gozi | d4fd84db4cd115337bc9d97179df644966942b5f0574e0df6551cf32cfd869a2

General

Target

EacDriverBE.exe
Size

11KB
MD5

c6b2c74b647dcbbea223c51925c5c7dd
SHA1

071fa2b1394d2c95553149fd5eb643e0291927b3
SHA256

c5f1d37d96ed0788783f626a376144f85887a182155fed3b637744d9d9215a22
SHA512

ff1d378751d2722c165293b1dbefccc9aad42cb653f20178bbcbbc3318d6da0592e9099b7030f268c7cd60bc3e782ed2d66ddbf485391596f659b1e4c3c47b6c
SSDEEP

192:5S8JnK2fj6JIFjsJwpVwP456gijoVIgMa42JjrUxF59ooFIda:5S92L5FIJw/wgAjE7MeJvYooFi

Score

10^/10

gozi banker isfb trojan

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Executes dropped EXE 2 IoCs

Processes:

skn4f5g0.exeo0no53td.exe

pid process

3456 skn4f5g0.exe
2544 o0no53td.exe
Loads dropped DLL 1 IoCs

Processes:

EacDriverBE.exe

pid process

600 EacDriverBE.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

9 discord.com
1 raw.githubusercontent.com
2 raw.githubusercontent.com
8 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 checkip.amazonaws.com

pid	process
3456	skn4f5g0.exe
2544	o0no53td.exe

flow	ioc
9	discord.com
1	raw.githubusercontent.com
2	raw.githubusercontent.com
8	discord.com

flow	ioc
11	checkip.amazonaws.com

Drops file in Windows directory 2 IoCs

Processes:

taskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2040 schtasks.exe

pid	process
2040	schtasks.exe

Modifies registry class 7 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\ms-settings\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\ms-settings\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\ms-settings\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\ms-settings\shell\open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\consoledamage374.vbs"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\ms-settings\shell\open\command	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

EacDriverBE.exeskn4f5g0.exe

pid	process
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
3456	skn4f5g0.exe
3456	skn4f5g0.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe
600	EacDriverBE.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3404 Explorer.EXE

pid	process
3404	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

EacDriverBE.exeskn4f5g0.exeExplorer.EXEtaskmgr.exeo0no53td.exe

description	pid	process
Token: SeDebugPrivilege	600	EacDriverBE.exe
Token: SeDebugPrivilege	3456	skn4f5g0.exe
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeDebugPrivilege	392	taskmgr.exe
Token: SeSystemProfilePrivilege	392	taskmgr.exe
Token: SeCreateGlobalPrivilege	392	taskmgr.exe
Token: SeDebugPrivilege	2544	o0no53td.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

ComputerDefaults.exetaskmgr.exeExplorer.EXE

pid	process
4908	ComputerDefaults.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
3404	Explorer.EXE
3404	Explorer.EXE
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe

Suspicious use of SendNotifyMessage 44 IoCs

Processes:

taskmgr.exeExplorer.EXE

pid	process
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
3404	Explorer.EXE
3404	Explorer.EXE
3404	Explorer.EXE
3404	Explorer.EXE
3404	Explorer.EXE
3404	Explorer.EXE
3404	Explorer.EXE
3404	Explorer.EXE
3404	Explorer.EXE
3404	Explorer.EXE
3404	Explorer.EXE
3404	Explorer.EXE
3404	Explorer.EXE
3404	Explorer.EXE
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

EacDriverBE.execmd.execmd.exeskn4f5g0.exeExplorer.EXEo0no53td.exe

description	pid	process	target process
PID 600 wrote to memory of 1940	600	EacDriverBE.exe	reg.exe
PID 600 wrote to memory of 1940	600	EacDriverBE.exe	reg.exe
PID 600 wrote to memory of 1940	600	EacDriverBE.exe	reg.exe
PID 600 wrote to memory of 752	600	EacDriverBE.exe	reg.exe
PID 600 wrote to memory of 752	600	EacDriverBE.exe	reg.exe
PID 600 wrote to memory of 752	600	EacDriverBE.exe	reg.exe
PID 600 wrote to memory of 3076	600	EacDriverBE.exe	cmd.exe
PID 600 wrote to memory of 3076	600	EacDriverBE.exe	cmd.exe
PID 600 wrote to memory of 3076	600	EacDriverBE.exe	cmd.exe
PID 3076 wrote to memory of 4908	3076	cmd.exe	ComputerDefaults.exe
PID 3076 wrote to memory of 4908	3076	cmd.exe	ComputerDefaults.exe
PID 3076 wrote to memory of 4908	3076	cmd.exe	ComputerDefaults.exe
PID 600 wrote to memory of 1900	600	EacDriverBE.exe	cmd.exe
PID 600 wrote to memory of 1900	600	EacDriverBE.exe	cmd.exe
PID 600 wrote to memory of 1900	600	EacDriverBE.exe	cmd.exe
PID 1900 wrote to memory of 2040	1900	cmd.exe	schtasks.exe
PID 1900 wrote to memory of 2040	1900	cmd.exe	schtasks.exe
PID 1900 wrote to memory of 2040	1900	cmd.exe	schtasks.exe
PID 600 wrote to memory of 3456	600	EacDriverBE.exe	skn4f5g0.exe
PID 600 wrote to memory of 3456	600	EacDriverBE.exe	skn4f5g0.exe
PID 3456 wrote to memory of 3404	3456	skn4f5g0.exe	Explorer.EXE
PID 3456 wrote to memory of 3404	3456	skn4f5g0.exe	Explorer.EXE
PID 3456 wrote to memory of 3404	3456	skn4f5g0.exe	Explorer.EXE
PID 3456 wrote to memory of 3404	3456	skn4f5g0.exe	Explorer.EXE
PID 3456 wrote to memory of 3404	3456	skn4f5g0.exe	Explorer.EXE
PID 3456 wrote to memory of 3404	3456	skn4f5g0.exe	Explorer.EXE
PID 3456 wrote to memory of 3404	3456	skn4f5g0.exe	Explorer.EXE
PID 3456 wrote to memory of 3404	3456	skn4f5g0.exe	Explorer.EXE
PID 3456 wrote to memory of 3404	3456	skn4f5g0.exe	Explorer.EXE
PID 3456 wrote to memory of 3404	3456	skn4f5g0.exe	Explorer.EXE
PID 3456 wrote to memory of 3404	3456	skn4f5g0.exe	Explorer.EXE
PID 3456 wrote to memory of 3404	3456	skn4f5g0.exe	Explorer.EXE
PID 3456 wrote to memory of 3404	3456	skn4f5g0.exe	Explorer.EXE
PID 3404 wrote to memory of 392	3404	Explorer.EXE	taskmgr.exe
PID 3404 wrote to memory of 392	3404	Explorer.EXE	taskmgr.exe
PID 600 wrote to memory of 2544	600	EacDriverBE.exe	o0no53td.exe
PID 600 wrote to memory of 2544	600	EacDriverBE.exe	o0no53td.exe
PID 2544 wrote to memory of 392	2544	o0no53td.exe	taskmgr.exe
PID 2544 wrote to memory of 392	2544	o0no53td.exe	taskmgr.exe
PID 2544 wrote to memory of 392	2544	o0no53td.exe	taskmgr.exe
PID 2544 wrote to memory of 392	2544	o0no53td.exe	taskmgr.exe
PID 2544 wrote to memory of 392	2544	o0no53td.exe	taskmgr.exe
PID 2544 wrote to memory of 392	2544	o0no53td.exe	taskmgr.exe
PID 2544 wrote to memory of 392	2544	o0no53td.exe	taskmgr.exe
PID 2544 wrote to memory of 392	2544	o0no53td.exe	taskmgr.exe
PID 2544 wrote to memory of 392	2544	o0no53td.exe	taskmgr.exe
PID 2544 wrote to memory of 392	2544	o0no53td.exe	taskmgr.exe
PID 2544 wrote to memory of 392	2544	o0no53td.exe	taskmgr.exe
PID 2544 wrote to memory of 392	2544	o0no53td.exe	taskmgr.exe
PID 2544 wrote to memory of 392	2544	o0no53td.exe	taskmgr.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3404

C:\Users\Admin\AppData\Local\Temp\EacDriverBE.exe
"C:\Users\Admin\AppData\Local\Temp\EacDriverBE.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:600

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\consoledamage374.vbs" /f
3⤵
- Modifies registry class
PID:1940

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f
3⤵
- Modifies registry class
PID:752

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C computerdefaults.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3076

C:\Windows\SysWOW64\ComputerDefaults.exe
computerdefaults.exe
4⤵
- Suspicious use of FindShellTrayWindow
PID:4908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN JavaAutoUpdateTask_wwf7vChHJBMBk7lWy050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\wwf7vChHJBMBk7lWy050MX.exe" /RL HIGHEST /IT
3⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC ONLOGON /TN JavaAutoUpdateTask_wwf7vChHJBMBk7lWy050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\wwf7vChHJBMBk7lWy050MX.exe" /RL HIGHEST /IT
4⤵
- Creates scheduled task(s)
PID:2040

C:\Users\Admin\AppData\Local\Temp\skn4f5g0.exe
"C:\Users\Admin\AppData\Local\Temp\skn4f5g0.exe" explorer.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3456

C:\Users\Admin\AppData\Local\Temp\o0no53td.exe
"C:\Users\Admin\AppData\Local\Temp\o0no53td.exe" Taskmgr.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
2⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:392

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\skn4f5g0.exe
Filesize
124KB

MD5
e898826598a138f86f2aa80c0830707a

SHA1
1e912a5671f7786cc077f83146a0484e5a78729c

SHA256
df443ccf551470b3f9f7d92faf51b3b85ae206dd08da3b6390ce9a6039b7253a

SHA512
6827068b8580822ded1fb8447bdb038d0e00633f5ef7f480a8cdeaab6928ac23022a0b7a925058e0926ce9b41a6c8c22a5692e074621b2fccdb7edd29a0d4cfb

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\40BD99E3E2E3C109881E4ECA2DEDC617\32\sqlite.interop.dll
Filesize
1.4MB

MD5
6f2fdecc48e7d72ca1eb7f17a97e59ad

SHA1
fcbc8c4403e5c8194ee69158d7e70ee7dbd4c056

SHA256
70e48ef5c14766f3601c97451b47859fddcbe7f237e1c5200cea8e7a7609d809

SHA512
fea98a3d6fff1497551dc6583dd92798dcac764070a350fd381e856105a6411c94effd4b189b7a32608ff610422b8dbd6d93393c5da99ee66d4569d45191dc8b

Download Submit
memory/392-57-0x000002140B810000-0x000002140B818000-memory.dmp

Filesize
32KB

Download
memory/392-52-0x000002140B810000-0x000002140B818000-memory.dmp

Filesize
32KB

Download
memory/392-54-0x00007FF6D40F0000-0x00007FF6D421C000-memory.dmp

Filesize
1.2MB

Download
memory/392-56-0x000002140B810000-0x000002140B818000-memory.dmp

Filesize
32KB

Download
memory/392-55-0x00007FF80CB90000-0x00007FF80D282000-memory.dmp

Filesize
6.9MB

Download
memory/600-37-0x0000000073C10000-0x00000000742FE000-memory.dmp

Filesize
6.9MB

Download
memory/600-4-0x0000000004940000-0x00000000049D2000-memory.dmp

Filesize
584KB

Download
memory/600-9-0x000000000A3F0000-0x000000000AFF0000-memory.dmp

Filesize
12.0MB

Download
memory/600-16-0x0000000073C1E000-0x0000000073C1F000-memory.dmp

Filesize
4KB

Download
memory/600-6-0x0000000004F30000-0x000000000542E000-memory.dmp

Filesize
5.0MB

Download
memory/600-10-0x0000000011140000-0x0000000011DE2000-memory.dmp

Filesize
12.6MB

Download
memory/600-63-0x0000000005E10000-0x0000000005E76000-memory.dmp

Filesize
408KB

Download
memory/600-1-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

Filesize
40KB

Download
memory/600-2-0x0000000000AF0000-0x0000000000B0A000-memory.dmp

Filesize
104KB

Download
memory/600-3-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/600-36-0x0000000007410000-0x0000000007422000-memory.dmp

Filesize
72KB

Download
memory/600-0-0x0000000073C1E000-0x0000000073C1F000-memory.dmp

Filesize
4KB

Download
memory/600-5-0x0000000073C10000-0x00000000742FE000-memory.dmp

Filesize
6.9MB

Download
memory/3404-23-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download
memory/3404-30-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download
memory/3404-24-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3404-27-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download
memory/3404-29-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads