gozi | 0369d29e8f8ac8c5408ade862673a5220f39e9f79cf68ad4d0e692c843e3ff9f

General

Target

94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.exe
Size

429KB
MD5

94991507c04f29915d7afeb6a1ce2c0b
SHA1

bb71a4a11a793cd6e4554e6cfa415bc93509599d
SHA256

0369d29e8f8ac8c5408ade862673a5220f39e9f79cf68ad4d0e692c843e3ff9f
SHA512

b1df63faa49c0f5aed4973375e2b70da477126f1b651418be038ba66ddadee7e89cf20db56504e0d8d42a01490cc6312613c72e82056ed1ade4af6693df734b0
SSDEEP

12288:gErZ1tp5Be+DDqzzATxOife+iOANdt8DKxvqcldx/oVIY:gE9x5bXE8oif9U8DKRqEdx/x

Score

10^/10

gozi 10030 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

10030

C2

jscallowallowallowjcli.me

disallowjscuserallow.pw

Attributes

build
215790
dga_base_url
z1.zedo.com/robots.txt
dga_crc
0x246640bb
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Deletes itself 1 IoCs

Processes:

cmickmgr.exe

pid process

2612 cmickmgr.exe
Executes dropped EXE 1 IoCs

Processes:

cmickmgr.exe

pid process

2612 cmickmgr.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2592 cmd.exe
2592 cmd.exe

pid	process
2612	cmickmgr.exe

pid	process
2612	cmickmgr.exe

pid	process
2592	cmd.exe
2592	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\compOMEX = "C:\\Users\\Admin\\AppData\\Roaming\\bitsupnp\\cmickmgr.exe"	94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

cmickmgr.exesvchost.exe

description	pid	process	target process
PID 2612 set thread context of 2748	2612	cmickmgr.exe	svchost.exe
PID 2748 set thread context of 1152	2748	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cmickmgr.exeExplorer.EXE

pid process

2612 cmickmgr.exe
1152 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

cmickmgr.exesvchost.exe

pid process

2612 cmickmgr.exe
2748 svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1152 Explorer.EXE

pid	process
2612	cmickmgr.exe
1152	Explorer.EXE

pid	process
2612	cmickmgr.exe
2748	svchost.exe

pid	process
1152	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.execmd.execmd.execmickmgr.exesvchost.exe

description	pid	process	target process
PID 3012 wrote to memory of 2244	3012	94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.exe	cmd.exe
PID 3012 wrote to memory of 2244	3012	94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.exe	cmd.exe
PID 3012 wrote to memory of 2244	3012	94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.exe	cmd.exe
PID 3012 wrote to memory of 2244	3012	94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.exe	cmd.exe
PID 2244 wrote to memory of 2592	2244	cmd.exe	cmd.exe
PID 2244 wrote to memory of 2592	2244	cmd.exe	cmd.exe
PID 2244 wrote to memory of 2592	2244	cmd.exe	cmd.exe
PID 2244 wrote to memory of 2592	2244	cmd.exe	cmd.exe
PID 2592 wrote to memory of 2612	2592	cmd.exe	cmickmgr.exe
PID 2592 wrote to memory of 2612	2592	cmd.exe	cmickmgr.exe
PID 2592 wrote to memory of 2612	2592	cmd.exe	cmickmgr.exe
PID 2592 wrote to memory of 2612	2592	cmd.exe	cmickmgr.exe
PID 2612 wrote to memory of 2748	2612	cmickmgr.exe	svchost.exe
PID 2612 wrote to memory of 2748	2612	cmickmgr.exe	svchost.exe
PID 2612 wrote to memory of 2748	2612	cmickmgr.exe	svchost.exe
PID 2612 wrote to memory of 2748	2612	cmickmgr.exe	svchost.exe
PID 2612 wrote to memory of 2748	2612	cmickmgr.exe	svchost.exe
PID 2612 wrote to memory of 2748	2612	cmickmgr.exe	svchost.exe
PID 2612 wrote to memory of 2748	2612	cmickmgr.exe	svchost.exe
PID 2748 wrote to memory of 1152	2748	svchost.exe	Explorer.EXE
PID 2748 wrote to memory of 1152	2748	svchost.exe	Explorer.EXE
PID 2748 wrote to memory of 1152	2748	svchost.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1152

C:\Users\Admin\AppData\Local\Temp\94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\3276\193B.bat" "C:\Users\Admin\AppData\Roaming\bitsupnp\cmickmgr.exe" "C:\Users\Admin\AppData\Local\Temp\949915~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\bitsupnp\cmickmgr.exe" "C:\Users\Admin\AppData\Local\Temp\949915~1.EXE""
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592

C:\Users\Admin\AppData\Roaming\bitsupnp\cmickmgr.exe
"C:\Users\Admin\AppData\Roaming\bitsupnp\cmickmgr.exe" "C:\Users\Admin\AppData\Local\Temp\949915~1.EXE"
5⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2748

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3276\193B.bat
Filesize
112B

MD5
bb9f000363ac2c29e82a92a62b562a97

SHA1
4936738f69c5f711c954ad74b64525bd5574ce05

SHA256
2e6cacd97bded703a44a12b24e9f987d3dcc93e3835567375ea521592931dd08

SHA512
6eb89109fafc416311c0cb4bb05cdca7921c94efca520bae276c922d89f4388ae507e8bcaddc57236a0e7202af340ac1d54df827ee298c2537fee2fc5864d605

Download Submit
C:\Users\Admin\AppData\Roaming\bitsupnp\cmickmgr.exe
Filesize
429KB

MD5
94991507c04f29915d7afeb6a1ce2c0b

SHA1
bb71a4a11a793cd6e4554e6cfa415bc93509599d

SHA256
0369d29e8f8ac8c5408ade862673a5220f39e9f79cf68ad4d0e692c843e3ff9f

SHA512
b1df63faa49c0f5aed4973375e2b70da477126f1b651418be038ba66ddadee7e89cf20db56504e0d8d42a01490cc6312613c72e82056ed1ade4af6693df734b0

Download Submit
memory/1152-30-0x0000000005290000-0x0000000005391000-memory.dmp

Filesize
1.0MB

Download
memory/1152-45-0x0000000005290000-0x0000000005391000-memory.dmp

Filesize
1.0MB

Download
memory/1152-36-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1152-37-0x0000000005290000-0x0000000005391000-memory.dmp

Filesize
1.0MB

Download
memory/1152-40-0x0000000005290000-0x0000000005391000-memory.dmp

Filesize
1.0MB

Download
memory/1152-42-0x0000000005290000-0x0000000005391000-memory.dmp

Filesize
1.0MB

Download
memory/1152-43-0x0000000005290000-0x0000000005391000-memory.dmp

Filesize
1.0MB

Download
memory/1152-39-0x0000000005290000-0x0000000005391000-memory.dmp

Filesize
1.0MB

Download
memory/2612-18-0x0000000000330000-0x0000000000395000-memory.dmp

Filesize
404KB

Download
memory/2612-28-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2612-29-0x0000000000330000-0x0000000000395000-memory.dmp

Filesize
404KB

Download
memory/2748-26-0x0000000000470000-0x0000000000571000-memory.dmp

Filesize
1.0MB

Download
memory/2748-23-0x0000000000470000-0x0000000000571000-memory.dmp

Filesize
1.0MB

Download
memory/2748-22-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2748-21-0x000007FFFFFD7000-0x000007FFFFFD8000-memory.dmp

Filesize
4KB

Download
memory/2748-34-0x0000000000470000-0x0000000000571000-memory.dmp

Filesize
1.0MB

Download
memory/3012-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3012-12-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3012-2-0x00000000004F0000-0x0000000000555000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads