gozi | JaffaCakes118_f42512a61e57afecc9aa65dd1359d9a87fcd1619fb5df6eb0bca208fcfb9973a

General

Target

JaffaCakes118_f42512a61e57afecc9aa65dd1359d9a87fcd1619fb5df6eb0bca208fcfb9973a
Size

38KB
MD5

d70a86eab8b4d9a760ca72e12d032f32
SHA1

22f91652014c97569a3ff9fe9bc87fe262bd5041
SHA256

f42512a61e57afecc9aa65dd1359d9a87fcd1619fb5df6eb0bca208fcfb9973a
SHA512

2ef81d1a9cc75235ebd101c1481ec58508c86900d0edf13b0f79ea0c381ec9259e7c081c411c74e6466e2bf4fbb63a42b1dde8aed635fde382bbdfd759973df2
SSDEEP

768:sTH7lehe1iZfyVkRYgPYcMFxKWf84rNR933jMwuS789rW5It:sTH7lehjqSYF5KtEH9b789rcIt

Score

10^/10

isfb 7406 gozi

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

7406

C2

signin.microsoft.com

login.microsoft.com

keeneticline.com

keeneticline.bar

infmeetic.co

Attributes

base_path
/includes/
build
250193
dns_servers
107.174.86.134

107.175.127.22
exe_type
loader
extension
.img
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi family
gozi

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/29886509fe1c9628fa5227a052e98e5b7cd7bc04cab15f498eb884d588654b1f.dll

Files

JaffaCakes118_f42512a61e57afecc9aa65dd1359d9a87fcd1619fb5df6eb0bca208fcfb9973a
.zip

Password: infected
29886509fe1c9628fa5227a052e98e5b7cd7bc04cab15f498eb884d588654b1f.dll
.dll regsvr32 windows:4 windows x86 arch:x86

9b4bd5e9c744a772e2cae4b95c84d26f

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

HeapAlloc
GetLastError
GetSystemTime
Sleep
SwitchToThread
HeapFree
SetThreadAffinityMask
ExitThread
lstrlenW
SleepEx
WaitForSingleObject
HeapCreate
InterlockedDecrement
HeapDestroy
InterlockedIncrement
CloseHandle
SetThreadPriority
GetCurrentThread
GetExitCodeThread
VirtualProtect
GetModuleFileNameW
SetLastError
GetModuleHandleA
GetLongPathNameW
OpenProcess
GetVersion
GetCurrentProcessId
CreateEventA
QueueUserAPC
CreateThread
TerminateThread
GetProcAddress
LoadLibraryA
VirtualFree
VirtualAlloc
CreateFileMappingW
GetSystemTimeAsFileTime
MapViewOfFile

ntdll

_snwprintf
memset
memcpy
_aulldiv
RtlUnwind
NtQueryVirtualMemory

advapi32

ConvertStringSecurityDescriptorToSecurityDescriptorA

Exports

Exports

DllRegisterServer

Sections

.text
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 476B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 1024B - Virtual size: 732B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 33KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Files

Password: infected

9b4bd5e9c744a772e2cae4b95c84d26f

Headers

File Characteristics

Imports

kernel32

ntdll

advapi32

Exports

Exports

Sections

.text Size: 5KB - Virtual size: 5KB

.rdata Size: 1KB - Virtual size: 1KB

.data Size: 512B - Virtual size: 476B

.bss Size: 1024B - Virtual size: 732B

.reloc Size: 33KB - Virtual size: 36KB

.text
Size: 5KB - Virtual size: 5KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 512B - Virtual size: 476B

.bss
Size: 1024B - Virtual size: 732B

.reloc
Size: 33KB - Virtual size: 36KB