gozi | ddd342053fc1b2a05e2e541b1a5caa33e2693e40a0a2b1c086e225f284e4a6cc

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21-07-2024 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61489b8f0c9db0196f6f7bef3a866e12_JaffaCakes118.exe
Size

20KB
MD5

61489b8f0c9db0196f6f7bef3a866e12
SHA1

60c4dd496c44ceb3dfe589c97638e46a7c396f13
SHA256

ddd342053fc1b2a05e2e541b1a5caa33e2693e40a0a2b1c086e225f284e4a6cc
SHA512

5b884e500b629ab2019d10ed6552a7c080bd0595c11259148e3324ab3d342507bf9ca49b3021caa3abf2aeeceb77b6c4e4343320faaac8d931f67c95ca445b32
SSDEEP

384:s1qoism0AbTGmissSGZv/siacUT0gaNJawcudoD7U4WyD5ldZAeKD0:sniRGmGHZXoQnbcuyD7U2DndZAeKD

Score

10^/10

gozi banker isfb trojan upx

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Executes dropped EXE 1 IoCs

Processes:

2452.tmp

pid process

2952 2452.tmp
Loads dropped DLL 2 IoCs

Processes:

61489b8f0c9db0196f6f7bef3a866e12_JaffaCakes118.exe

pid process

2356 61489b8f0c9db0196f6f7bef3a866e12_JaffaCakes118.exe
2356 61489b8f0c9db0196f6f7bef3a866e12_JaffaCakes118.exe

pid	process
2952	2452.tmp

pid	process
2356	61489b8f0c9db0196f6f7bef3a866e12_JaffaCakes118.exe
2356	61489b8f0c9db0196f6f7bef3a866e12_JaffaCakes118.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2356-1-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

61489b8f0c9db0196f6f7bef3a866e12_JaffaCakes118.exe2452.tmp

description	pid	process	target process
PID 2356 wrote to memory of 2952	2356	61489b8f0c9db0196f6f7bef3a866e12_JaffaCakes118.exe	2452.tmp
PID 2356 wrote to memory of 2952	2356	61489b8f0c9db0196f6f7bef3a866e12_JaffaCakes118.exe	2452.tmp
PID 2356 wrote to memory of 2952	2356	61489b8f0c9db0196f6f7bef3a866e12_JaffaCakes118.exe	2452.tmp
PID 2356 wrote to memory of 2952	2356	61489b8f0c9db0196f6f7bef3a866e12_JaffaCakes118.exe	2452.tmp
PID 2952 wrote to memory of 2032	2952	2452.tmp	cmd.exe
PID 2952 wrote to memory of 2032	2952	2452.tmp	cmd.exe
PID 2952 wrote to memory of 2032	2952	2452.tmp	cmd.exe
PID 2952 wrote to memory of 2032	2952	2452.tmp	cmd.exe
PID 2952 wrote to memory of 2648	2952	2452.tmp	cmd.exe
PID 2952 wrote to memory of 2648	2952	2452.tmp	cmd.exe
PID 2952 wrote to memory of 2648	2952	2452.tmp	cmd.exe
PID 2952 wrote to memory of 2648	2952	2452.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\61489b8f0c9db0196f6f7bef3a866e12_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\61489b8f0c9db0196f6f7bef3a866e12_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356

C:\Users\Admin\AppData\Local\Temp\2452.tmp
C:\Users\Admin\AppData\Local\Temp\2452.tmp C:\Users\Admin\AppData\Local\Temp
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat" "
3⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat" "
3⤵
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat

Filesize
75B

MD5
a9f2bc5c96cca7f1f83569d6b8b9f84a

SHA1
322b82b1443ae547105fb4878bdeeabb63424926

SHA256
160ff09c793512c13fc0f5afa4a4eb84c5f77dc3ab944c160eec764baeba5452

SHA512
8ce29d3ded06785deba78ce9b0b1f7485b0ef727d3646eae9e8a696c4dd3713fd341358c6bee5f91bf9eae1a0a13f65df0b9a585f325cddccf33be6f4481394d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat

Filesize
104B

MD5
fb00f3b8751c172c30b9f6cd92ba67e2

SHA1
8bcfb778d455339ad5025f7a3528cf3c469e338d

SHA256
6f1cbfc12039af73253b754a99a176fa729e25b137c1ca54cc683776a45bbca0

SHA512
d892a4ed6497776910f114dec40da44ef740f18f3081a74f15c9b43c191d18c87be8914440f9fda0dcc93a5c018dcbb00f08f6c7f6d7f20567bf99fc55a370ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpfile0.tmp

Filesize
13B

MD5
38de427224a5082a04fe82e2bd4ea9ec

SHA1
7e4a53de1f83762dd2febd39b818e2258bc83bc1

SHA256
12f99f53144294750fe8713d580eda286f4bd95cd9c840db8ab957def8040028

SHA512
ec3f3c324eeaad91ab0efd47b3084493d863f969344fa1ba87ace1974908053d396673b44c33b4dceeef792a74ad9278e06acc27c83459af1153de52f83afcbf

Download Submit
\Users\Admin\AppData\Local\Temp\2452.tmp

Filesize
13KB

MD5
bc5e88e83744bca66feed188f3bd40c9

SHA1
54b5ca9045f07650639d916adaa571b02d063e9f

SHA256
23ebe2ea93ae58b4ececc492a4cfadf7ebece5024d281bef37831695645496d3

SHA512
cd86bc7fb9c507e14675f1316fe9918108811d6863449d33c5f34e5a6806abce11c1d7943ee895c820e9e7235b873499429e831966c87e4ade2e7bea80d337a2

Download Submit
memory/2356-1-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2356-10-0x0000000000160000-0x0000000000167000-memory.dmp

Filesize
28KB

Download
memory/2356-9-0x0000000000160000-0x0000000000167000-memory.dmp

Filesize
28KB

Download
memory/2952-11-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2952-34-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download