gozi | JaffaCakes118_4f0066b3a94a37a1bb9f13d4ad953b45b761635c0dac4418a8524deffa4c2bc0

General

Target

JaffaCakes118_4f0066b3a94a37a1bb9f13d4ad953b45b761635c0dac4418a8524deffa4c2bc0
Size

38KB
MD5

aa7b507a69f9a65fc211cf821bfbbfb2
SHA1

7dd8992663f8eb289eaaedbb52ce37cedc48106b
SHA256

4f0066b3a94a37a1bb9f13d4ad953b45b761635c0dac4418a8524deffa4c2bc0
SHA512

caf220a957e852e60aec5820ca9cf3c3ae509605ec269f300dd06766000ae84bd4ec215c0921b099ea4ef485e2859d71daa40070d5c6471d21edb8021b28be10
SSDEEP

768:v6CNzUJvaQjxB72WPyBga0V59dcL7JFWGXKeYRzkcoyUeSzXd6IXB8H:v6SzGvaQjxcxgaUpcxFWGKedcoyUeqXa

Score

10^/10

isfb 8899 gozi

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

8899

C2

msn.com/login

vloderuniok.website

gloderuniok.website

Attributes

base_path
/jkloio/
build
260212
dga_season
10
exe_type
loader
extension
.lko
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi family
gozi

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/loader_260212_3ce9df2272bb98916f215be5a0943ed0fc06f72eca3bed2385aacc7c1b4c6071

Files

JaffaCakes118_4f0066b3a94a37a1bb9f13d4ad953b45b761635c0dac4418a8524deffa4c2bc0
.zip

Password: infected
loader_260212_3ce9df2272bb98916f215be5a0943ed0fc06f72eca3bed2385aacc7c1b4c6071
.dll regsvr32 windows:5 windows x86 arch:x86

7810ad7e9f1684556ca41a69627e4ce9

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

ntdll

_snwprintf
memset
memcpy
NtQuerySystemInformation
_aulldiv
RtlUnwind
NtQueryVirtualMemory

kernel32

SetThreadAffinityMask
CloseHandle
HeapAlloc
SetThreadPriority
Sleep
ExitThread
lstrlenW
GetLastError
GetExitCodeThread
HeapCreate
HeapDestroy
GetCurrentThread
SleepEx
WaitForSingleObject
InterlockedDecrement
InterlockedIncrement
HeapFree
GetModuleFileNameW
SetLastError
GetModuleHandleA
VirtualProtect
OpenProcess
CreateEventA
GetLongPathNameW
GetVersion
GetCurrentProcessId
TerminateThread
QueueUserAPC
CreateThread
GetProcAddress
LoadLibraryA
VirtualFree
VirtualAlloc
MapViewOfFile
GetSystemTimeAsFileTime
CreateFileMappingW

advapi32

ConvertStringSecurityDescriptorToSecurityDescriptorA

Exports

Exports

DllRegisterServer

Sections

.text
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 604B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 1024B - Virtual size: 732B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 33KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Files

Password: infected

7810ad7e9f1684556ca41a69627e4ce9

Headers

File Characteristics

Imports

ntdll

kernel32

advapi32

Exports

Exports

Sections

.text Size: 5KB - Virtual size: 5KB

.rdata Size: 1KB - Virtual size: 1KB

.data Size: 512B - Virtual size: 604B

.bss Size: 1024B - Virtual size: 732B

.reloc Size: 33KB - Virtual size: 36KB

.text
Size: 5KB - Virtual size: 5KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 512B - Virtual size: 604B

.bss
Size: 1024B - Virtual size: 732B

.reloc
Size: 33KB - Virtual size: 36KB