gozi | fea6adf451d8a886caf3f2c2ee7ea298a0ae15640443227310ab12a18ff42086 | Triage

Sharing

General

Target

98870053f992cdf24078e994d74a2390_JaffaCakes118
Size

352KB
Sample

241125-cdq4basjfv
MD5

98870053f992cdf24078e994d74a2390
SHA1

ab1b4fa7bd2ba730ba12336bc3a15bc7b2c55d84
SHA256

fea6adf451d8a886caf3f2c2ee7ea298a0ae15640443227310ab12a18ff42086
SHA512

c1668b500eae59108d07f38605c381c7832ba6424522ff6f458914ccf7b90986e141f6a1e59e5ffca864862558b491c085188cb2818e94250fd08a4969c99589
SSDEEP

6144:RwtcuvtLsnTE/3OeLWKr4aa94eNekkNFhHpUHSaBfJER:RwKuZHWIehNe9FRMf4

Score

10^/10

gozi 1050 banker discovery isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1050

C2

fkklqkjgnr.com

sinpotikos.com

bnkalirmf.com

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  98870053f992cdf24078e994d74a2390_JaffaCakes118
- Size
  
  352KB
- MD5
  
  98870053f992cdf24078e994d74a2390
- SHA1
  
  ab1b4fa7bd2ba730ba12336bc3a15bc7b2c55d84
- SHA256
  
  fea6adf451d8a886caf3f2c2ee7ea298a0ae15640443227310ab12a18ff42086
- SHA512
  
  c1668b500eae59108d07f38605c381c7832ba6424522ff6f458914ccf7b90986e141f6a1e59e5ffca864862558b491c085188cb2818e94250fd08a4969c99589
- SSDEEP
  
  6144:RwtcuvtLsnTE/3OeLWKr4aa94eNekkNFhHpUHSaBfJER:RwKuZHWIehNe9FRMf4
Score

10^/10

gozi 1050 banker discovery isfb persistence trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Gozi family
  gozi
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi1050bankerdiscoveryisfbpersistencetrojan

behavioral2

gozi1050bankerdiscoveryisfbpersistencetrojan