gozi | 63976172037b9392781c2760c050cb02db6003d0746be591d8cc2f0eac2b5d31

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30-05-2024 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8478e7fe58477cd1cca7fe12034de589_JaffaCakes118.exe
Size

203KB
MD5

8478e7fe58477cd1cca7fe12034de589
SHA1

c9f16ea092b69a95e2851b5a6c32661e95fa67f3
SHA256

63976172037b9392781c2760c050cb02db6003d0746be591d8cc2f0eac2b5d31
SHA512

fcd48ffb4af0f091172d518a56b8b6c2a25db485ef39afe4ee2d657037dd8862e18a21480c82033981d6914fc67353ba7d483932c412f1201e02627f6dd9a321
SSDEEP

3072:96ji2dQ6v4uPXDNUj4jKBonzmLXlYVRLh0epEEZqkFBc4+uTqN76o:9Edp4uPZzGonqXGXh0bluBc4GZ5

Score

10^/10

gozi 3162 banker isfb trojan

Malware Config

Extracted

Family

gozi

Attributes

build
215165

Extracted

Family

gozi

Botnet

3162

menehleibe.com

liemuteste.com

thulligend.com

Attributes

build
215165
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 403857a49db2da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000710b092a3b899fe87f673f7f6fb8eed22e878e17350a05f09ba8cc0c96a192fd000000000e8000000002000020000000be59d1b1fc1bd778ae0b8ca37a14585a97068373c9a9e1db0c3526afcba7c3cd2000000048be697fc49f6d4154cf67acdf7516867f0865814e7f866fb325996a65e6e296400000004b63d913dd06d0948e817a439042ed32c8038ddf5837e987f8a44c107b3c28546ee0ce5575abd6f89fcfecbc221a1a5ead434a89f8d4a4223802499823c7b6be	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000ad62f87f6af203ba8e51f2bc6dbb74b465199e808cc31bc2a22f6d671dbc1bf7000000000e80000000020000200000001e9e3bc31071404cd491dada3762a3c1996e8e5c9c6366f38af0efc281c816f09000000022889c24b7b5778ff0c841e2e556b40f9d0a5b22fb3c28f16f7366a6fe57bee2b75cc0201b41beec079037cac3e646d3aba39f7f4b20a6ae0e5771b7a48a78bd0a0ea27e62d1fb8ef561adcfd2b6bd81689fe222b50f66fcbfd11745f09ba8f7f9c1ff827729b698d280b04a1e35d808cb75f0aa645509b9d383cf5c83a809c0c824f22ff31bc4420b7686952a66260c400000008d9b5818088198b6410c1151130789b65005b5bd47ec99198306884e49802b34f1bbafa11072cfa2975019f55a02eff66e931c5e7380038148e50de12813aa15	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CFB285D1-1E90-11EF-A759-F637117826CF} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2556 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2556 iexplore.exe
2556 iexplore.exe
2544 IEXPLORE.EXE
2544 IEXPLORE.EXE

pid	process
2556	iexplore.exe

pid	process
2556	iexplore.exe
2556	iexplore.exe
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2556 wrote to memory of 2544	2556	iexplore.exe	IEXPLORE.EXE
PID 2556 wrote to memory of 2544	2556	iexplore.exe	IEXPLORE.EXE
PID 2556 wrote to memory of 2544	2556	iexplore.exe	IEXPLORE.EXE
PID 2556 wrote to memory of 2544	2556	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\8478e7fe58477cd1cca7fe12034de589_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8478e7fe58477cd1cca7fe12034de589_JaffaCakes118.exe"
1⤵
PID:2012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2544

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
8fd68fa8d26781cee355f40a2680a4dd

SHA1
70922d1f9e219a9a7560ba8b10a69a89692c215a

SHA256
122280d86b79f4a386cf06d9e20f2cb3352668a00ac0a18c9bf06a86ccb396bf

SHA512
23ac99a9ae3ba69ef3cec0c76ac3cff88256cab5f7be7d725f7dc703d42e4e23094083c02bade3ed0d0dcc1ec9d7971ff639243e831d95d6d062c4ef9350611c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
91d12af2d5f30b2d649fb0586b1b84b4

