gozi | 1829a6442112ad58298059ea9ccfe9bbaa12de5465c5ad28a15009e1ee4552a1

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2721712884af79b3925a9461b6956ba_JaffaCakes118.exe
Size

502KB
MD5

c2721712884af79b3925a9461b6956ba
SHA1

5b16851628134c8fd01f3b0a19c98ab24c9e036b
SHA256

1829a6442112ad58298059ea9ccfe9bbaa12de5465c5ad28a15009e1ee4552a1
SHA512

df29f587c3fa46a4a2312ed336b2f5f184dbd2f7cd69073e9c10b0876d2151effd25494b2d8ef326967ab74b2cd156969009998a33e61157ec2c79663d7e9487
SSDEEP

12288:6OzvBPEuLAOOxsgfj40bDKg0m7t4is8jYar:ousO+RDKgJBnsgYa

Score

10^/10

gozi banker discovery isfb persistence trojan

Malware Config

Extracted

Family

gozi

Attributes

build
215798

rsa_pubkey.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	c2721712884af79b3925a9461b6956ba_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4536	Browcatq.exe
4068	Browcatq.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AzSqIWmi = "C:\\Users\\Admin\\AppData\\Roaming\\accohunk\\Browcatq.exe"	c2721712884af79b3925a9461b6956ba_JaffaCakes118.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 4660 set thread context of 384	4660	c2721712884af79b3925a9461b6956ba_JaffaCakes118.exe	97
PID 4536 set thread context of 4068	4536	Browcatq.exe	105
PID 4068 set thread context of 2336	4068	Browcatq.exe	106
PID 2336 set thread context of 3424	2336	svchost.exe	56
PID 3424 set thread context of 3896	3424	Explorer.EXE	60
PID 3424 set thread context of 4148	3424	Explorer.EXE	62
PID 3424 set thread context of 5068	3424	Explorer.EXE	76

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c2721712884af79b3925a9461b6956ba_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c2721712884af79b3925a9461b6956ba_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Browcatq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Browcatq.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Browcatq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	c2721712884af79b3925a9461b6956ba_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	c2721712884af79b3925a9461b6956ba_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	Browcatq.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4068	Browcatq.exe
4068	Browcatq.exe
3424	Explorer.EXE
3424	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
4068	Browcatq.exe
2336	svchost.exe
3424	Explorer.EXE
3424	Explorer.EXE
3424	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3424	Explorer.EXE

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 384	4660	c2721712884af79b3925a9461b6956ba_JaffaCakes118.exe	97
PID 4660 wrote to memory of 384	4660	c2721712884af79b3925a9461b6956ba_JaffaCakes118.exe	97
PID 4660 wrote to memory of 384	4660	c2721712884af79b3925a9461b6956ba_JaffaCakes118.exe	97
PID 4660 wrote to memory of 384	4660	c2721712884af79b3925a9461b6956ba_JaffaCakes118.exe	97
PID 4660 wrote to memory of 384	4660	c2721712884af79b3925a9461b6956ba_JaffaCakes118.exe	97
PID 4660 wrote to memory of 384	4660	c2721712884af79b3925a9461b6956ba_JaffaCakes118.exe	97
PID 4660 wrote to memory of 384	4660	c2721712884af79b3925a9461b6956ba_JaffaCakes118.exe	97
PID 4660 wrote to memory of 384	4660	c2721712884af79b3925a9461b6956ba_JaffaCakes118.exe	97
PID 4660 wrote to memory of 384	4660	c2721712884af79b3925a9461b6956ba_JaffaCakes118.exe	97
PID 4660 wrote to memory of 384	4660	c2721712884af79b3925a9461b6956ba_JaffaCakes118.exe	97
PID 384 wrote to memory of 2752	384	c2721712884af79b3925a9461b6956ba_JaffaCakes118.exe	98
PID 384 wrote to memory of 2752	384	c2721712884af79b3925a9461b6956ba_JaffaCakes118.exe	98
PID 384 wrote to memory of 2752	384	c2721712884af79b3925a9461b6956ba_JaffaCakes118.exe	98
PID 2752 wrote to memory of 3236	2752	cmd.exe	100
PID 2752 wrote to memory of 3236	2752	cmd.exe	100
PID 2752 wrote to memory of 3236	2752	cmd.exe	100
PID 3236 wrote to memory of 4536	3236	cmd.exe	101
PID 3236 wrote to memory of 4536	3236	cmd.exe	101
PID 3236 wrote to memory of 4536	3236	cmd.exe	101
PID 4536 wrote to memory of 4068	4536	Browcatq.exe	105
PID 4536 wrote to memory of 4068	4536	Browcatq.exe	105
PID 4536 wrote to memory of 4068	4536	Browcatq.exe	105
PID 4536 wrote to memory of 4068	4536	Browcatq.exe	105
PID 4536 wrote to memory of 4068	4536	Browcatq.exe	105
PID 4536 wrote to memory of 4068	4536	Browcatq.exe	105
PID 4536 wrote to memory of 4068	4536	Browcatq.exe	105
PID 4536 wrote to memory of 4068	4536	Browcatq.exe	105
PID 4536 wrote to memory of 4068	4536	Browcatq.exe	105
PID 4536 wrote to memory of 4068	4536	Browcatq.exe	105
PID 4068 wrote to memory of 2336	4068	Browcatq.exe	106
PID 4068 wrote to memory of 2336	4068	Browcatq.exe	106
PID 4068 wrote to memory of 2336	4068	Browcatq.exe	106
PID 4068 wrote to memory of 2336	4068	Browcatq.exe	106
PID 4068 wrote to memory of 2336	4068	Browcatq.exe	106
PID 2336 wrote to memory of 3424	2336	svchost.exe	56
PID 2336 wrote to memory of 3424	2336	svchost.exe	56
PID 2336 wrote to memory of 3424	2336	svchost.exe	56
PID 3424 wrote to memory of 3896	3424	Explorer.EXE	60
PID 3424 wrote to memory of 3896	3424	Explorer.EXE	60
PID 3424 wrote to memory of 3896	3424	Explorer.EXE	60
PID 3424 wrote to memory of 4148	3424	Explorer.EXE	62
PID 3424 wrote to memory of 4148	3424	Explorer.EXE	62
PID 3424 wrote to memory of 4148	3424	Explorer.EXE	62
PID 3424 wrote to memory of 5068	3424	Explorer.EXE	76
PID 3424 wrote to memory of 5068	3424	Explorer.EXE	76
PID 3424 wrote to memory of 5068	3424	Explorer.EXE	76

