gozi | 26b61a616d9ff0fc7e76c5c5d5058b6a05eec82c16b8206b0a3f057e82e23e71 | Triage

Sharing

General

Target

8b6c087ce23acbe5540e2e799e215010_JaffaCakes118
Size

346KB
Sample

241103-pc26eatgnl
MD5

8b6c087ce23acbe5540e2e799e215010
SHA1

6f4d9a8e3fb4dcc9e71ac88a2042f86873ba9593
SHA256

26b61a616d9ff0fc7e76c5c5d5058b6a05eec82c16b8206b0a3f057e82e23e71
SHA512

31a76bf4230f2683d768917c172a12f898f309cef4dae9087aecf6f70b66a32c6de2b79c66564db0661901306d0cef029446be0f337479a756d9ff656512228d
SSDEEP

6144:ltdN0c+xadEDmU5JXN4/6/1B4fAd9r+KJQlStcZeNtC/ZfyBeNPTfW:rD0c+0EjX4/6/1B4fAd9KKJ6fIORqkNy

Score

10^/10

gozi 1002 banker discovery isfb persistence ransomware trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1002

C2

lolila.net

vndjtu968488.ru

moriyurw368798.ru

Attributes

build
213425
exe_type
worker

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  8b6c087ce23acbe5540e2e799e215010_JaffaCakes118
- Size
  
  346KB
- MD5
  
  8b6c087ce23acbe5540e2e799e215010
- SHA1
  
  6f4d9a8e3fb4dcc9e71ac88a2042f86873ba9593
- SHA256
  
  26b61a616d9ff0fc7e76c5c5d5058b6a05eec82c16b8206b0a3f057e82e23e71
- SHA512
  
  31a76bf4230f2683d768917c172a12f898f309cef4dae9087aecf6f70b66a32c6de2b79c66564db0661901306d0cef029446be0f337479a756d9ff656512228d
- SSDEEP
  
  6144:ltdN0c+xadEDmU5JXN4/6/1B4fAd9r+KJQlStcZeNtC/ZfyBeNPTfW:rD0c+0EjX4/6/1B4fAd9KKJ6fIORqkNy
Score

10^/10

gozi 1002 banker discovery isfb persistence ransomware trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Gozi family
  gozi
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Deletes itself
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

gozi1002bankerdiscoveryisfbpersistenceransomwaretrojan

behavioral2