gozi | JaffaCakes118_4a36881ed346ab1d00077ba4c2cc4f8ca3b6b7c3c8d070403bfc414b2c422bf6

Sharing

Copy URL

Twitter E-mail

General

Target

JaffaCakes118_4a36881ed346ab1d00077ba4c2cc4f8ca3b6b7c3c8d070403bfc414b2c422bf6
Size

43KB
MD5

911289f9c871f9406faeafb5420039cb
SHA1

97f3dbcadc1f50bd676a2672b5a4b1f324e1f00f
SHA256

4a36881ed346ab1d00077ba4c2cc4f8ca3b6b7c3c8d070403bfc414b2c422bf6
SHA512

959c22dfd13319004f336f89fd16d5ae1c851eea5ccbde2f62f4bd2084925db361f44370e7d3b3753cd97dd7d48013989158905145347493c5a210821949579a
SSDEEP

768:5sLkvkJb1J1up9RNdOuZtxE5WkXQDrT+mgazC434i3z93teyS7sOMImb:uLksJbLQ/aWkXQDrTfBzC434Sz9PS7sV

Score

10^/10

isfb 3000 gozi

Malware Config

Extracted

Family

gozi

Botnet

3000

config.edge.skype.com

185.154.53.214

185.154.53.188

46.30.42.246

Attributes

base_path
/drew/
build
260226
exe_type
loader
extension
.jlk
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi family
gozi

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
JaffaCakes118_4a36881ed346ab1d00077ba4c2cc4f8ca3b6b7c3c8d070403bfc414b2c422bf6

Files

JaffaCakes118_4a36881ed346ab1d00077ba4c2cc4f8ca3b6b7c3c8d070403bfc414b2c422bf6
.dll windows:5 windows x86 arch:x86

11e4a06aed8466f4a1d1b855f6202f8f

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

ntdll

memset
sprintf
strcpy
_snwprintf
ZwQueryInformationToken
wcstombs
ZwOpenProcess
ZwClose
ZwOpenProcessToken
mbstowcs
memcpy
_snprintf
_aulldiv
_allmul
_aullrem
RtlUnwind
NtQueryVirtualMemory

kernel32

RaiseException
InterlockedExchange
HeapAlloc
InterlockedIncrement
InterlockedDecrement
HeapFree
SetEvent
SleepEx
GetTickCount
GetCurrentThread
GetSystemTimeAsFileTime
HeapDestroy
HeapCreate
GetLastError
QueueUserAPC
lstrlenA
SetWaitableTimer
Process32First
WaitForSingleObject
Sleep
CreateEventA
lstrlenW
GetProcAddress
Process32Next
WaitForMultipleObjects
GetModuleHandleA
CreateToolhelp32Snapshot
CloseHandle
CreateWaitableTimerA
lstrcpyA
QueryPerformanceFrequency
LocalAlloc
lstrcmpW
LoadLibraryA
FreeLibrary
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
lstrcmpA
CreateFileMappingW
MapViewOfFile
ExpandEnvironmentStringsW
GetComputerNameExA
WideCharToMultiByte
GetComputerNameW
QueryPerformanceCounter
lstrcatA
GetCurrentProcessId
OpenProcess
GetVersion
ExpandEnvironmentStringsA

oleaut32

SysFreeString
SafeArrayDestroy
SafeArrayCreate
SysAllocString

winhttp

WinHttpQueryHeaders
WinHttpCloseHandle
WinHttpConnect
WinHttpQueryDataAvailable
WinHttpReceiveResponse
WinHttpQueryOption
WinHttpSetOption
WinHttpOpen
WinHttpOpenRequest
WinHttpReadData
WinHttpSendRequest

Sections

.text
Size: 29KB - Virtual size: 29KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 936B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

11e4a06aed8466f4a1d1b855f6202f8f

Headers

File Characteristics

Imports

ntdll

kernel32

oleaut32

winhttp

Sections

.text Size: 29KB - Virtual size: 29KB

.rdata Size: 4KB - Virtual size: 3KB

.data Size: 512B - Virtual size: 936B

.bss Size: 4KB - Virtual size: 3KB

.reloc Size: 4KB - Virtual size: 4KB

.text
Size: 29KB - Virtual size: 29KB

.rdata
Size: 4KB - Virtual size: 3KB

.data
Size: 512B - Virtual size: 936B

.bss
Size: 4KB - Virtual size: 3KB

.reloc
Size: 4KB - Virtual size: 4KB