	cmd.exe	nslookup.exe
PID 1820 wrote to memory of 1852	1820	cmd.exe	nslookup.exe
PID 1820 wrote to memory of 1852	1820	cmd.exe	nslookup.exe
PID 1200 wrote to memory of 1960	1200	Explorer.EXE	cmd.exe
PID 1200 wrote to memory of 1960	1200	Explorer.EXE	cmd.exe
PID 1200 wrote to memory of 1960	1200	Explorer.EXE	cmd.exe
PID 1200 wrote to memory of 1668	1200	Explorer.EXE	cmd.exe
PID 1200 wrote to memory of 1668	1200	Explorer.EXE	cmd.exe
PID 1200 wrote to memory of 1668	1200	Explorer.EXE	cmd.exe
PID 1200 wrote to memory of 1668	1200	Explorer.EXE	cmd.exe
PID 1200 wrote to memory of 1668	1200	Explorer.EXE	cmd.exe
PID 1200 wrote to memory of 1668	1200	Explorer.EXE	cmd.exe
PID 1200 wrote to memory of 1668	1200	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\60a6e455ef240b89acdeda979beb376e_JaffaCakes118.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:328

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\60a6e455ef240b89acdeda979beb376e_JaffaCakes118.dll,#1
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\system32\control.exe
C:\Windows\system32\control.exe /?
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
5⤵
PID:2444

C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\4BCC.bi1"
2⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
3⤵
PID:1852

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4BCC.bi1"
2⤵
PID:1960

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4BCC.bi1
Filesize
111B

MD5
17900f543f673fc2e57bb0116a6af5af

SHA1
4738418078e5213f660191c7fbfc5bc0beb5a6eb

SHA256
3d644ae23d5a90d7b4caf7dcfededf77593dcf8fe55052fd945768ca94a426a3

SHA512
847ee496601bc4eda51933a0353a63fa13b53dbe419b2d2a5c7325ab7bcefddcc25c83680cc3f2a38a015e3e8cd4940c38d2a52702a2da60f510ebdeab80dbc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\4BCC.bi1
Filesize
122B

MD5
86ae6b510c19228190f4b797503ce192

SHA1
0a6c67bc4f36fcdaa7a553f9ff9ae439f13b32d1

SHA256
be8c30a0e245b6d86db1e7bdf04b8cfa3117846d5b88f6d476066041eaea1c3a

SHA512
bec76ed958ccf192f26b2eb9250f02ce2cf04318cc4f51d30cbbd24b96de172f4f26bbac018938ebd2f7c38f70e70def8d8f6b0e9b473b3a32bbe252449e3dd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AsfeOKSE\adsnprov.dll
Filesize
1.1MB

MD5
60a6e455ef240b89acdeda979beb376e

SHA1
2bc1d323670a03676107c5c5cc773eb34d72bc18

SHA256
5e20dcc938ce2e061104b90a90c2f8d14f814f674184519ee8c1c018ce5faa6d

SHA512
b83e08bbd47b6ef520bc22509dfface44c9e527d10f753d099e0ddb52b22bf92679bda62459cbc8b519345c3f1fc18bada907f63849436623fb47c81b9a4dd98

Download Submit
memory/1200-26-0x0000000004BF0000-0x0000000004CA1000-memory.dmp

Filesize
708KB

Download
memory/1200-33-0x0000000004BF0000-0x0000000004CA1000-memory.dmp

Filesize
708KB

Download
memory/1200-58-0x0000000004BF0000-0x0000000004CA1000-memory.dmp

Filesize
708KB

Download
memory/1200-36-0x0000000004BF0000-0x0000000004CA1000-memory.dmp

Filesize
708KB

Download
memory/1200-63-0x0000000004BF0000-0x0000000004CA1000-memory.dmp

Filesize
708KB

Download
memory/1200-35-0x0000000004BF0000-0x0000000004CA1000-memory.dmp

Filesize
708KB

Download
memory/1200-32-0x0000000004BF0000-0x0000000004CA1000-memory.dmp

Filesize
708KB

Download
memory/1200-62-0x0000000004BF0000-0x0000000004CA1000-memory.dmp

Filesize
708KB

Download
memory/1200-34-0x0000000004BF0000-0x0000000004CA1000-memory.dmp

Filesize
708KB

Download
memory/1200-43-0x0000000004BF0000-0x0000000004CA1000-memory.dmp

Filesize
708KB

Download
memory/1200-42-0x0000000004BF0000-0x0000000004CA1000-memory.dmp

Filesize
708KB

Download
memory/1200-64-0x0000000004BF0000-0x0000000004CA1000-memory.dmp

Filesize
708KB

Download
memory/1200-39-0x0000000004BF0000-0x0000000004CA1000-memory.dmp

Filesize
708KB

Download
memory/1200-38-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/1200-37-0x0000000004BF0000-0x0000000004CA1000-memory.dmp

Filesize
708KB

Download
memory/1668-59-0x0000000000190000-0x0000000000234000-memory.dmp

Filesize
656KB

Download
memory/2220-23-0x00000000022D0000-0x0000000002CF5000-memory.dmp

Filesize
10.1MB

Download
memory/2220-7-0x0000000000290000-0x00000000002DA000-memory.dmp

Filesize
296KB

Download
memory/2220-2-0x00000000022D0000-0x0000000002CF5000-memory.dmp

Filesize
10.1MB

Download
memory/2220-0-0x00000000022D0000-0x0000000002CF5000-memory.dmp

Filesize
10.1MB

Download
memory/2220-5-0x00000000022D0000-0x0000000002CF5000-memory.dmp

Filesize
10.1MB

Download
memory/2220-4-0x00000000023DE000-0x00000000023E4000-memory.dmp

Filesize
24KB

Download
memory/2220-3-0x00000000022D0000-0x0000000002CF5000-memory.dmp

Filesize
10.1MB

Download
memory/2220-14-0x0000000000290000-0x00000000002DA000-memory.dmp

Filesize
296KB

Download
memory/2444-50-0x0000000001DC0000-0x0000000001E71000-memory.dmp

Filesize
708KB

Download
memory/2444-49-0x0000000001DC0000-0x0000000001E71000-memory.dmp

Filesize
708KB

Download
memory/2444-45-0x0000000001DC0000-0x0000000001E71000-memory.dmp

Filesize
708KB

Download
memory/2444-44-0x000007FFFFFDB000-0x000007FFFFFDC000-memory.dmp

Filesize
4KB

Download
memory/2712-25-0x0000000001AF0000-0x0000000001BA1000-memory.dmp

Filesize
708KB

Download
memory/2712-53-0x0000000001AF0000-0x0000000001BA1000-memory.dmp

Filesize
708KB

Download
memory/2712-16-0x000007FFFFFD3000-0x000007FFFFFD4000-memory.dmp

Filesize
4KB

Download
memory/2712-17-0x0000000001AF0000-0x0000000001BA1000-memory.dmp

Filesize
708KB

Download
memory/2712-30-0x0000000001AF0000-0x0000000001BA1000-memory.dmp

Filesize
708KB

Download
memory/2712-24-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads