gozi | cb215014f6bf97e1e48c57964e2f66b26f5aa24dc91760c06618a74b1feee118 | Triage

Submit
Reports

Overview

overview

Static

static

5

f99497128b...18.exe

windows7-x64

f99497128b...18.exe

windows10-2004-x64

Sharing

General

Target

f99497128b2306c71806f8290cdcd0b3_JaffaCakes118
Size

14KB
Sample

240927-deyefs1hqn
MD5

f99497128b2306c71806f8290cdcd0b3
SHA1

e2ac260d6329fc4f20c343aca73023de88a523e0
SHA256

cb215014f6bf97e1e48c57964e2f66b26f5aa24dc91760c06618a74b1feee118
SHA512

67f1dcbfb7091d0ab7b55812241d909b6c1ea4b50698fe6b789b5df99f9cd0aa193e167c36cb6e7013c13b74b69c8d37117d68cea4e88802a2e6c4d0c80a762c
SSDEEP

192:zawE9e6BACdbQstv7U8vAzN7aVD1xWdj7cEhvM5I21PN1PYIm4bT6aImYpTMmP2:zd/wbp8z4Kd/cEhvMfaIhqoCTJAzM

Score

10^/10

gozi banker discovery isfb persistence privilege_escalation trojan upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

f99497128b2306c71806f8290cdcd0b3_JaffaCakes118.exe

Resource

win7-20240903-en

gozi banker discovery isfb persistence privilege_escalation trojan upx

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

f99497128b2306c71806f8290cdcd0b3_JaffaCakes118.exe

Resource

win10v2004-20240802-en

gozi banker discovery isfb persistence privilege_escalation trojan upx

windows10-2004-x64

7 signatures

150 seconds

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  f99497128b2306c71806f8290cdcd0b3_JaffaCakes118
- Size
  
  14KB
- MD5
  
  f99497128b2306c71806f8290cdcd0b3
- SHA1
  
  e2ac260d6329fc4f20c343aca73023de88a523e0
- SHA256
  
  cb215014f6bf97e1e48c57964e2f66b26f5aa24dc91760c06618a74b1feee118
- SHA512
  
  67f1dcbfb7091d0ab7b55812241d909b6c1ea4b50698fe6b789b5df99f9cd0aa193e167c36cb6e7013c13b74b69c8d37117d68cea4e88802a2e6c4d0c80a762c
- SSDEEP
  
  192:zawE9e6BACdbQstv7U8vAzN7aVD1xWdj7cEhvM5I21PN1PYIm4bT6aImYpTMmP2:zd/wbp8z4Kd/cEhvMfaIhqoCTJAzM
Score

10^/10

gozi banker discovery isfb persistence privilege_escalation trojan upx
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Event Triggered Execution: AppInit DLLs
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
  persistence privilege_escalation
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

AppInit DLLs

Privilege Escalation

Event Triggered Execution

AppInit DLLs

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozibankerdiscoveryisfbpersistenceprivilege_escalationtrojanupx

behavioral2

gozibankerdiscoveryisfbpersistenceprivilege_escalationtrojanupx

© 2018-2025

Terms | Privacy