Extracted

• • Target

    31f484466c41c311dd702cdfb3aea4a3_JaffaCakes118

  • Size

    901KB

  • MD5

    31f484466c41c311dd702cdfb3aea4a3

  • SHA1

    b314c0da69f04ab703468b88793deb59926a73fd

  • SHA256

    76e65fd36bc77975bbfd5d6e74052cca917b26c79fb7370f9023fead0face8cf

  • SHA512

    cd1af53676335a2c6681c52713dad5fd2d70a4ffa400f01fadb3205c3e3866fcf436cb1bf3fd6451e11c2baae122a5a952805e100d02e8a566989728a248c036

  • SSDEEP

    24576:xPHlaDA8TUmS+IUQbZflGuLmM1s8qaSRflM1Jb9:xflutIiQrKMFqnRflW

  Score

  10^/10

  gozibankerbootkitdiscoveryevasionisfbpersistencetrojan

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Checks whether UAC is enabled

    evasiontrojan

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2