gozi | 93b1135cdbed6e1bf1269248d28e5a5f74fb5cb234c6385b56d025839bada289

General

Target

72d70e94e54ba232ba3f798699669990_JaffaCakes118.exe
Size

446KB
MD5

72d70e94e54ba232ba3f798699669990
SHA1

16f257adf89a56a93a6be45bf470a71d4d570d26
SHA256

93b1135cdbed6e1bf1269248d28e5a5f74fb5cb234c6385b56d025839bada289
SHA512

e024605c3469c27d470dc2cdb17bdef55507c80feb81969531277f96083d96511ab4e14d16f61f1723e0a97a69f6c201cfb34ac3584da8ba415e5f05582a139d
SSDEEP

12288:rFQyFgwMQsXS3NG5ddoM4YQYgDhgvMph5O0ZcQ:rSyFgTQ9NydHQ3evs15

Score

10^/10

gozi 3000 banker discovery evasion isfb persistence ransomware trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

3000

C2

unikymprogress.ru

Attributes

build
214664
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\ddraitor\dmlomapi.exe = "0"	72d70e94e54ba232ba3f798699669990_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

pid	Process
2448	dmlomapi.exe

Executes dropped EXE 1 IoCs

pid	Process
2448	dmlomapi.exe

Loads dropped DLL 1 IoCs

pid	Process
1980	cmd.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\ddraitor\dmlomapi.exe = "0"	72d70e94e54ba232ba3f798699669990_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\coloes = "C:\\Users\\Admin\\AppData\\Roaming\\ddraitor\\dmlomapi.exe"	72d70e94e54ba232ba3f798699669990_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DEC0.bin"	dmlomapi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	dmlomapi.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2448 set thread context of 2156	2448	dmlomapi.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72d70e94e54ba232ba3f798699669990_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dmlomapi.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2448	dmlomapi.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2156	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2448	dmlomapi.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2044	72d70e94e54ba232ba3f798699669990_JaffaCakes118.exe
Token: SeShutdownPrivilege	2156	explorer.exe
Token: SeShutdownPrivilege	2156	explorer.exe
Token: SeShutdownPrivilege	2156	explorer.exe
Token: SeShutdownPrivilege	2156	explorer.exe
Token: SeShutdownPrivilege	2156	explorer.exe
Token: SeShutdownPrivilege	2156	explorer.exe
Token: SeShutdownPrivilege	2156	explorer.exe
Token: SeShutdownPrivilege	2156	explorer.exe
Token: SeShutdownPrivilege	2156	explorer.exe
Token: SeShutdownPrivilege	2156	explorer.exe
Token: SeShutdownPrivilege	2156	explorer.exe
Token: SeShutdownPrivilege	2156	explorer.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe

Suspicious use of SendNotifyMessage 19 IoCs

pid	Process
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2156	explorer.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1560	2044	72d70e94e54ba232ba3f798699669990_JaffaCakes118.exe	30
PID 2044 wrote to memory of 1560	2044	72d70e94e54ba232ba3f798699669990_JaffaCakes118.exe	30
PID 2044 wrote to memory of 1560	2044	72d70e94e54ba232ba3f798699669990_JaffaCakes118.exe	30
PID 2044 wrote to memory of 1560	2044	72d70e94e54ba232ba3f798699669990_JaffaCakes118.exe	30
PID 1560 wrote to memory of 1980	1560	cmd.exe	32
PID 1560 wrote to memory of 1980	1560	cmd.exe	32
PID 1560 wrote to memory of 1980	1560	cmd.exe	32
PID 1560 wrote to memory of 1980	1560	cmd.exe	32
PID 1980 wrote to memory of 2448	1980	cmd.exe	33
PID 1980 wrote to memory of 2448	1980	cmd.exe	33
PID 1980 wrote to memory of 2448	1980	cmd.exe	33
PID 1980 wrote to memory of 2448	1980	cmd.exe	33
PID 2448 wrote to memory of 2156	2448	dmlomapi.exe	34
PID 2448 wrote to memory of 2156	2448	dmlomapi.exe	34
PID 2448 wrote to memory of 2156	2448	dmlomapi.exe	34
PID 2448 wrote to memory of 2156	2448	dmlomapi.exe	34
PID 2448 wrote to memory of 2156	2448	dmlomapi.exe	34
PID 2448 wrote to memory of 2156	2448	dmlomapi.exe	34
PID 2448 wrote to memory of 2156	2448	dmlomapi.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\72d70e94e54ba232ba3f798699669990_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\72d70e94e54ba232ba3f798699669990_JaffaCakes118.exe"
1⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\F5B2\F139.bat" "C:\Users\Admin\AppData\Roaming\ddraitor\dmlomapi.exe" "C:\Users\Admin\AppData\Local\Temp\72D70E~1.EXE""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C ""C:\Users\Admin\AppData\Roaming\ddraitor\dmlomapi.exe" "C:\Users\Admin\AppData\Local\Temp\72D70E~1.EXE""
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Users\Admin\AppData\Roaming\ddraitor\dmlomapi.exe
      "C:\Users\Admin\AppData\Roaming\ddraitor\dmlomapi.exe" "C:\Users\Admin\AppData\Local\Temp\72D70E~1.EXE"
      4⤵
      Deletes itself
      Executes dropped EXE
      Sets desktop wallpaper using registry
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2448
    - - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEC0.bin

Filesize
3.5MB

MD5
5a4c3c4a68b05cd5d4bbdf90b8607c42

SHA1
71a38e7d31bf80cb31fb3b86347e41543dccbc8e

SHA256
acbe4d9ec47780a4c64797d84547d86692f366a6b81e02c8721fbf79852f35cc

SHA512
a00b8325adc0c375d0e085fbc4829f4c6b5ab65b5402f2d7ff1a9cf4532afc9766c89c93ec7895862073cf59870227d79d56baee74851e2ac0d50f0a35b15a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5B2\F139.bat

Filesize
112B

MD5
dbf341e99dc4bd5294167d953a8f6764

SHA1
0dd048e2855c5c319311d97e455b0a5159693a95

SHA256
b6dbdd72550db07234426a8f9e94c179fa15e44a5d351e2e8855853111d13986

SHA512
df72dc2dd76a77d4ca9951800ef6cd495f96af438544d48319b6c6d355517b0692045ecb5209c1634fdb886c034efb81ecb59f8ab2d9afb025d738135875fefd

Download Submit
\Users\Admin\AppData\Roaming\ddraitor\dmlomapi.exe

Filesize
446KB

MD5
72d70e94e54ba232ba3f798699669990

SHA1
16f257adf89a56a93a6be45bf470a71d4d570d26

SHA256
93b1135cdbed6e1bf1269248d28e5a5f74fb5cb234c6385b56d025839bada289

SHA512
e024605c3469c27d470dc2cdb17bdef55507c80feb81969531277f96083d96511ab4e14d16f61f1723e0a97a69f6c201cfb34ac3584da8ba415e5f05582a139d

Download Submit
memory/2044-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2044-1-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2044-12-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2044-11-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2156-28-0x0000000001B00000-0x0000000001B8F000-memory.dmp

Filesize
572KB

Download
memory/2156-36-0x0000000001B00000-0x0000000001B8F000-memory.dmp

Filesize
572KB

Download
memory/2156-23-0x0000000001B00000-0x0000000001B8F000-memory.dmp

Filesize
572KB

Download
memory/2156-43-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/2156-29-0x0000000001B00000-0x0000000001B8F000-memory.dmp

Filesize
572KB

Download
memory/2156-31-0x0000000001B00000-0x0000000001B8F000-memory.dmp

Filesize
572KB

Download
memory/2156-30-0x0000000001B00000-0x0000000001B8F000-memory.dmp

Filesize
572KB

Download
memory/2156-42-0x0000000001B00000-0x0000000001B8F000-memory.dmp

Filesize
572KB

Download
memory/2156-41-0x0000000001B00000-0x0000000001B8F000-memory.dmp

Filesize
572KB

Download
memory/2156-34-0x0000000001B00000-0x0000000001B8F000-memory.dmp

Filesize
572KB

Download
memory/2156-22-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/2448-33-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2448-17-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2448-18-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads