gozi

General

Target

ea95ba8f4901f76942bf4f3d6741d51c_JaffaCakes118
Size

44KB
Sample

240919-e3wffa1clh
MD5

ea95ba8f4901f76942bf4f3d6741d51c
SHA1

5562e6fd62d403aa86b0c4ba338f10045765d05d
SHA256

1d6326bb9856509e77e5e562d6e3a67175027d8ae6421ed9fc9958cd995d1bae
SHA512

bfd359f8eeb02f856f16c54f19c248bbfdd16c3b7b810fa9c321d170c97c6a9d00eedc57b783b342d14eeb7be798beabcda1a1bce52e55301e9758a811117d79
SSDEEP

768:5AfL1G0aJa4NqFRmPGCSwlqxge34WaS4s7vSy4Nio6XHtLc++Art:5AfL1Gk4y9CSwkgYGSPGfAowtLcX4t

Score

10^/10

Malware Config

Extracted

Family

gozi

Attributes

build
217061

Extracted

Family

gozi

Botnet

1000

C2

intro.tir001.at/rpc

doa.quappak.at/rpc

api.siperskon.at/rpc

io.tir001.at/rpc

ytruieowphf.bit/rpc

u2.ceelop.at/rpc

enter.nokartoon.at/rpc

api.nwq2000.at/rpc

cd.iqwoker.at/rpc

api.fin150.at/rpc

chat.loop1000.at/rpc

chat.iqwoker.at/rpc

mahono.cn/rpc

Attributes

build
217061
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
dns_servers
192.71.245.208

8.8.8.8

178.17.170.179

82.196.9.45

151.80.222.79

68.183.70.217

217.144.135.7

158.69.160.164

207.148.83.241

5.189.170.196

217.144.132.148

94.247.43.254

188.165.200.156

159.89.249.249

150.249.149.222
exe_type
loader
server_id
150

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  ea95ba8f4901f76942bf4f3d6741d51c_JaffaCakes118
- Size
  
  44KB
- MD5
  
  ea95ba8f4901f76942bf4f3d6741d51c
- SHA1
  
  5562e6fd62d403aa86b0c4ba338f10045765d05d
- SHA256
  
  1d6326bb9856509e77e5e562d6e3a67175027d8ae6421ed9fc9958cd995d1bae
- SHA512
  
  bfd359f8eeb02f856f16c54f19c248bbfdd16c3b7b810fa9c321d170c97c6a9d00eedc57b783b342d14eeb7be798beabcda1a1bce52e55301e9758a811117d79
- SSDEEP
  
  768:5AfL1G0aJa4NqFRmPGCSwlqxge34WaS4s7vSy4Nio6XHtLc++Art:5AfL1Gk4y9CSwkgYGSPGfAowtLcX4t
Score

10^/10

gozi 1000 banker discovery isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Unexpected DNS network traffic destination

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2