General
-
Target
94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118
-
Size
429KB
-
Sample
240604-m6w55seb2v
-
MD5
94991507c04f29915d7afeb6a1ce2c0b
-
SHA1
bb71a4a11a793cd6e4554e6cfa415bc93509599d
-
SHA256
0369d29e8f8ac8c5408ade862673a5220f39e9f79cf68ad4d0e692c843e3ff9f
-
SHA512
b1df63faa49c0f5aed4973375e2b70da477126f1b651418be038ba66ddadee7e89cf20db56504e0d8d42a01490cc6312613c72e82056ed1ade4af6693df734b0
-
SSDEEP
12288:gErZ1tp5Be+DDqzzATxOife+iOANdt8DKxvqcldx/oVIY:gE9x5bXE8oif9U8DKRqEdx/x
Malware Config
Extracted
gozi
Extracted
gozi
10030
jscallowallowallowjcli.me
disallowjscuserallow.pw
-
build
215790
-
dga_base_url
z1.zedo.com/robots.txt
-
dga_crc
0x246640bb
-
exe_type
worker
-
server_id
12
Targets
-
-
Target
94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118
-
Size
429KB
-
MD5
94991507c04f29915d7afeb6a1ce2c0b
-
SHA1
bb71a4a11a793cd6e4554e6cfa415bc93509599d
-
SHA256
0369d29e8f8ac8c5408ade862673a5220f39e9f79cf68ad4d0e692c843e3ff9f
-
SHA512
b1df63faa49c0f5aed4973375e2b70da477126f1b651418be038ba66ddadee7e89cf20db56504e0d8d42a01490cc6312613c72e82056ed1ade4af6693df734b0
-
SSDEEP
12288:gErZ1tp5Be+DDqzzATxOife+iOANdt8DKxvqcldx/oVIY:gE9x5bXE8oif9U8DKRqEdx/x
Score10/10-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-