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Users\Admin\AppData\Local\Temp\c2721712884af79b3925a9461b6956ba_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c2721712884af79b3925a9461b6956ba_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Users\Admin\AppData\Local\Temp\c2721712884af79b3925a9461b6956ba_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c2721712884af79b3925a9461b6956ba_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Checks SCSI registry key(s)
    - Suspicious use of WriteProcessMemory
    PID:384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\39F2\1CF9.bat" "C:\Users\Admin\AppData\Roaming\accohunk\Browcatq.exe" "C:\Users\Admin\AppData\Local\Temp\C27217~1.EXE""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C ""C:\Users\Admin\AppData\Roaming\accohunk\Browcatq.exe" "C:\Users\Admin\AppData\Local\Temp\C27217~1.EXE""
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3236
      - C:\Users\Admin\AppData\Roaming\accohunk\Browcatq.exe
        
        "C:\Users\Admin\AppData\Roaming\accohunk\Browcatq.exe" "C:\Users\Admin\AppData\Local\Temp\C27217~1.EXE"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Users\Admin\AppData\Roaming\accohunk\Browcatq.exe
        
        "C:\Users\Admin\AppData\Roaming\accohunk\Browcatq.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        8⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2336

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3896

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4148

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\39F2\1CF9.bat

Filesize
112B

MD5
5ec36b685015635905da6d05aecb4ee6

SHA1
3f23c6ed9ef4e98e2720bac01c7eb3ec6473d882

SHA256
877db8b457ae7140026acf9ee135652aaa4eab8c69a866d58de9d9df354f3486

SHA512
f9ab5d226ad56d0337da8477bc6ffd3314060b7a285c6fd2775e3aed50bbf1b2164743ae7ec878c97fec366ad69f3291048439230ee2a0a08e65d200ee5cad38

Download Submit
C:\Users\Admin\AppData\Roaming\accohunk\Browcatq.exe

Filesize
502KB

MD5
c2721712884af79b3925a9461b6956ba

SHA1
5b16851628134c8fd01f3b0a19c98ab24c9e036b

SHA256
1829a6442112ad58298059ea9ccfe9bbaa12de5465c5ad28a15009e1ee4552a1

SHA512
df29f587c3fa46a4a2312ed336b2f5f184dbd2f7cd69073e9c10b0876d2151effd25494b2d8ef326967ab74b2cd156969009998a33e61157ec2c79663d7e9487

Download Submit
memory/384-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/384-3-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/384-10-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/384-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2336-23-0x0000000000E10000-0x0000000000F14000-memory.dmp

Filesize
1.0MB

Download
memory/2336-29-0x0000000000E10000-0x0000000000F14000-memory.dmp

Filesize
1.0MB

Download
memory/2336-22-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/2336-31-0x0000000000E10000-0x0000000000F14000-memory.dmp

Filesize
1.0MB

Download
memory/3424-36-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/3424-57-0x0000000002D60000-0x0000000002E64000-memory.dmp

Filesize
1.0MB

Download
memory/3424-30-0x0000000002D60000-0x0000000002E64000-memory.dmp

Filesize
1.0MB

Download
memory/3424-37-0x0000000002D60000-0x0000000002E64000-memory.dmp

Filesize
1.0MB

Download
memory/3424-63-0x0000000002D60000-0x0000000002E64000-memory.dmp

Filesize
1.0MB

Download
memory/3424-54-0x0000000002D60000-0x0000000002E64000-memory.dmp

Filesize
1.0MB

Download
memory/3424-55-0x0000000002D60000-0x0000000002E64000-memory.dmp

Filesize
1.0MB

Download
memory/3424-56-0x0000000002D60000-0x0000000002E64000-memory.dmp

Filesize
1.0MB

Download
memory/3896-42-0x0000029406470000-0x0000029406471000-memory.dmp

Filesize
4KB

Download
memory/3896-46-0x00000294066A0000-0x00000294067A4000-memory.dmp

Filesize
1.0MB

Download
memory/3896-47-0x00000294066A0000-0x00000294067A4000-memory.dmp

Filesize
1.0MB

Download
memory/3896-64-0x00000294066A0000-0x00000294067A4000-memory.dmp

Filesize
1.0MB

Download
memory/4068-28-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4068-19-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4148-53-0x0000023EF3710000-0x0000023EF3814000-memory.dmp

Filesize
1.0MB

Download
memory/4148-52-0x0000023EF3710000-0x0000023EF3814000-memory.dmp

Filesize
1.0MB

Download
memory/4148-65-0x0000023EF3710000-0x0000023EF3814000-memory.dmp

Filesize
1.0MB

Download
memory/5068-58-0x0000027B91A30000-0x0000027B91B34000-memory.dmp

Filesize
1.0MB

Download
memory/5068-62-0x0000027B91A30000-0x0000027B91B34000-memory.dmp

Filesize
1.0MB

Download