General

  • Target: 9e30414d0fc9fbe797e41cab5100a714_JaffaCakes118
  • Size: 351KB
  • Sample: 241125-1496wayph1
  • MD5: 9e30414d0fc9fbe797e41cab5100a714
  • SHA1: b7f8accc729abc276a0510657becab414506d789
  • SHA256: 481821d0313006387cdb23cce4829f157c3f299e6ccbe284aeecf322826d2c7e
  • SHA512: cfea07aae4ade705e57479ff8fb242b2a7407baa68260e4a0dd7ce77975e58026348cc9a41dfd2324a6ea45bff1a7e831c42ac065e1c7462ca777e5cabaf4fa6
  • SSDEEP: 6144:O0y3NRJO22A8oos+W0OBMgxDy1+yAD2qGr5Pe3q9Yng:OBNfORjVOB7xDQ1AD2qGrJe3q9Yn

Malware Config

Extracted

  • Family: gozi

Extracted

  • Family: gozi
  • Botnet: 1010
  • C2:
      diuolirt.at
      deopliazae.at
      nifredao.com
      filokiyurt.at
  • Attributes:
      exe_type: worker
      server_id: 12
      rsa_pubkey.plain
      serpent.plain

Targets

    • Gozi: Gozi is a well-known and widely distributed banking trojan.
    • Gozi family
    • Checks computer location settings: Looks up country code configured in the registry, likely geofence.
    • Deletes itself
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
