General

  • Target

    1c4ed93e152e93cfecac0871341349c8_JaffaCakes118

  • Size

    300KB

  • Sample

    241007-jl9nysxhmd

  • MD5

    1c4ed93e152e93cfecac0871341349c8

  • SHA1

    4abf656619a854fcfc71074973476af31059a63f

  • SHA256

    d15fb20a7df2aab845ef54a0e45771fcf1ec96365a4e067d3871d299dd3ae628

  • SHA512

    6524390e5cd8968953ebd59cd630ff696e651071d5b7e43f77b1f3c8eb7b10c9c048ff77ce434dc93e47e09447d9328dc4ad295f77dd12abc9092d30f2cc6ca5

  • SSDEEP

    6144:aa+iFt8DQxjQ6oyeKSgb0HAwM/Kv97VNntEjOaBiJuMI/cyhlWr6FOo:aa+iFt8DQxU6NPSpgv/ApGDBiJuMI/3w

Malware Config

Extracted

Family

gozi

Botnet

1100

C2

Attributes

  • build

    214734

  • exe_type

    worker

  • server_id

    110

  • rsa_pubkey.plain

  • serpent.plain

Targets

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15