gozi | ad956e1181935dd123ddd1117dd5ea19fcc3aebd5283870584bc48ddf1f1d5dd | Triage

Sharing

General

Target

f5eade965124253a0173e81ea951ad17_JaffaCakes118
Size

460KB
Sample

240925-nnjyjasgpp
MD5

f5eade965124253a0173e81ea951ad17
SHA1

3a3db3cd1421b26233f436f2acfd933897f16a92
SHA256

ad956e1181935dd123ddd1117dd5ea19fcc3aebd5283870584bc48ddf1f1d5dd
SHA512

c1ca316773445c07bceddeb9ebd2fd68e85cd5c70b9bd21118a53bad48cdc1fee0ae873fc6f5008827d9b5ae57c19f5cb291e7fc7b06527c130a67a6b456fd0c
SSDEEP

12288:haEJ8pW9FPNTbWwrrqkBFU+4jdKnBSXVP:/J8+FVTbWwfqkChXV

Score

10^/10

gozi 10030 banker discovery isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

10030

C2

aljscallowjscallowallow.pw

allowjscjscallow.pw

Attributes

build
215801
dga_base_url
z1.zedo.com/robots.txt
dga_crc
0x246640bb
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  f5eade965124253a0173e81ea951ad17_JaffaCakes118
- Size
  
  460KB
- MD5
  
  f5eade965124253a0173e81ea951ad17
- SHA1
  
  3a3db3cd1421b26233f436f2acfd933897f16a92
- SHA256
  
  ad956e1181935dd123ddd1117dd5ea19fcc3aebd5283870584bc48ddf1f1d5dd
- SHA512
  
  c1ca316773445c07bceddeb9ebd2fd68e85cd5c70b9bd21118a53bad48cdc1fee0ae873fc6f5008827d9b5ae57c19f5cb291e7fc7b06527c130a67a6b456fd0c
- SSDEEP
  
  12288:haEJ8pW9FPNTbWwrrqkBFU+4jdKnBSXVP:/J8+FVTbWwfqkChXV
Score

10^/10

gozi 10030 banker discovery isfb persistence trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi10030bankerdiscoveryisfbpersistencetrojan

behavioral2

gozi10030bankerdiscoveryisfbpersistencetrojan