gozi | 9b615cbd7e76bd7ba8eb200282d80eeb80acf6d7093b91eb539b61fe5f56f94d | Triage

Submit
Reports

Overview

overview

Static

static

3

6695e787f1...18.exe

windows7-x64

6695e787f1...18.exe

windows10-2004-x64

Sharing

General

Target

6695e787f16834aba9284a71dbb79820_JaffaCakes118
Size

245KB
Sample

240522-j1dvtshc4s
MD5

6695e787f16834aba9284a71dbb79820
SHA1

e6e8ec98c4461a9b30ef88a8ef62912558ecb79a
SHA256

9b615cbd7e76bd7ba8eb200282d80eeb80acf6d7093b91eb539b61fe5f56f94d
SHA512

54d70f84b4f5380afd7e06ae9fd159bb31b6eae426ab36e362b41621b96c8759cf8282b8e9f44c494d06de2406a915d9cb886e053f0d30b33715f5145aa41f1e
SSDEEP

6144:9UE++GgnpJVavnLXjcKvgNclkJh5aY3+mr1:9zZGgdavnVvc5aYumr

Score

10^/10

gozi 1000 banker isfb persistence trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

6695e787f16834aba9284a71dbb79820_JaffaCakes118.exe

Resource

win7-20240419-en

gozi 1000 banker isfb persistence trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

6695e787f16834aba9284a71dbb79820_JaffaCakes118.exe

Resource

win10v2004-20240426-en

gozi 1000 banker isfb persistence trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

goliathuz.com

musicvideoporntip3s.ru

Attributes

exe_type
worker

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  6695e787f16834aba9284a71dbb79820_JaffaCakes118
- Size
  
  245KB
- MD5
  
  6695e787f16834aba9284a71dbb79820
- SHA1
  
  e6e8ec98c4461a9b30ef88a8ef62912558ecb79a
- SHA256
  
  9b615cbd7e76bd7ba8eb200282d80eeb80acf6d7093b91eb539b61fe5f56f94d
- SHA512
  
  54d70f84b4f5380afd7e06ae9fd159bb31b6eae426ab36e362b41621b96c8759cf8282b8e9f44c494d06de2406a915d9cb886e053f0d30b33715f5145aa41f1e
- SSDEEP
  
  6144:9UE++GgnpJVavnLXjcKvgNclkJh5aY3+mr1:9zZGgdavnVvc5aYumr
Score

10^/10

gozi 1000 banker isfb persistence trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

gozi1000bankerisfbpersistencetrojan

behavioral2

gozi1000bankerisfbpersistencetrojan

© 2018-2024

Terms | Privacy