General

  • Target

    852f562812305ad099372109f8e8b189_JaffaCakes118

  • Size

    498KB

  • Sample

    240810-hq6bnatgpe

  • MD5

    852f562812305ad099372109f8e8b189

  • SHA1

    f067c64bfcfc1c7883497618521e53206cfaa6e0

  • SHA256

    ec119c3389f145f2167d10e5cba67042a0cd0db8265537ea72c2c9d078fa2228

  • SHA512

    6649fe89a1647293949459b07752d14f9cd892b124bfdd6e62e3e8875a32ce2f451db85596896b3e62ac767712801119434c8a0d42e66328f9cb2799d3919194

  • SSDEEP

    6144:UmoZkbtQmb25Zh18hqJbDqSB7Lvq2XsjYiVmOf7Yp4jOa9Upx:UmoZkmmCVRtPvq2+d/

Malware Config

Extracted

Family

gozi

Targets

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Server Software Component: Terminal Services DLL

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15