gozi | 3eec66b77b94ef402c0b11c496df2f27867d0406dc59540d0bfaff4b271ecc2b

General

Target

69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118.exe
Size

586KB
MD5

69fb0b7092d4f247ac065abc6b06042b
SHA1

8d8d9b846e2f4624063806291c5875953d67457c
SHA256

3eec66b77b94ef402c0b11c496df2f27867d0406dc59540d0bfaff4b271ecc2b
SHA512

4f06d42fed4c033b1d835f0b7fc79450a8432c1168f4232d5534f26ec9bc07f5ed6df0a33736f41849b37be3279d23b0fa2b77dfb68ab92caaab9d3ec33a6b78
SSDEEP

12288:osiOZO5I+h2gOoIMUUtN5y1iyqTU/zWjdp9fs:+eO5I22lMUUEiyqM+dp9f

Score

10^/10

gozi 1100 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1100

C2

cyajon.at/krp3cmg

outaplaceshave.cn/krp3cmg

nozakin.at/krp3cmg

hothegivforsuffer.cn/krp3cmg

austrinok.at/krp3cmg

comerail.su/krp3cmg

ambieko.at/krp3cmg

justiceseasfriends.cn/krp3cmg

semitrol.at/krp3cmg

goinumder.su/krp3cmg

arexan.at/krp3cmg

trepeatedandequal.cn/krp3cmg

golovor.at/krp3cmg

therepalon.su/krp3cmg

creatortherefore.cn/krp3cmg

Attributes

build
214798
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
exe_type
worker
server_id
110

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Deletes itself 1 IoCs

Processes:

adpranui.exe

pid process

2288 adpranui.exe
Executes dropped EXE 1 IoCs

Processes:

adpranui.exe

pid process

2288 adpranui.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

3060 cmd.exe

pid	process
2288	adpranui.exe

pid	process
2288	adpranui.exe

pid	process
3060	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\bitstLib = "C:\\Users\\Admin\\AppData\\Roaming\\BioCxRes\\adpranui.exe"	69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

adpranui.exesvchost.exe

description	pid	process	target process
PID 2288 set thread context of 2568	2288	adpranui.exe	svchost.exe
PID 2568 set thread context of 1200	2568	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

adpranui.exeExplorer.EXE

pid process

2288 adpranui.exe
1200 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

adpranui.exesvchost.exe

pid process

2288 adpranui.exe
2568 svchost.exe

pid	process
2288	adpranui.exe
1200	Explorer.EXE

pid	process
2288	adpranui.exe
2568	svchost.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118.execmd.execmd.exeadpranui.exesvchost.exe

description	pid	process	target process
PID 2956 wrote to memory of 2984	2956	69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118.exe	cmd.exe
PID 2956 wrote to memory of 2984	2956	69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118.exe	cmd.exe
PID 2956 wrote to memory of 2984	2956	69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118.exe	cmd.exe
PID 2956 wrote to memory of 2984	2956	69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118.exe	cmd.exe
PID 2984 wrote to memory of 3060	2984	cmd.exe	cmd.exe
PID 2984 wrote to memory of 3060	2984	cmd.exe	cmd.exe
PID 2984 wrote to memory of 3060	2984	cmd.exe	cmd.exe
PID 2984 wrote to memory of 3060	2984	cmd.exe	cmd.exe
PID 3060 wrote to memory of 2288	3060	cmd.exe	adpranui.exe
PID 3060 wrote to memory of 2288	3060	cmd.exe	adpranui.exe
PID 3060 wrote to memory of 2288	3060	cmd.exe	adpranui.exe
PID 3060 wrote to memory of 2288	3060	cmd.exe	adpranui.exe
PID 2288 wrote to memory of 2568	2288	adpranui.exe	svchost.exe
PID 2288 wrote to memory of 2568	2288	adpranui.exe	svchost.exe
PID 2288 wrote to memory of 2568	2288	adpranui.exe	svchost.exe
PID 2288 wrote to memory of 2568	2288	adpranui.exe	svchost.exe
PID 2288 wrote to memory of 2568	2288	adpranui.exe	svchost.exe
PID 2288 wrote to memory of 2568	2288	adpranui.exe	svchost.exe
PID 2288 wrote to memory of 2568	2288	adpranui.exe	svchost.exe
PID 2568 wrote to memory of 1200	2568	svchost.exe	Explorer.EXE
PID 2568 wrote to memory of 1200	2568	svchost.exe	Explorer.EXE
PID 2568 wrote to memory of 1200	2568	svchost.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1200
- C:\Users\Admin\AppData\Local\Temp\69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\64EC\3276.bat" "C:\Users\Admin\AppData\Roaming\BioCxRes\adpranui.exe" "C:\Users\Admin\AppData\Local\Temp\69FB0B~1.EXE""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C ""C:\Users\Admin\AppData\Roaming\BioCxRes\adpranui.exe" "C:\Users\Admin\AppData\Local\Temp\69FB0B~1.EXE""
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3060
    - - C:\Users\Admin\AppData\Roaming\BioCxRes\adpranui.exe
        
        "C:\Users\Admin\AppData\Roaming\BioCxRes\adpranui.exe" "C:\Users\Admin\AppData\Local\Temp\69FB0B~1.EXE"
        5⤵
        Deletes itself
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2288
      - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\64EC\3276.bat

Filesize
112B

MD5
80aff54145da7f612f6cfcc1afa76d25

SHA1
ebbfdf0d1268e6cdacbb189d89df053530bbc4c2

SHA256
20fde547600247d0882918933f282ddcfd96173b8fef6d5c93487edd96b2303a

SHA512
67280590794b6736d9876dbec869d9e9b5c7d34820266bfdd785e72477840a9721c235af7c8ace6970f1c700b099ff47a49ef4f91d76ba53710aa5f9faa3c63f

Download Submit
\Users\Admin\AppData\Roaming\BioCxRes\adpranui.exe

Filesize
586KB

MD5
69fb0b7092d4f247ac065abc6b06042b

SHA1
8d8d9b846e2f4624063806291c5875953d67457c

SHA256
3eec66b77b94ef402c0b11c496df2f27867d0406dc59540d0bfaff4b271ecc2b

SHA512
4f06d42fed4c033b1d835f0b7fc79450a8432c1168f4232d5534f26ec9bc07f5ed6df0a33736f41849b37be3279d23b0fa2b77dfb68ab92caaab9d3ec33a6b78

Download Submit
memory/1200-38-0x0000000004ED0000-0x0000000004F59000-memory.dmp

Filesize
548KB

Download
memory/1200-28-0x0000000004ED0000-0x0000000004F59000-memory.dmp

Filesize
548KB

Download
memory/1200-44-0x0000000004ED0000-0x0000000004F59000-memory.dmp

Filesize
548KB

Download
memory/1200-43-0x0000000004ED0000-0x0000000004F59000-memory.dmp

Filesize
548KB

Download
memory/1200-42-0x0000000004ED0000-0x0000000004F59000-memory.dmp

Filesize
548KB

Download
memory/1200-41-0x0000000004ED0000-0x0000000004F59000-memory.dmp

Filesize
548KB

Download
memory/1200-39-0x0000000004ED0000-0x0000000004F59000-memory.dmp

Filesize
548KB

Download
memory/1200-37-0x0000000004ED0000-0x0000000004F59000-memory.dmp

Filesize
548KB

Download
memory/1200-36-0x0000000004ED0000-0x0000000004F59000-memory.dmp

Filesize
548KB

Download
memory/2288-27-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2288-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2568-23-0x0000000000420000-0x00000000004A9000-memory.dmp

Filesize
548KB

Download
memory/2568-22-0x000007FFFFFDB000-0x000007FFFFFDC000-memory.dmp

Filesize
4KB

Download
memory/2568-32-0x0000000000420000-0x00000000004A9000-memory.dmp

Filesize
548KB

Download
memory/2956-1-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/2956-2-0x0000000003650000-0x00000000036A4000-memory.dmp

Filesize
336KB

Download
memory/2956-3-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/2956-15-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2956-0-0x0000000003650000-0x00000000036A4000-memory.dmp

Filesize
336KB

Download
memory/2956-5-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads