gozi | ddd342053fc1b2a05e2e541b1a5caa33e2693e40a0a2b1c086e225f284e4a6cc

Analysis

max time kernel
139s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21-07-2024 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61489b8f0c9db0196f6f7bef3a866e12_JaffaCakes118.exe
Size

20KB
MD5

61489b8f0c9db0196f6f7bef3a866e12
SHA1

60c4dd496c44ceb3dfe589c97638e46a7c396f13
SHA256

ddd342053fc1b2a05e2e541b1a5caa33e2693e40a0a2b1c086e225f284e4a6cc
SHA512

5b884e500b629ab2019d10ed6552a7c080bd0595c11259148e3324ab3d342507bf9ca49b3021caa3abf2aeeceb77b6c4e4343320faaac8d931f67c95ca445b32
SSDEEP

384:s1qoism0AbTGmissSGZv/siacUT0gaNJawcudoD7U4WyD5ldZAeKD0:sniRGmGHZXoQnbcuyD7U2DndZAeKD

Score

10^/10

gozi banker isfb trojan upx

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

7927.tmp

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation 7927.tmp
Executes dropped EXE 1 IoCs

Processes:

7927.tmp

pid process

216 7927.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	7927.tmp

pid	process
216	7927.tmp

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1448-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/1448-8-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

61489b8f0c9db0196f6f7bef3a866e12_JaffaCakes118.exe7927.tmp

description	pid	process	target process
PID 1448 wrote to memory of 216	1448	61489b8f0c9db0196f6f7bef3a866e12_JaffaCakes118.exe	7927.tmp
PID 1448 wrote to memory of 216	1448	61489b8f0c9db0196f6f7bef3a866e12_JaffaCakes118.exe	7927.tmp
PID 1448 wrote to memory of 216	1448	61489b8f0c9db0196f6f7bef3a866e12_JaffaCakes118.exe	7927.tmp
PID 216 wrote to memory of 3720	216	7927.tmp	cmd.exe
PID 216 wrote to memory of 3720	216	7927.tmp	cmd.exe
PID 216 wrote to memory of 3720	216	7927.tmp	cmd.exe
PID 216 wrote to memory of 4448	216	7927.tmp	cmd.exe
PID 216 wrote to memory of 4448	216	7927.tmp	cmd.exe
PID 216 wrote to memory of 4448	216	7927.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\61489b8f0c9db0196f6f7bef3a866e12_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\61489b8f0c9db0196f6f7bef3a866e12_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Local\Temp\7927.tmp
C:\Users\Admin\AppData\Local\Temp\7927.tmp C:\Users\Admin\AppData\Local\Temp
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat" "
3⤵
PID:3720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat" "
3⤵
PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7927.tmp

Filesize
13KB

MD5
bc5e88e83744bca66feed188f3bd40c9

SHA1
54b5ca9045f07650639d916adaa571b02d063e9f

SHA256
23ebe2ea93ae58b4ececc492a4cfadf7ebece5024d281bef37831695645496d3

SHA512
cd86bc7fb9c507e14675f1316fe9918108811d6863449d33c5f34e5a6806abce11c1d7943ee895c820e9e7235b873499429e831966c87e4ade2e7bea80d337a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat

Filesize
75B

MD5
a9f2bc5c96cca7f1f83569d6b8b9f84a

SHA1
322b82b1443ae547105fb4878bdeeabb63424926

SHA256
160ff09c793512c13fc0f5afa4a4eb84c5f77dc3ab944c160eec764baeba5452

SHA512
8ce29d3ded06785deba78ce9b0b1f7485b0ef727d3646eae9e8a696c4dd3713fd341358c6bee5f91bf9eae1a0a13f65df0b9a585f325cddccf33be6f4481394d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat

Filesize
104B

MD5
ff2d1cab0d0a5baef355018454998492

SHA1
78f9c734afa9392e5722290efc6bf587b599814c

SHA256
af1c06c15a12194c3ffa0cf053c1208db4a3ab61cb23eb78a96fa97cb137a1bd

SHA512
e6be98ad9bb77de39270817267cc1c2194829514cabc9eb1d368b048ecaff97bb5fc0983aa3198d68ab87cb51876d7f1ae8f22419f407fd2dc22b784600e0d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpfile0.tmp

Filesize
13B

MD5
38de427224a5082a04fe82e2bd4ea9ec

SHA1
7e4a53de1f83762dd2febd39b818e2258bc83bc1

SHA256
12f99f53144294750fe8713d580eda286f4bd95cd9c840db8ab957def8040028

SHA512
ec3f3c324eeaad91ab0efd47b3084493d863f969344fa1ba87ace1974908053d396673b44c33b4dceeef792a74ad9278e06acc27c83459af1153de52f83afcbf

Download Submit
memory/216-5-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/216-17-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1448-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1448-8-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download