General
-
Target
85ae6322075411aa058d86bba298d96f_JaffaCakes118
-
Size
458KB
-
Sample
240531-cgymkacd43
-
MD5
85ae6322075411aa058d86bba298d96f
-
SHA1
ef53ad12f809d57121638e2bc60cb41020f866c0
-
SHA256
84b36e91505fbdfb8cf9b4f04ae8058bcfdcbcd3bb1c3a8f990f7dfff50175c2
-
SHA512
404d2b6081f871e025a1765d26328641112aee55054e4bed623e1f0b3cbe5811ff9c809c9a3d5abf90634b16333cfcd6476a6b784792093939be7c22d350ae72
-
SSDEEP
12288:kVtmGVrCyb33+udup8l6Gx9nL0ybAAblG0Hd:kVthGs+U88l6GX0ybAAblG09
Malware Config
Extracted
gozi
Extracted
gozi
1000
epowjeynol4k7dze.onion
http://sweetlights.at
http://mushroomstreveler.at
-
build
217027
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
0x4eb7d2ca
-
dga_season
10
-
dga_tlds
com
ru
org
-
exe_type
worker
-
server_id
12
Targets
-
-
Target
85ae6322075411aa058d86bba298d96f_JaffaCakes118
-
Size
458KB
-
MD5
85ae6322075411aa058d86bba298d96f
-
SHA1
ef53ad12f809d57121638e2bc60cb41020f866c0
-
SHA256
84b36e91505fbdfb8cf9b4f04ae8058bcfdcbcd3bb1c3a8f990f7dfff50175c2
-
SHA512
404d2b6081f871e025a1765d26328641112aee55054e4bed623e1f0b3cbe5811ff9c809c9a3d5abf90634b16333cfcd6476a6b784792093939be7c22d350ae72
-
SSDEEP
12288:kVtmGVrCyb33+udup8l6Gx9nL0ybAAblG0Hd:kVthGs+U88l6GX0ybAAblG09
Score10/10-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-