General

  • Target

    94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118

  • Size

    429KB

  • Sample

    240604-m6w55seb2v

  • MD5

    94991507c04f29915d7afeb6a1ce2c0b

  • SHA1

    bb71a4a11a793cd6e4554e6cfa415bc93509599d

  • SHA256

    0369d29e8f8ac8c5408ade862673a5220f39e9f79cf68ad4d0e692c843e3ff9f

  • SHA512

    b1df63faa49c0f5aed4973375e2b70da477126f1b651418be038ba66ddadee7e89cf20db56504e0d8d42a01490cc6312613c72e82056ed1ade4af6693df734b0

  • SSDEEP

    12288:gErZ1tp5Be+DDqzzATxOife+iOANdt8DKxvqcldx/oVIY:gE9x5bXE8oif9U8DKRqEdx/x

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

10030

C2

jscallowallowallowjcli.me

disallowjscuserallow.pw

Attributes

  • build

    215790

  • dga_base_url

    z1.zedo.com/robots.txt

  • dga_crc

    0x246640bb

  • exe_type

    worker

  • server_id

    12

  • rsa_pubkey.plain

  • serpent.plain

Targets

    • Target

      94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118

    • Size

      429KB

    • MD5

      94991507c04f29915d7afeb6a1ce2c0b

    • SHA1

      bb71a4a11a793cd6e4554e6cfa415bc93509599d

    • SHA256

      0369d29e8f8ac8c5408ade862673a5220f39e9f79cf68ad4d0e692c843e3ff9f

    • SHA512

      b1df63faa49c0f5aed4973375e2b70da477126f1b651418be038ba66ddadee7e89cf20db56504e0d8d42a01490cc6312613c72e82056ed1ade4af6693df734b0

    • SSDEEP

      12288:gErZ1tp5Be+DDqzzATxOife+iOANdt8DKxvqcldx/oVIY:gE9x5bXE8oif9U8DKRqEdx/x

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution

    T1547 (1)

    • Registry Run Keys / Startup Folder

      T1547.001 (1)

Privilege Escalation

  • Boot or Logon Autostart Execution

    T1547 (1)

    • Registry Run Keys / Startup Folder

      T1547.001 (1)

Defense Evasion

  • Modify Registry

    T1112 (1)

Discovery

  • Query Registry

    T1012 (1)

  • System Information Discovery

    T1082 (2)

Tasks