gozi | 176d02977470034934512a168c058e3cfd7c5bbe972a81de7e6344ef8793f2b0

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd093f1f60c7c41bc1269520d573978b_JaffaCakes118.exe
Size

9KB
MD5

dd093f1f60c7c41bc1269520d573978b
SHA1

77875d454160d210d3141e42ea0451a977b2de34
SHA256

176d02977470034934512a168c058e3cfd7c5bbe972a81de7e6344ef8793f2b0
SHA512

f7db86fe31dad316c9a7cacd62c27612524fcdecda4b7552fcd373a722de81a5042d19e422b7cb5d3908278cf154dcde147cf5ef31a04bf4cfd6e7e4b4f80c94
SSDEEP

192:hZKB1E1MUtqavIdGkrDV++YQ9FaNJhLkwcud2DH9VwGfct8WF/3I:ho1E1MUtqHdzDwQLaNJawcudoD7U/F/Y

Score

10^/10

gozi banker discovery isfb trojan upx

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Executes dropped EXE 1 IoCs

pid	Process
2828	b2e.exe

Loads dropped DLL 2 IoCs

pid	Process
2720	dd093f1f60c7c41bc1269520d573978b_JaffaCakes118.exe
2720	dd093f1f60c7c41bc1269520d573978b_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2720-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2720-13-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd093f1f60c7c41bc1269520d573978b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2828	2720	dd093f1f60c7c41bc1269520d573978b_JaffaCakes118.exe	30
PID 2720 wrote to memory of 2828	2720	dd093f1f60c7c41bc1269520d573978b_JaffaCakes118.exe	30
PID 2720 wrote to memory of 2828	2720	dd093f1f60c7c41bc1269520d573978b_JaffaCakes118.exe	30
PID 2720 wrote to memory of 2828	2720	dd093f1f60c7c41bc1269520d573978b_JaffaCakes118.exe	30
PID 2828 wrote to memory of 2812	2828	b2e.exe	31
PID 2828 wrote to memory of 2812	2828	b2e.exe	31
PID 2828 wrote to memory of 2812	2828	b2e.exe	31
PID 2828 wrote to memory of 2812	2828	b2e.exe	31

C:\Users\Admin\AppData\Local\Temp\dd093f1f60c7c41bc1269520d573978b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dd093f1f60c7c41bc1269520d573978b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\AppData\Local\Temp\2646.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\2646.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\2646.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\dd093f1f60c7c41bc1269520d573978b_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\26B3.tmp\batchfile.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\26B3.tmp\batchfile.bat

Filesize
2KB

MD5
1987e75d78b81e993191e33471a1bf65

SHA1
f023bac3e869953e0a8f78eecbd66a9e331e1f75

SHA256
239418fdff34d469f7c7e4bfca37575af889edec76cf0d506616ecfc63243b6b

SHA512
7e21ce5bfc1ce565d4db9d4236401dd800571bffba2f71cc1c76ab4485b2fdb98774ee4dbce8142da39edcef1e5fa860c30672e1057717db6b9c63bfe9460030

Download Submit
\Users\Admin\AppData\Local\Temp\2646.tmp\b2e.exe

Filesize
10KB

MD5
c470392f7aee32c5b054c055a9944699

SHA1
2d9d6c1565f6008cd20f64f7a92c2ea72d5714b4

SHA256
b686f257c024d1cb437cca886df536a06c10d203fdc2f011f6bddb569201cc45

SHA512
0c7a4fcea7e492368bef674bc9d953182dbbe497dc48430951fb3ae52000090e9f3921feadfd86eded5bd9f07652f147d7eec41b81925ac2ccc40c05cdc6598d

Download Submit
memory/2720-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2720-5-0x0000000000250000-0x0000000000255000-memory.dmp

Filesize
20KB

Download
memory/2720-7-0x0000000000250000-0x0000000000255000-memory.dmp

Filesize
20KB

Download
memory/2720-13-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2828-14-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2828-31-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download