General
-
Target
f5aaa6259e6b36a2b67adf0ea0f99972_JaffaCakes118
-
Size
150KB
-
Sample
240925-k25wdaxajq
-
MD5
f5aaa6259e6b36a2b67adf0ea0f99972
-
SHA1
9b9f10c31ba0f5079e8e61217ea468155048296d
-
SHA256
1bf87f22ce1c0caecf66acab44cecb6d30202e0eca5f2e940990443ec80ffadb
-
SHA512
b37232796895c9e3146c5160fed59edec5e24aed860e10712b6ea7cc287cf978b6a50417ecf704ed8cd58699ab3e04c0e7170ced30b44f0e66c1e12f538b2e1b
-
SSDEEP
3072:Mf/GIpqpeR32zALJ6T+UKonkuABQC2vr36ndNgV:c/G0yeYULglRzAl2vonA
Malware Config
Extracted
gozi
1000
g2.ex100p.at/webstore
beetfeetlife.bit/webstore
in.termas.at/webstore
ax.ikobut.at/webstore
sm.dvloop.at/webstore
extra.avareg.cn/webstore
api.ex100p.at/webstore
foo.avaregio.at/webstore
op.basedok.at/webstore
f1.cnboal.at/webstore
xxx.lapoder.at/webstore
core.cnboal.at/webstore
pop.muongo.at/webstore
-
build
217061
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
0x4eb7d2ca
-
dga_season
10
-
dga_tlds
com
ru
org
-
dns_servers
192.71.245.208
8.8.8.8
178.17.170.179
82.196.9.45
151.80.222.79
68.183.70.217
217.144.135.7
158.69.160.164
207.148.83.241
5.189.170.196
217.144.132.148
94.247.43.254
188.165.200.156
159.89.249.249
150.249.149.222
-
exe_type
loader
-
server_id
550
Targets
-
-
Target
f5aaa6259e6b36a2b67adf0ea0f99972_JaffaCakes118
-
Size
150KB
-
MD5
f5aaa6259e6b36a2b67adf0ea0f99972
-
SHA1
9b9f10c31ba0f5079e8e61217ea468155048296d
-
SHA256
1bf87f22ce1c0caecf66acab44cecb6d30202e0eca5f2e940990443ec80ffadb
-
SHA512
b37232796895c9e3146c5160fed59edec5e24aed860e10712b6ea7cc287cf978b6a50417ecf704ed8cd58699ab3e04c0e7170ced30b44f0e66c1e12f538b2e1b
-
SSDEEP
3072:Mf/GIpqpeR32zALJ6T+UKonkuABQC2vr36ndNgV:c/G0yeYULglRzAl2vonA
Score10/10-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-