gozi | 3eec66b77b94ef402c0b11c496df2f27867d0406dc59540d0bfaff4b271ecc2b

General

Target

69fb0b7092d4f247ac065abc6b06042bJaffaCakes118.exe
Size

586KB
MD5

69fb0b7092d4f247ac065abc6b06042b
SHA1

8d8d9b846e2f4624063806291c5875953d67457c
SHA256

3eec66b77b94ef402c0b11c496df2f27867d0406dc59540d0bfaff4b271ecc2b
SHA512

4f06d42fed4c033b1d835f0b7fc79450a8432c1168f4232d5534f26ec9bc07f5ed6df0a33736f41849b37be3279d23b0fa2b77dfb68ab92caaab9d3ec33a6b78
SSDEEP

12288:osiOZO5I+h2gOoIMUUtN5y1iyqTU/zWjdp9fs:+eO5I22lMUUEiyqM+dp9f

Score

10^/10

gozi 1100 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1100

C2

cyajon.at/krp3cmg

outaplaceshave.cn/krp3cmg

nozakin.at/krp3cmg

hothegivforsuffer.cn/krp3cmg

austrinok.at/krp3cmg

comerail.su/krp3cmg

ambieko.at/krp3cmg

justiceseasfriends.cn/krp3cmg

semitrol.at/krp3cmg

goinumder.su/krp3cmg

arexan.at/krp3cmg

trepeatedandequal.cn/krp3cmg

golovor.at/krp3cmg

therepalon.su/krp3cmg

creatortherefore.cn/krp3cmg

Attributes

build
214798
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
exe_type
worker
server_id
110

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Deletes itself 1 IoCs

Processes:

efsuSAPI.exe

pid process

2536 efsuSAPI.exe
Executes dropped EXE 1 IoCs

Processes:

efsuSAPI.exe

pid process

2536 efsuSAPI.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2540 cmd.exe

pid	process
2536	efsuSAPI.exe

pid	process
2536	efsuSAPI.exe

pid	process
2540	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

69fb0b7092d4f247ac065abc6b06042bJaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\d3d8GDFs = "C:\\Users\\Admin\\AppData\\Roaming\\Devilu32\\efsuSAPI.exe"	69fb0b7092d4f247ac065abc6b06042bJaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

efsuSAPI.exesvchost.exe

description	pid	process	target process
PID 2536 set thread context of 2560	2536	efsuSAPI.exe	svchost.exe
PID 2560 set thread context of 1204	2560	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

efsuSAPI.exeExplorer.EXE

pid process

2536 efsuSAPI.exe
1204 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

efsuSAPI.exesvchost.exe

pid process

2536 efsuSAPI.exe
2560 svchost.exe

pid	process
2536	efsuSAPI.exe
1204	Explorer.EXE

pid	process
2536	efsuSAPI.exe
2560	svchost.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

69fb0b7092d4f247ac065abc6b06042bJaffaCakes118.execmd.execmd.exeefsuSAPI.exesvchost.exe

description	pid	process	target process
PID 2220 wrote to memory of 2620	2220	69fb0b7092d4f247ac065abc6b06042bJaffaCakes118.exe	cmd.exe
PID 2220 wrote to memory of 2620	2220	69fb0b7092d4f247ac065abc6b06042bJaffaCakes118.exe	cmd.exe
PID 2220 wrote to memory of 2620	2220	69fb0b7092d4f247ac065abc6b06042bJaffaCakes118.exe	cmd.exe
PID 2220 wrote to memory of 2620	2220	69fb0b7092d4f247ac065abc6b06042bJaffaCakes118.exe	cmd.exe
PID 2620 wrote to memory of 2540	2620	cmd.exe	cmd.exe
PID 2620 wrote to memory of 2540	2620	cmd.exe	cmd.exe
PID 2620 wrote to memory of 2540	2620	cmd.exe	cmd.exe
PID 2620 wrote to memory of 2540	2620	cmd.exe	cmd.exe
PID 2540 wrote to memory of 2536	2540	cmd.exe	efsuSAPI.exe
PID 2540 wrote to memory of 2536	2540	cmd.exe	efsuSAPI.exe
PID 2540 wrote to memory of 2536	2540	cmd.exe	efsuSAPI.exe
PID 2540 wrote to memory of 2536	2540	cmd.exe	efsuSAPI.exe
PID 2536 wrote to memory of 2560	2536	efsuSAPI.exe	svchost.exe
PID 2536 wrote to memory of 2560	2536	efsuSAPI.exe	svchost.exe
PID 2536 wrote to memory of 2560	2536	efsuSAPI.exe	svchost.exe
PID 2536 wrote to memory of 2560	2536	efsuSAPI.exe	svchost.exe
PID 2536 wrote to memory of 2560	2536	efsuSAPI.exe	svchost.exe
PID 2536 wrote to memory of 2560	2536	efsuSAPI.exe	svchost.exe
PID 2536 wrote to memory of 2560	2536	efsuSAPI.exe	svchost.exe
PID 2560 wrote to memory of 1204	2560	svchost.exe	Explorer.EXE
PID 2560 wrote to memory of 1204	2560	svchost.exe	Explorer.EXE
PID 2560 wrote to memory of 1204	2560	svchost.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1204

