gozi | 0369d29e8f8ac8c5408ade862673a5220f39e9f79cf68ad4d0e692c843e3ff9f

General

Target

94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.exe
Size

429KB
MD5

94991507c04f29915d7afeb6a1ce2c0b
SHA1

bb71a4a11a793cd6e4554e6cfa415bc93509599d
SHA256

0369d29e8f8ac8c5408ade862673a5220f39e9f79cf68ad4d0e692c843e3ff9f
SHA512

b1df63faa49c0f5aed4973375e2b70da477126f1b651418be038ba66ddadee7e89cf20db56504e0d8d42a01490cc6312613c72e82056ed1ade4af6693df734b0
SSDEEP

12288:gErZ1tp5Be+DDqzzATxOife+iOANdt8DKxvqcldx/oVIY:gE9x5bXE8oif9U8DKRqEdx/x

Score

10^/10

gozi 10030 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

10030

C2

jscallowallowallowjcli.me

disallowjscuserallow.pw

Attributes

build
215790
dga_base_url
z1.zedo.com/robots.txt
dga_crc
0x246640bb
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Deletes itself 1 IoCs

pid	Process
2612	cmickmgr.exe

Executes dropped EXE 1 IoCs

pid	Process
2612	cmickmgr.exe

Loads dropped DLL 2 IoCs

pid	Process
2592	cmd.exe
2592	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\compOMEX = "C:\\Users\\Admin\\AppData\\Roaming\\bitsupnp\\cmickmgr.exe"	94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2612 set thread context of 2748	2612	cmickmgr.exe	32
PID 2748 set thread context of 1152	2748	svchost.exe	20

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2612	cmickmgr.exe
1152	Explorer.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2612	cmickmgr.exe
2748	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1152	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2244	3012	94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.exe	28
PID 3012 wrote to memory of 2244	3012	94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.exe	28
PID 3012 wrote to memory of 2244	3012	94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.exe	28
PID 3012 wrote to memory of 2244	3012	94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.exe	28
PID 2244 wrote to memory of 2592	2244	cmd.exe	30
PID 2244 wrote to memory of 2592	2244	cmd.exe	30
PID 2244 wrote to memory of 2592	2244	cmd.exe	30
PID 2244 wrote to memory of 2592	2244	cmd.exe	30
PID 2592 wrote to memory of 2612	2592	cmd.exe	31
PID 2592 wrote to memory of 2612	2592	cmd.exe	31
PID 2592 wrote to memory of 2612	2592	cmd.exe	31
PID 2592 wrote to memory of 2612	2592	cmd.exe	31
PID 2612 wrote to memory of 2748	2612	cmickmgr.exe	32
PID 2612 wrote to memory of 2748	2612	cmickmgr.exe	32
PID 2612 wrote to memory of 2748	2612	cmickmgr.exe	32
PID 2612 wrote to memory of 2748	2612	cmickmgr.exe	32
PID 2612 wrote to memory of 2748	2612	cmickmgr.exe	32
PID 2612 wrote to memory of 2748	2612	cmickmgr.exe	32
PID 2612 wrote to memory of 2748	2612	cmickmgr.exe	32
PID 2748 wrote to memory of 1152	2748	svchost.exe	20
PID 2748 wrote to memory of 1152	2748	svchost.exe	20
PID 2748 wrote to memory of 1152	2748	svchost.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1152
- C:\Users\Admin\AppData\Local\Temp\94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\3276\193B.bat" "C:\Users\Admin\AppData\Roaming\bitsupnp\cmickmgr.exe" "C:\Users\Admin\AppData\Local\Temp\949915~1.EXE""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C ""C:\Users\Admin\AppData\Roaming\bitsupnp\cmickmgr.exe" "C:\Users\Admin\AppData\Local\Temp\949915~1.EXE""
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Users\Admin\AppData\Roaming\bitsupnp\cmickmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\bitsupnp\cmickmgr.exe" "C:\Users\Admin\AppData\Local\Temp\949915~1.EXE"
        5⤵
        Deletes itself
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2612
      - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3276\193B.bat

Filesize
112B

MD5
bb9f000363ac2c29e82a92a62b562a97

SHA1
4936738f69c5f711c954ad74b64525bd5574ce05

SHA256
2e6cacd97bded703a44a12b24e9f987d3dcc93e3835567375ea521592931dd08

SHA512
6eb89109fafc416311c0cb4bb05cdca7921c94efca520bae276c922d89f4388ae507e8bcaddc57236a0e7202af340ac1d54df827ee298c2537fee2fc5864d605

Download Submit
C:\Users\Admin\AppData\Roaming\bitsupnp\cmickmgr.exe

Filesize
429KB

MD5
94991507c04f29915d7afeb6a1ce2c0b

SHA1
bb71a4a11a793cd6e4554e6cfa415bc93509599d

SHA256
0369d29e8f8ac8c5408ade862673a5220f39e9f79cf68ad4d0e692c843e3ff9f

SHA512
b1df63faa49c0f5aed4973375e2b70da477126f1b651418be038ba66ddadee7e89cf20db56504e0d8d42a01490cc6312613c72e82056ed1ade4af6693df734b0

Download Submit
memory/1152-30-0x0000000005290000-0x0000000005391000-memory.dmp

Filesize
1.0MB

Download
memory/1152-45-0x0000000005290000-0x0000000005391000-memory.dmp

Filesize
1.0MB

Download
memory/1152-36-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1152-37-0x0000000005290000-0x0000000005391000-memory.dmp

Filesize
1.0MB

Download
memory/1152-40-0x0000000005290000-0x0000000005391000-memory.dmp

Filesize
1.0MB

Download
memory/1152-42-0x0000000005290000-0x0000000005391000-memory.dmp

Filesize
1.0MB

Download
memory/1152-43-0x0000000005290000-0x0000000005391000-memory.dmp

Filesize
1.0MB

Download
memory/1152-39-0x0000000005290000-0x0000000005391000-memory.dmp

Filesize
1.0MB

Download
memory/2612-18-0x0000000000330000-0x0000000000395000-memory.dmp

Filesize
404KB

Download
memory/2612-28-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2612-29-0x0000000000330000-0x0000000000395000-memory.dmp

Filesize
404KB

Download
memory/2748-26-0x0000000000470000-0x0000000000571000-memory.dmp

Filesize
1.0MB

Download
memory/2748-23-0x0000000000470000-0x0000000000571000-memory.dmp

Filesize
1.0MB

Download
memory/2748-22-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2748-21-0x000007FFFFFD7000-0x000007FFFFFD8000-memory.dmp

Filesize
4KB

Download
memory/2748-34-0x0000000000470000-0x0000000000571000-memory.dmp

Filesize
1.0MB

Download
memory/3012-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3012-12-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3012-2-0x00000000004F0000-0x0000000000555000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads