gozi | 009e31bc001d2d96414e6305ba4127ba8d76a108c2b0b594e464458a5e79b49c | Triage

Sharing

General

Target

dceda648174b63e9377137dec9b231ba_JaffaCakes118
Size

249KB
Sample

240912-yfjmxa1erb
MD5

dceda648174b63e9377137dec9b231ba
SHA1

c99edbb499a562bc430acac5f656b12d3513ef22
SHA256

009e31bc001d2d96414e6305ba4127ba8d76a108c2b0b594e464458a5e79b49c
SHA512

e50454da7c30825f4130832fde0806cdcf4bee39f429af71f0b710a96a527f83ad2810093e078fe1861bc757b3f691f474047b345cc87af90883a21e9cf1a108
SSDEEP

3072:gqK4Lh/ArAHP6o5hO2GYcuYiX53BV27GUnRbhicwhTEiKHCQ0AkKsoj3mQG45adD:7tNdHPhO2OuYy8RbhildQ1Psojnb

Score

10^/10

gozi 1000 banker discovery isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

goliathuz.com

musicvideoporntip3s.ru

Attributes

exe_type
worker

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  dceda648174b63e9377137dec9b231ba_JaffaCakes118
- Size
  
  249KB
- MD5
  
  dceda648174b63e9377137dec9b231ba
- SHA1
  
  c99edbb499a562bc430acac5f656b12d3513ef22
- SHA256
  
  009e31bc001d2d96414e6305ba4127ba8d76a108c2b0b594e464458a5e79b49c
- SHA512
  
  e50454da7c30825f4130832fde0806cdcf4bee39f429af71f0b710a96a527f83ad2810093e078fe1861bc757b3f691f474047b345cc87af90883a21e9cf1a108
- SSDEEP
  
  3072:gqK4Lh/ArAHP6o5hO2GYcuYiX53BV27GUnRbhicwhTEiKHCQ0AkKsoj3mQG45adD:7tNdHPhO2OuYy8RbhildQ1Psojnb
Score

10^/10

gozi 1000 banker discovery isfb persistence trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi1000bankerdiscoveryisfbpersistencetrojan

behavioral2

gozi1000bankerdiscoveryisfbpersistencetrojan