C:\Users\Admin\AppData\Local\Temp\69fb0b7092d4f247ac065abc6b06042bJaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69fb0b7092d4f247ac065abc6b06042bJaffaCakes118.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7D8A\3EC5.bat" "C:\Users\Admin\AppData\Roaming\Devilu32\efsuSAPI.exe" "C:\Users\Admin\AppData\Local\Temp\69FB0B~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\Devilu32\efsuSAPI.exe" "C:\Users\Admin\AppData\Local\Temp\69FB0B~1.EXE""
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Roaming\Devilu32\efsuSAPI.exe
"C:\Users\Admin\AppData\Roaming\Devilu32\efsuSAPI.exe" "C:\Users\Admin\AppData\Local\Temp\69FB0B~1.EXE"
5⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2560

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7D8A\3EC5.bat
Filesize
112B

MD5
56bc8ee60dd96192b1bfba33b7d97340

SHA1
3b2e8d751776169b8eeb3faab0ecd7c1beeb20e5

SHA256
927fd231d4fc44122d92afc75e751e5df7ad6657e7e4245cae1a49829e972112

SHA512
f6cb41f0286cda8e3d9a3ff36c02024236f463c17476ac304d5b2a8a85acd1773ced9dda6f9f37abd7d823df80b734c6f8ea6ea1ad2cc7150e5d2af6e4075f17

Download Submit
\Users\Admin\AppData\Roaming\Devilu32\efsuSAPI.exe
Filesize
586KB

MD5
69fb0b7092d4f247ac065abc6b06042b

SHA1
8d8d9b846e2f4624063806291c5875953d67457c

SHA256
3eec66b77b94ef402c0b11c496df2f27867d0406dc59540d0bfaff4b271ecc2b

SHA512
4f06d42fed4c033b1d835f0b7fc79450a8432c1168f4232d5534f26ec9bc07f5ed6df0a33736f41849b37be3279d23b0fa2b77dfb68ab92caaab9d3ec33a6b78

Download Submit
memory/1204-37-0x0000000004270000-0x00000000042F9000-memory.dmp

Filesize
548KB

Download
memory/1204-28-0x0000000004270000-0x00000000042F9000-memory.dmp

Filesize
548KB

Download
memory/1204-44-0x0000000004270000-0x00000000042F9000-memory.dmp

Filesize
548KB

Download
memory/1204-43-0x0000000004270000-0x00000000042F9000-memory.dmp

Filesize
548KB

Download
memory/1204-42-0x0000000004270000-0x00000000042F9000-memory.dmp

Filesize
548KB

Download
memory/1204-41-0x0000000004270000-0x00000000042F9000-memory.dmp

Filesize
548KB

Download
memory/1204-38-0x0000000004270000-0x00000000042F9000-memory.dmp

Filesize
548KB

Download
memory/1204-39-0x0000000004270000-0x00000000042F9000-memory.dmp

Filesize
548KB

Download
memory/1204-40-0x0000000004270000-0x00000000042F9000-memory.dmp

Filesize
548KB

Download
memory/2220-0-0x0000000003650000-0x00000000036A4000-memory.dmp

Filesize
336KB

Download
memory/2220-3-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/2220-1-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/2220-15-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2220-2-0x0000000003650000-0x00000000036A4000-memory.dmp

Filesize
336KB

Download
memory/2220-4-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2536-27-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2536-20-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2560-24-0x00000000001F0000-0x0000000000279000-memory.dmp

Filesize
548KB

Download
memory/2560-22-0x000007FFFFFD6000-0x000007FFFFFD7000-memory.dmp

Filesize
4KB

Download
memory/2560-34-0x00000000001F0000-0x0000000000279000-memory.dmp

Filesize
548KB

Download
memory/2560-32-0x00000000001F0000-0x0000000000279000-memory.dmp

Filesize
548KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads