gozi | 0369d29e8f8ac8c5408ade862673a5220f39e9f79cf68ad4d0e692c843e3ff9f

General

Target

94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.exe
Size

429KB
MD5

94991507c04f29915d7afeb6a1ce2c0b
SHA1

bb71a4a11a793cd6e4554e6cfa415bc93509599d
SHA256

0369d29e8f8ac8c5408ade862673a5220f39e9f79cf68ad4d0e692c843e3ff9f
SHA512

b1df63faa49c0f5aed4973375e2b70da477126f1b651418be038ba66ddadee7e89cf20db56504e0d8d42a01490cc6312613c72e82056ed1ade4af6693df734b0
SSDEEP

12288:gErZ1tp5Be+DDqzzATxOife+iOANdt8DKxvqcldx/oVIY:gE9x5bXE8oif9U8DKRqEdx/x

Score

10^/10

gozi 10030 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

10030

C2

jscallowallowallowjcli.me

disallowjscuserallow.pw

Attributes

build
215790
dga_base_url
z1.zedo.com/robots.txt
dga_crc
0x246640bb
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.exe

Deletes itself 1 IoCs

Processes:

CIWmnect.exe

pid process

4996 CIWmnect.exe
Executes dropped EXE 1 IoCs

Processes:

CIWmnect.exe

pid process

4996 CIWmnect.exe

pid	process
4996	CIWmnect.exe

pid	process
4996	CIWmnect.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avifApis = "C:\\Users\\Admin\\AppData\\Roaming\\AzSqcatq\\CIWmnect.exe"	94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

CIWmnect.exesvchost.exeExplorer.EXE

description	pid	process	target process
PID 4996 set thread context of 4744	4996	CIWmnect.exe	svchost.exe
PID 4744 set thread context of 3544	4744	svchost.exe	Explorer.EXE
PID 3544 set thread context of 4072	3544	Explorer.EXE	RuntimeBroker.exe
PID 3544 set thread context of 3944	3544	Explorer.EXE	RuntimeBroker.exe
PID 3544 set thread context of 2376	3544	Explorer.EXE	RuntimeBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

Processes:

Explorer.EXERuntimeBroker.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

CIWmnect.exeExplorer.EXE

pid process

4996 CIWmnect.exe
4996 CIWmnect.exe
3544 Explorer.EXE
3544 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

CIWmnect.exesvchost.exeExplorer.EXE

pid process

4996 CIWmnect.exe
4744 svchost.exe
3544 Explorer.EXE
3544 Explorer.EXE
3544 Explorer.EXE

pid	process
4996	CIWmnect.exe
4996	CIWmnect.exe
3544	Explorer.EXE
3544	Explorer.EXE

pid	process
4996	CIWmnect.exe
4744	svchost.exe
3544	Explorer.EXE
3544	Explorer.EXE
3544	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

Explorer.EXERuntimeBroker.exe

description	pid	process
Token: SeShutdownPrivilege	3544	Explorer.EXE
Token: SeCreatePagefilePrivilege	3544	Explorer.EXE
Token: SeShutdownPrivilege	3544	Explorer.EXE
Token: SeCreatePagefilePrivilege	3544	Explorer.EXE
Token: SeShutdownPrivilege	3544	Explorer.EXE
Token: SeCreatePagefilePrivilege	3544	Explorer.EXE
Token: SeShutdownPrivilege	4072	RuntimeBroker.exe
Token: SeShutdownPrivilege	4072	RuntimeBroker.exe
Token: SeShutdownPrivilege	4072	RuntimeBroker.exe
Token: SeShutdownPrivilege	4072	RuntimeBroker.exe
Token: SeShutdownPrivilege	4072	RuntimeBroker.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

3544 Explorer.EXE
3544 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3544 Explorer.EXE

pid	process
3544	Explorer.EXE
3544	Explorer.EXE

pid	process
3544	Explorer.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.execmd.execmd.exeCIWmnect.exesvchost.exeExplorer.EXE

description	pid	process	target process
PID 220 wrote to memory of 1652	220	94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.exe	cmd.exe
PID 220 wrote to memory of 1652	220	94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.exe	cmd.exe
PID 220 wrote to memory of 1652	220	94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.exe	cmd.exe
PID 1652 wrote to memory of 3152	1652	cmd.exe	cmd.exe
PID 1652 wrote to memory of 3152	1652	cmd.exe	cmd.exe
PID 1652 wrote to memory of 3152	1652	cmd.exe	cmd.exe
PID 3152 wrote to memory of 4996	3152	cmd.exe	CIWmnect.exe
PID 3152 wrote to memory of 4996	3152	cmd.exe	CIWmnect.exe
PID 3152 wrote to memory of 4996	3152	cmd.exe	CIWmnect.exe
PID 4996 wrote to memory of 4744	4996	CIWmnect.exe	svchost.exe
PID 4996 wrote to memory of 4744	4996	CIWmnect.exe	svchost.exe
PID 4996 wrote to memory of 4744	4996	CIWmnect.exe	svchost.exe
PID 4996 wrote to memory of 4744	4996	CIWmnect.exe	svchost.exe
PID 4996 wrote to memory of 4744	4996	CIWmnect.exe	svchost.exe
PID 4744 wrote to memory of 3544	4744	svchost.exe	Explorer.EXE
PID 4744 wrote to memory of 3544	4744	svchost.exe	Explorer.EXE
PID 4744 wrote to memory of 3544	4744	svchost.exe	Explorer.EXE
PID 3544 wrote to memory of 4072	3544	Explorer.EXE	RuntimeBroker.exe
PID 3544 wrote to memory of 4072	3544	Explorer.EXE	RuntimeBroker.exe
PID 3544 wrote to memory of 4072	3544	Explorer.EXE	RuntimeBroker.exe
PID 3544 wrote to memory of 3944	3544	Explorer.EXE	RuntimeBroker.exe
PID 3544 wrote to memory of 3944	3544	Explorer.EXE	RuntimeBroker.exe
PID 3544 wrote to memory of 3944	3544	Explorer.EXE	RuntimeBroker.exe
PID 3544 wrote to memory of 2376	3544	Explorer.EXE	RuntimeBroker.exe
PID 3544 wrote to memory of 2376	3544	Explorer.EXE	RuntimeBroker.exe
PID 3544 wrote to memory of 2376	3544	Explorer.EXE	RuntimeBroker.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3544

C:\Users\Admin\AppData\Local\Temp\94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\94991507c04f29915d7afeb6a1ce2c0b_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A568\52B4.bat" "C:\Users\Admin\AppData\Roaming\AzSqcatq\CIWmnect.exe" "C:\Users\Admin\AppData\Local\Temp\949915~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\AzSqcatq\CIWmnect.exe" "C:\Users\Admin\AppData\Local\Temp\949915~1.EXE""
4⤵
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Roaming\AzSqcatq\CIWmnect.exe
"C:\Users\Admin\AppData\Roaming\AzSqcatq\CIWmnect.exe" "C:\Users\Admin\AppData\Local\Temp\949915~1.EXE"
5⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3944

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2376

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A568\52B4.bat
Filesize
112B

MD5
b4ee0cae2366e3712a2622e1bbb02ef8

SHA1
d507818784556f3b871e109c494d58dfa9a9ba23

SHA256
7123d3dcbddd54c0b0c9725169be50f91b776a2ea7dda3bd3e73c325cd561f8d

SHA512
d0975586ae21f54e9e271f74f9eef51f2ffb44498dd157dddd2622b123f932c8636e354679c9dcdc812ce578ab0bd3ba7a6de390442373592f87cb52deee2dc7

Download Submit
C:\Users\Admin\AppData\Roaming\AzSqcatq\CIWmnect.exe
Filesize
429KB

MD5
94991507c04f29915d7afeb6a1ce2c0b

SHA1
bb71a4a11a793cd6e4554e6cfa415bc93509599d

SHA256
0369d29e8f8ac8c5408ade862673a5220f39e9f79cf68ad4d0e692c843e3ff9f

SHA512
b1df63faa49c0f5aed4973375e2b70da477126f1b651418be038ba66ddadee7e89cf20db56504e0d8d42a01490cc6312613c72e82056ed1ade4af6693df734b0

Download Submit
memory/220-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/220-2-0x0000000000990000-0x00000000009F5000-memory.dmp

Filesize
404KB

Download
memory/220-7-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2376-52-0x0000024FD65F0000-0x0000024FD66F1000-memory.dmp

Filesize
1.0MB

Download
memory/2376-56-0x0000024FD65F0000-0x0000024FD66F1000-memory.dmp

Filesize
1.0MB

Download
memory/3544-50-0x0000000008F60000-0x0000000009061000-memory.dmp

Filesize
1.0MB

Download
memory/3544-48-0x0000000008F60000-0x0000000009061000-memory.dmp

Filesize
1.0MB

Download
memory/3544-49-0x0000000008F60000-0x0000000009061000-memory.dmp

Filesize
1.0MB

Download
memory/3544-32-0x0000000008F60000-0x0000000009061000-memory.dmp

Filesize
1.0MB

Download
memory/3544-31-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/3544-23-0x0000000008F60000-0x0000000009061000-memory.dmp

Filesize
1.0MB

Download
memory/3544-57-0x0000000008F60000-0x0000000009061000-memory.dmp

Filesize
1.0MB

Download
memory/3544-51-0x0000000008F60000-0x0000000009061000-memory.dmp

Filesize
1.0MB

Download
memory/3944-46-0x00000201F6A30000-0x00000201F6B31000-memory.dmp

Filesize
1.0MB

Download
memory/3944-45-0x00000201F69F0000-0x00000201F69F1000-memory.dmp

Filesize
4KB

Download
memory/3944-58-0x00000201F6A30000-0x00000201F6B31000-memory.dmp

Filesize
1.0MB

Download
memory/3944-41-0x00000201F6A30000-0x00000201F6B31000-memory.dmp

Filesize
1.0MB

Download
memory/3944-47-0x00000201F6A30000-0x00000201F6B31000-memory.dmp

Filesize
1.0MB

Download
memory/4072-34-0x00000259AFE30000-0x00000259AFF31000-memory.dmp

Filesize
1.0MB

Download
memory/4072-39-0x00000259AFBF0000-0x00000259AFBF1000-memory.dmp

Filesize
4KB

Download
memory/4072-40-0x00000259AFE30000-0x00000259AFF31000-memory.dmp

Filesize
1.0MB

Download
memory/4072-38-0x00000259AFE30000-0x00000259AFF31000-memory.dmp

Filesize
1.0MB

Download
memory/4744-24-0x0000000000C00000-0x0000000000D01000-memory.dmp

Filesize
1.0MB

Download
memory/4744-21-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/4744-22-0x0000000000C00000-0x0000000000D01000-memory.dmp

Filesize
1.0MB

Download
memory/4744-16-0x0000000000C00000-0x0000000000D01000-memory.dmp

Filesize
1.0MB

Download
memory/4996-20-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4996-12-0x0000000000990000-0x00000000009F5000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads