General
-
Target
8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118
-
Size
8.1MB
-
Sample
241103-jptrxayldx
-
MD5
8a60f22c8d18cdfbfe84b56a7aaa49da
-
SHA1
7c8b05826c4f7c65fab370eaf141f54651f3907c
-
SHA256
f8edc9e3b84fc1a98f70b9bf3b68f86baed4e04b7daf7b70d1ac5820d6ba11e1
-
SHA512
50539e668c1a0c2214ef77f5abcb6e3d1bc59555962a46e6d3fa271fbed0724c4673fd3c9210634aae7754cb9049d5431930e7cc0952a9fe3a8d82a8fa1de825
-
SSDEEP
196608:LCK8Iwvgsb87DwQiiFFL4an2L/dfXaI+fVcZ:O93Stl4LL/ZaI
Malware Config
Extracted
gozi
Targets
-
-
Target
8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118
-
Size
8.1MB
-
MD5
8a60f22c8d18cdfbfe84b56a7aaa49da
-
SHA1
7c8b05826c4f7c65fab370eaf141f54651f3907c
-
SHA256
f8edc9e3b84fc1a98f70b9bf3b68f86baed4e04b7daf7b70d1ac5820d6ba11e1
-
SHA512
50539e668c1a0c2214ef77f5abcb6e3d1bc59555962a46e6d3fa271fbed0724c4673fd3c9210634aae7754cb9049d5431930e7cc0952a9fe3a8d82a8fa1de825
-
SSDEEP
196608:LCK8Iwvgsb87DwQiiFFL4an2L/dfXaI+fVcZ:O93Stl4LL/ZaI
Score10/10-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Gozi family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1