gozi | 4897564a8c3fd201eb272b044f8c17a2518e6cc10fa6d1bbff806b4f012805ec

General

Target

8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe
Size

534KB
MD5

8541c3e5a2fea353fab1657575993319
SHA1

95383648af291e339dfa628a3950686e822e93d5
SHA256

4897564a8c3fd201eb272b044f8c17a2518e6cc10fa6d1bbff806b4f012805ec
SHA512

0ce82bf2397186e93d1f5f0f66576536dd66462d940b781a8e0f0e52041d3d3ca604dbfd15a3c4ee196780ecf23d9145edb997d9927a9f2261aaecb305ab7fe4
SSDEEP

12288:8urQ2eY45lYMxuqLOjy9lmbCKyBXUe7S/kVpprgPs:nGlY8xheO/ke7SaR

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Attributes

build
215798

rsa_pubkey.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Executes dropped EXE 2 IoCs

Processes:

cmickmgr.execmickmgr.exe

pid process

2704 cmickmgr.exe
2680 cmickmgr.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2536 cmd.exe
2536 cmd.exe

pid	process
2704	cmickmgr.exe
2680	cmickmgr.exe

pid	process
2536	cmd.exe
2536	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\compOMEX = "C:\\Users\\Admin\\AppData\\Roaming\\bitsupnp\\cmickmgr.exe"	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

8541c3e5a2fea353fab1657575993319_JaffaCakes118.execmickmgr.execmickmgr.exesvchost.exe

description	pid	process	target process
PID 1936 set thread context of 2296	1936	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe
PID 2704 set thread context of 2680	2704	cmickmgr.exe	cmickmgr.exe
PID 2680 set thread context of 2892	2680	cmickmgr.exe	svchost.exe
PID 2892 set thread context of 1204	2892	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cmickmgr.exeExplorer.EXE

pid process

2680 cmickmgr.exe
1204 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

cmickmgr.exesvchost.exe

pid process

2680 cmickmgr.exe
2892 svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE

pid	process
2680	cmickmgr.exe
1204	Explorer.EXE

pid	process
2680	cmickmgr.exe
2892	svchost.exe

pid	process
1204	Explorer.EXE

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe8541c3e5a2fea353fab1657575993319_JaffaCakes118.execmd.execmd.execmickmgr.execmickmgr.exesvchost.exe

description	pid	process	target process
PID 1936 wrote to memory of 2296	1936	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe
PID 1936 wrote to memory of 2296	1936	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe
PID 1936 wrote to memory of 2296	1936	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe
PID 1936 wrote to memory of 2296	1936	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe
PID 1936 wrote to memory of 2296	1936	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe
PID 1936 wrote to memory of 2296	1936	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe
PID 1936 wrote to memory of 2296	1936	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe
PID 1936 wrote to memory of 2296	1936	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe
PID 1936 wrote to memory of 2296	1936	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe
PID 1936 wrote to memory of 2296	1936	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe
PID 1936 wrote to memory of 2296	1936	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe
PID 2296 wrote to memory of 2912	2296	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe	cmd.exe
PID 2296 wrote to memory of 2912	2296	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe	cmd.exe
PID 2296 wrote to memory of 2912	2296	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe	cmd.exe
PID 2296 wrote to memory of 2912	2296	8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe	cmd.exe
PID 2912 wrote to memory of 2536	2912	cmd.exe	cmd.exe
PID 2912 wrote to memory of 2536	2912	cmd.exe	cmd.exe
PID 2912 wrote to memory of 2536	2912	cmd.exe	cmd.exe
PID 2912 wrote to memory of 2536	2912	cmd.exe	cmd.exe
PID 2536 wrote to memory of 2704	2536	cmd.exe	cmickmgr.exe
PID 2536 wrote to memory of 2704	2536	cmd.exe	cmickmgr.exe
PID 2536 wrote to memory of 2704	2536	cmd.exe	cmickmgr.exe
PID 2536 wrote to memory of 2704	2536	cmd.exe	cmickmgr.exe
PID 2704 wrote to memory of 2680	2704	cmickmgr.exe	cmickmgr.exe
PID 2704 wrote to memory of 2680	2704	cmickmgr.exe	cmickmgr.exe
PID 2704 wrote to memory of 2680	2704	cmickmgr.exe	cmickmgr.exe
PID 2704 wrote to memory of 2680	2704	cmickmgr.exe	cmickmgr.exe
PID 2704 wrote to memory of 2680	2704	cmickmgr.exe	cmickmgr.exe
PID 2704 wrote to memory of 2680	2704	cmickmgr.exe	cmickmgr.exe
PID 2704 wrote to memory of 2680	2704	cmickmgr.exe	cmickmgr.exe
PID 2704 wrote to memory of 2680	2704	cmickmgr.exe	cmickmgr.exe
PID 2704 wrote to memory of 2680	2704	cmickmgr.exe	cmickmgr.exe
PID 2704 wrote to memory of 2680	2704	cmickmgr.exe	cmickmgr.exe
PID 2704 wrote to memory of 2680	2704	cmickmgr.exe	cmickmgr.exe
PID 2680 wrote to memory of 2892	2680	cmickmgr.exe	svchost.exe
PID 2680 wrote to memory of 2892	2680	cmickmgr.exe	svchost.exe
PID 2680 wrote to memory of 2892	2680	cmickmgr.exe	svchost.exe
PID 2680 wrote to memory of 2892	2680	cmickmgr.exe	svchost.exe
PID 2680 wrote to memory of 2892	2680	cmickmgr.exe	svchost.exe
PID 2680 wrote to memory of 2892	2680	cmickmgr.exe	svchost.exe
PID 2680 wrote to memory of 2892	2680	cmickmgr.exe	svchost.exe
PID 2892 wrote to memory of 1204	2892	svchost.exe	Explorer.EXE
PID 2892 wrote to memory of 1204	2892	svchost.exe	Explorer.EXE
PID 2892 wrote to memory of 1204	2892	svchost.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1204

