General

  • Target

    8541c3e5a2fea353fab1657575993319_JaffaCakes118

  • Size

    534KB

  • Sample

    240530-3c1t8seh34

  • MD5

    8541c3e5a2fea353fab1657575993319

  • SHA1

    95383648af291e339dfa628a3950686e822e93d5

  • SHA256

    4897564a8c3fd201eb272b044f8c17a2518e6cc10fa6d1bbff806b4f012805ec

  • SHA512

    0ce82bf2397186e93d1f5f0f66576536dd66462d940b781a8e0f0e52041d3d3ca604dbfd15a3c4ee196780ecf23d9145edb997d9927a9f2261aaecb305ab7fe4

  • SSDEEP

    12288:8urQ2eY45lYMxuqLOjy9lmbCKyBXUe7S/kVpprgPs:nGlY8xheO/ke7SaR

Malware Config

Extracted

Family

gozi

Attributes
  • build

    215798

rsa_pubkey.plain

Targets

    • Target

      8541c3e5a2fea353fab1657575993319_JaffaCakes118

    • Size

      534KB

    • MD5

      8541c3e5a2fea353fab1657575993319

    • SHA1

      95383648af291e339dfa628a3950686e822e93d5

    • SHA256

      4897564a8c3fd201eb272b044f8c17a2518e6cc10fa6d1bbff806b4f012805ec

    • SHA512

      0ce82bf2397186e93d1f5f0f66576536dd66462d940b781a8e0f0e52041d3d3ca604dbfd15a3c4ee196780ecf23d9145edb997d9927a9f2261aaecb305ab7fe4

    • SSDEEP

      12288:8urQ2eY45lYMxuqLOjy9lmbCKyBXUe7S/kVpprgPs:nGlY8xheO/ke7SaR

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Boot or Logon Autostart Execution: T1547 (1)
  • Registry Run Keys / Startup Folder: T1547.001 (1)

Privilege Escalation

  • Boot or Logon Autostart Execution: T1547 (1)
  • Registry Run Keys / Startup Folder: T1547.001 (1)

Defense Evasion

  • Modify Registry: T1112 (1)

Discovery

  • Query Registry: T1012 (2)
  • System Information Discovery: T1082 (3)
  • Peripheral Device Discovery: T1120 (1)

Tasks