gozi | bf647a1d55c0208b2acd3a34043dc2d5_JaffaCakes118

Sharing

Copy URL

Twitter E-mail

General

Target

bf647a1d55c0208b2acd3a34043dc2d5_JaffaCakes118
Size

176KB
MD5

bf647a1d55c0208b2acd3a34043dc2d5
SHA1

a78e6800d417e3cf104878fdecebace2e7760fe6
SHA256

f6b0df5f84e29476f1479ae68a283c70cdbda201dde8fed1c8ff78fdcae78988
SHA512

2c021f8af94aec8b805cde715a005e2eb1f612df66c76972458fbd7d99aa16644fd22f21f2f578737fea73653a3378e1eb7640d8ae80db0888576e491f2aa3ac
SSDEEP

3072:1FIcnxeZ7q+edZnYAeoCuPIw8n4BXhTKSdEnl3Fz3n+c7i4HyuI:Fx2e3YARCurXhdcOiI

Score

10^/10

isfb gozi

Malware Config

Extracted

Family

gozi

Signatures

Gozi family
gozi

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
bf647a1d55c0208b2acd3a34043dc2d5_JaffaCakes118

Files

bf647a1d55c0208b2acd3a34043dc2d5_JaffaCakes118
.dll regsvr32 windows:4 windows x86 arch:x86

c5471aee61efadef746b0e9e46db368e

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

CreateProcessA
FlushInstructionCache
lstrcmpA
VirtualProtect
GetCurrentProcess
FreeLibrary
LoadLibraryA
SetLastError
GetFileSize
GetLastError
CreateFileA
WriteFile
GlobalAlloc
Sleep
DeleteFileA
CopyFileA
LocalAlloc
CreateDirectoryA
SetFilePointer
FindNextFileA
FindFirstFileA
ReadFile
GlobalFree
GetModuleFileNameA
CreateThread
GetWindowsDirectoryA
SizeofResource
LoadResource
FindResourceA
TerminateProcess
OpenProcess
LockResource
GetProcAddress
TlsSetValue
TlsAlloc
ExitProcess
TlsFree
DisableThreadLibraryCalls
lstrlenW
CreatePipe
GetCurrentProcessId
CreateMutexA
OpenMutexA
DuplicateHandle
Process32Next
Process32First
CreateToolhelp32Snapshot
WaitForSingleObject
CloseHandle
OutputDebugStringA
lstrcatA
lstrcpyA
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSection
LocalFree
WideCharToMultiByte
lstrlenA
InterlockedDecrement
InterlockedIncrement
MultiByteToWideChar
GetVersionExA
GetSystemDirectoryA
TerminateThread

user32

GetWindowPlacement
EndDialog
GetOpenClipboardWindow
CloseClipboard
GetClipboardData
OpenClipboard
CharLowerA
GetDlgItemTextA
KillTimer
GetSystemMetrics
GetWindowRect
SetWindowPos
DialogBoxParamA
FindWindowA
CharUpperBuffA
SetTimer
CharLowerBuffA
CreatePopupMenu
GetDC
SetWindowsHookExA
UnhookWindowsHookEx
GetDlgItem
PostMessageA
SetWindowLongA
CallNextHookEx
LoadCursorA
CopyIcon
CopyImage
SetSystemCursor
LoadStringA
InsertMenuA
TrackPopupMenu
GetCursorPos
GetForegroundWindow
SetForegroundWindow
DestroyMenu
SendMessageA
SetWindowTextA
MessageBoxA
ShowWindow
MoveWindow
GetWindowLongA
SetParent
GetWindowThreadProcessId
LoadImageA
IsWindow
SetDlgItemTextA

gdi32

GetDIBits
CreateFontA
GetObjectA

advapi32

RegCreateKeyExA
RegCloseKey
RegSetValueExA
RegQueryValueExA
RegOpenKeyExA
RegDeleteValueA
RegDeleteKeyA
RegEnumKeyExA
RegQueryInfoKeyA

shell32

ShellExecuteA
Shell_NotifyIconA
SHChangeNotify

ole32

CoMarshalInterThreadInterfaceInStream
CoCreateInstance
CoGetInterfaceAndReleaseStream
CoInitialize
CoUninitialize

oleaut32

VariantClear
LoadRegTypeLi
SysStringLen
SysAllocStringLen
VariantInit
SysFreeString
SysAllocString
SysAllocStringByteLen

ws2_32

recv
connect
send
ntohs
getpeername
WSAConnect
socket
gethostbyname
WSAGetLastError
htons
getsockopt
select
closesocket
inet_addr

wininet

InternetAutodial
InternetSetOptionA
InternetConnectA
InternetGetConnectedState
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoA
InternetOpenA

atl

ord30
ord11
ord10
ord58
ord32
ord23
ord21
ord16
ord15
ord18
ord57
ord52
ord53

urlmon

URLOpenBlockingStreamA

iphlpapi

GetAdaptersInfo
GetIfEntry

msvcrt

atol
_CxxThrowException
_mbsinc
_msize
_mbslwr
memset
_mbschr
wcslen
memcpy
__CxxFrameHandler
??2@YAPAXI@Z
strcpy
??3@YAXPAX@Z
strcmp
memcmp
_except_handler3
_mbsstr
_mbsrchr
vsprintf
_mbclen
strlen
sprintf
_mbsnbcmp
_ismbcdigit
atoi
_mbscmp
fclose
fwrite
fopen
strrchr
strchr
realloc
malloc
strstr
time
_purecall
??1type_info@@UAE@XZ
_adjust_fdiv
_initterm
memmove
free
__dllonexit
strncmp
_onexit
?terminate@@YAXXZ

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
InstantAccess
P2EProc
Socksify
UnSocksify

Sections

.text
Size: 80KB - Virtual size: 76KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 24KB - Virtual size: 151KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.HookSec
Size: 4KB - Virtual size: 28B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 32KB - Virtual size: 29KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

c5471aee61efadef746b0e9e46db368e

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

ws2_32

wininet

atl

urlmon

iphlpapi

msvcrt

Exports

Exports

Sections

.text Size: 80KB - Virtual size: 76KB

.rdata Size: 20KB - Virtual size: 16KB

.data Size: 24KB - Virtual size: 151KB

.HookSec Size: 4KB - Virtual size: 28B

.rsrc Size: 32KB - Virtual size: 29KB

.reloc Size: 12KB - Virtual size: 10KB

.text
Size: 80KB - Virtual size: 76KB

.rdata
Size: 20KB - Virtual size: 16KB

.data
Size: 24KB - Virtual size: 151KB

.HookSec
Size: 4KB - Virtual size: 28B

.rsrc
Size: 32KB - Virtual size: 29KB

.reloc
Size: 12KB - Virtual size: 10KB