C:\Users\Admin\AppData\Local\Temp\8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Local\Temp\8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8541c3e5a2fea353fab1657575993319_JaffaCakes118.exe"
3⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\62A\8315.bat" "C:\Users\Admin\AppData\Roaming\bitsupnp\cmickmgr.exe" "C:\Users\Admin\AppData\Local\Temp\8541C3~1.EXE""
4⤵
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\bitsupnp\cmickmgr.exe" "C:\Users\Admin\AppData\Local\Temp\8541C3~1.EXE""
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536

C:\Users\Admin\AppData\Roaming\bitsupnp\cmickmgr.exe
"C:\Users\Admin\AppData\Roaming\bitsupnp\cmickmgr.exe" "C:\Users\Admin\AppData\Local\Temp\8541C3~1.EXE"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2704

C:\Users\Admin\AppData\Roaming\bitsupnp\cmickmgr.exe
"C:\Users\Admin\AppData\Roaming\bitsupnp\cmickmgr.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2892

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\62A\8315.bat
Filesize
112B

MD5
7aa059f9897c2eb366c71746ca68f865

SHA1
1bdba8189b8af9e2574c076c6730df61b96fc5e6

SHA256
7ebf28f854ca9a80480b0f64eb17d496861fe5a75b175b58038e2080ac7fef6e

SHA512
19db65d6edb15a062bacc78e764929d365cf5e239a57f4aaac2ede9c7717c13b145059fcf0cefcda15649c68eff0a27b2dcbbbd137c79bcb3e49f899626334ca

Download Submit
C:\Users\Admin\AppData\Roaming\bitsupnp\cmickmgr.exe
Filesize
534KB

MD5
8541c3e5a2fea353fab1657575993319

SHA1
95383648af291e339dfa628a3950686e822e93d5

SHA256
4897564a8c3fd201eb272b044f8c17a2518e6cc10fa6d1bbff806b4f012805ec

SHA512
0ce82bf2397186e93d1f5f0f66576536dd66462d940b781a8e0f0e52041d3d3ca604dbfd15a3c4ee196780ecf23d9145edb997d9927a9f2261aaecb305ab7fe4

Download Submit
memory/1204-61-0x0000000005110000-0x0000000005214000-memory.dmp

Filesize
1.0MB

Download
memory/1204-62-0x0000000005110000-0x0000000005214000-memory.dmp

Filesize
1.0MB

Download
memory/1204-63-0x0000000005110000-0x0000000005214000-memory.dmp

Filesize
1.0MB

Download
memory/1204-64-0x0000000005110000-0x0000000005214000-memory.dmp

Filesize
1.0MB

Download
memory/1204-52-0x0000000005110000-0x0000000005214000-memory.dmp

Filesize
1.0MB

Download
memory/2296-17-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2296-6-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2296-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2296-4-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2296-27-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2296-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2296-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2296-10-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2296-8-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2296-16-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2296-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2680-51-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2680-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2680-45-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2892-53-0x00000000003E0000-0x00000000004E4000-memory.dmp

Filesize
1.0MB

Download
memory/2892-47-0x00000000003E0000-0x00000000004E4000-memory.dmp

Filesize
1.0MB

Download
memory/2892-46-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads