gozi | JaffaCakes118_fa13e39768fdfb72af2fe96aed08adb191b925de09013702e364909e29167a30

Sharing

Copy URL

Twitter E-mail

General

Target

JaffaCakes118_fa13e39768fdfb72af2fe96aed08adb191b925de09013702e364909e29167a30
Size

174KB
MD5

1f683d3624c3f5144c14a2108d29f982
SHA1

7c2d1e61481d122cc7f48535c79832fd961fd27f
SHA256

fa13e39768fdfb72af2fe96aed08adb191b925de09013702e364909e29167a30
SHA512

d633e2f543326a46f23e905a757f83a69f0d855e0139b6d28f013440fd4e8339346f49fb6befc775a9ecc391423b1b10c053e6407f5964ff4faa0ca36306ba19
SSDEEP

3072:lI71dnLPQppM/B/W/POXMb2qlalj/FYAe/j7Ajis5t8ZS7UeaOsNsRgC7cP2favu:YVPqMY/POX3qlalpYAUQeW8feasRdc2B

Score

10^/10

isfb 4483 gozi

Malware Config

Extracted

Family

gozi

Botnet

4483

lycos.com

mail.yahoo.com

37.120.222.107

185.186.247.91

185.186.245.171

dumokurenu.xyz

fumokurenu.xyz

lumokurenu.xyz

Attributes

base_path
/images/
build
250211
dga_season
10
dga_tlds
com

ru

org
exe_type
worker
extension
.avi
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi family
gozi

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
JaffaCakes118_fa13e39768fdfb72af2fe96aed08adb191b925de09013702e364909e29167a30

Files

JaffaCakes118_fa13e39768fdfb72af2fe96aed08adb191b925de09013702e364909e29167a30
.dll windows:5 windows x86 arch:x86

3e5a5960a954602a0f374a91077473ac

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

ntdll

NtSetInformationProcess
sprintf
strstr
ZwOpenProcess
ZwClose
ZwOpenProcessToken
strcpy
ZwQueryInformationProcess
RtlNtStatusToDosError
NtQuerySystemInformation
NtQueryInformationThread
_wcsupr
memmove
wcscpy
_snprintf
mbstowcs
ZwQueryKey
RtlFreeUnicodeString
RtlUpcaseUnicodeString
wcstombs
RtlAdjustPrivilege
memset
_strupr
_snwprintf
memcpy
RtlImageNtHeader
ZwQueryInformationToken
_aulldiv
_allmul
RtlUnwind
NtQueryVirtualMemory

kernel32

TlsAlloc
GetCurrentDirectoryW
LoadLibraryW
GetVersionExA
VirtualProtectEx
FileTimeToLocalFileTime
CreateFileMappingW
GetModuleFileNameA
GetModuleFileNameW
QueryPerformanceFrequency
GetLocalTime
FileTimeToSystemTime
GetComputerNameExA
GetComputerNameW
QueryPerformanceCounter
GetTempFileNameA
CreateThread
HeapAlloc
HeapFree
WaitForSingleObject
ExitThread
lstrlenW
GetLastError
ResetEvent
CloseHandle
DeleteFileW
CreateFileA
lstrlenA
WriteFile
lstrcatA
CreateDirectoryA
RemoveDirectoryA
LoadLibraryA
DeleteFileA
lstrcpyA
HeapReAlloc
InterlockedIncrement
InterlockedDecrement
SetEvent
GetSystemTimeAsFileTime
HeapDestroy
HeapCreate
GetModuleHandleA
ExitProcess
GetFileSize
lstrcmpA
SetWaitableTimer
CreateDirectoryW
GetTickCount
GetCurrentThread
VirtualFree
GetWindowsDirectoryA
GetCommandLineA
InitializeCriticalSection
OpenProcess
Sleep
CopyFileW
CreateEventA
LeaveCriticalSection
TerminateProcess
CreateFileW
InterlockedExchange
VirtualAlloc
EnterCriticalSection
lstrcmpiW
lstrcatW
GetCurrentThreadId
DuplicateHandle
GetTempPathA
SuspendThread
ResumeThread
lstrcpyW
SwitchToThread
MapViewOfFile
UnmapViewOfFile
SetLastError
lstrcmpiA
OpenWaitableTimerA
OpenMutexA
WaitForMultipleObjects
CreateMutexA
ReleaseMutex
CreateWaitableTimerA
UnregisterWait
TlsGetValue
LoadLibraryExW
TlsSetValue
RegisterWaitForSingleObject
VirtualProtect
TerminateThread
OpenEventA
RemoveVectoredExceptionHandler
AddVectoredExceptionHandler
GetProcAddress
GetDriveTypeW
GetLogicalDriveStringsW
WideCharToMultiByte
GetFileAttributesA
GetExitCodeProcess
GetFileAttributesW
CreateProcessA
CreateFileMappingA
OpenFileMappingA
lstrcpynA
GlobalLock
GlobalUnlock
LocalFree
Thread32First
Thread32Next
QueueUserAPC
OpenThread
CreateToolhelp32Snapshot
CallNamedPipeA
WaitNamedPipeA
ConnectNamedPipe
ReadFile
GetOverlappedResult
DisconnectNamedPipe
FlushFileBuffers
CreateNamedPipeA
CancelIo
GetSystemTime
SleepEx
LocalAlloc
FreeLibrary
RaiseException
GetCurrentProcessId
GetVersion
DeleteCriticalSection
VirtualQuery
ExpandEnvironmentStringsW
FindNextFileW
RemoveDirectoryW
FindClose
SetEndOfFile
SetFilePointer
FindFirstFileW
SetCurrentDirectoryW

Sections

.text
Size: 136KB - Virtual size: 136KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 13KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

3e5a5960a954602a0f374a91077473ac

Headers

File Characteristics

Imports

ntdll

kernel32

Sections

.text Size: 136KB - Virtual size: 136KB

.rdata Size: 11KB - Virtual size: 10KB

.data Size: 4KB - Virtual size: 4KB

.bss Size: 8KB - Virtual size: 8KB

.reloc Size: 13KB - Virtual size: 16KB

.text
Size: 136KB - Virtual size: 136KB

.rdata
Size: 11KB - Virtual size: 10KB

.data
Size: 4KB - Virtual size: 4KB

.bss
Size: 8KB - Virtual size: 8KB

.reloc
Size: 13KB - Virtual size: 16KB