SHA1
8efbf19597a76b1f3a3dc60f87e10971aac3a116

SHA256
5b53449a59fe7151210f2325f0664551dd7023128c0cbae90e3f8c44ff46b312

SHA512
4b293760920f86de1c4325e32bdcf90ed38237716399bfa5ad6619d4b8c0475c8e16c789454ee1efb829d4628f157f42398e2685f3e29414838d52c9fbbd8488

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c1194b97454a3b3b826a4ae4ef44ad46

SHA1
2cd56dd8a274d39232ebf5bfd852a422c8f3cd6a

SHA256
49ffa4722e0f3954a98e45986a7b4eba2371007427c9d802ac372a50943d8c3c

SHA512
e3110aaecfa1471e1e966fa61574e01468e816cea3fbaab4c63facfa7ecf7537ecd80b68e96e369e018afd3e8c0c509dc7559b8ade3ab04b40c17252e72566e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
29179ed283759360096bbb07a6c4a957

SHA1
933205858ee0dd69e39790514255c57b6156cf48

SHA256
c7689187ecde8230b6b4ca37406755b273cbdd42d1e75e7643786019084dff03

SHA512
1f680639ef437af23d7a7e7f24f97e5a9b3eedcf57366db985ff322ba8814b056291d6ea5195284e457fcfe69de03871645ccfc70a6e354f346edb1eacee855e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
649d6c18f949b22fab57275084d5edcd

SHA1
67afa61f7ea4a68ee4d4b7634dc09c38b3a2bb31

SHA256
792adbc1e5dcc0b3aee763855e8fc7ec50fe8449268cd2d00cec289a1dcfb5e7

SHA512
c3a40f2ceecacc30f7ec3dd6fdcd1faa953a866410d131e6f38078621b150dee80c105c77cafdce88ac2cfca569a892f5c48260588105798e17f7690216242e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
763c3a2bc746879383a7d454527ea838

SHA1
631550f1b462fecd8fe0fdfdae96ae574c7560a8

SHA256
460079bf3595f9a340b57201e2a6f0bf57e13ab9f8736ed42cb858bc62e2c8fa

SHA512
eaa2d743c113af8995170aa1ed0465425df83ba9ff1e41029b3f0f2018309db2b03e94b52fbd644bcddc1ab31d6aa70d6844ee0635cbbdf2e9339e1d0fe8b373

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
560422c79ddbe60936ee6f1c353e13af

SHA1
fe32b7eb6ee7d3d58d5527f77be8db31d814c0c3

SHA256
c71db12d52a54b60ca161a6039d658bebbf79b1b1e7310ae28e479effb960e6f

SHA512
d0513619ca39bf5c57aa47d8bba18829182cfa5817edfc69e5004dbbe6427d09d479731aec455256375c6346b400d8a2b1c0ea6cca836aee9498d72520dea22c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
697f931535126abf82b5d1add572932a

SHA1
0830b62056cb42ad5ec475c2db4f11a0df21b023

SHA256
a76f27d962faf8f5b341128179bff9e179d960317feb8c57ad6a72b887bffef1

SHA512
6670bd4d4770ff61e538cf9c107495d5e4b72ab755761edfbda30a06ff3bc4883170dcd1d9d9db0648685593ed93a0182f8be822ee25e42acb7952d89fdc5733

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab894F.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab89ED.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8A01.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2012-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2012-11-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2012-8-0x00000000002B0000-0x00000000002B2000-memory.dmp

Filesize
8KB

Download
memory/2012-4-0x0000000000280000-0x000000000029B000-memory.dmp

Filesize
108KB

Download
memory/2012-2-0x0000000000435000-0x000000000043A000-memory.dmp

Filesize
20KB

Download
memory/2012-3-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2012-1-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download