gozi | JaffaCakes118_540aec5bbc87fba7a6c21894ea4999d04b490f64abd5cdf53896735501735532

General

Target

JaffaCakes118_540aec5bbc87fba7a6c21894ea4999d04b490f64abd5cdf53896735501735532
Size

38KB
MD5

18b8cb4d69ec7c30269b0c8e6b587eb2
SHA1

14db963b30717fa09cb7ebc39a0cc5cda1a7b391
SHA256

540aec5bbc87fba7a6c21894ea4999d04b490f64abd5cdf53896735501735532
SHA512

44ceec451f7a5e0ff5e76e0c6ecd8a66bc0b65f0e9f8e35f2a5ca5162f96335363cd023246747e465349368a07288dc03d30042d1155206a7f4fcb068d77c8e3
SSDEEP

768:PnokLrDvjpBcQs5nhBoGFwfrs9BmGDXI4bFouio6:rLbjHizsiLI4WuB

Score

10^/10

isfb 1500 gozi

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1500

C2

app.buboleinov.com

chat.veminiare.com

chat.billionady.com

app3.maintorna.com

Attributes

build
250188
exe_type
loader
server_id
580

rsa_pubkey.plain

aes.plain

Signatures

Gozi family
gozi

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
JaffaCakes118_540aec5bbc87fba7a6c21894ea4999d04b490f64abd5cdf53896735501735532

Files

JaffaCakes118_540aec5bbc87fba7a6c21894ea4999d04b490f64abd5cdf53896735501735532
.dll regsvr32 windows:4 windows x86 arch:x86

6645a948149623e814d378b0c62a0e68

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

shlwapi

StrStrIA

kernel32

SetThreadAffinityMask
HeapAlloc
GetLastError
VerLanguageNameA
Sleep
GetSystemTime
SwitchToThread
HeapFree
SleepEx
GetLocaleInfoA
ExitThread
lstrlenW
GetSystemDefaultUILanguage
WaitForSingleObject
HeapCreate
InterlockedDecrement
HeapDestroy
InterlockedIncrement
CloseHandle
SetThreadPriority
GetCurrentThread
GetExitCodeThread
GetModuleFileNameW
CreateFileMappingW
MapViewOfFile
GetSystemTimeAsFileTime
SetLastError
GetModuleHandleA
VirtualProtect
OpenProcess
GetVersion
GetCurrentProcessId
CreateEventA
GetLongPathNameW
QueueUserAPC
CreateThread
TerminateThread
GetProcAddress
LoadLibraryA
VirtualFree
VirtualAlloc

ntdll

_snwprintf
memcpy
memset
_aulldiv
RtlUnwind
NtQueryVirtualMemory

advapi32

ConvertStringSecurityDescriptorToSecurityDescriptorA

Exports

Exports

DllRegisterServer

Sections

.text
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 604B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 1024B - Virtual size: 620B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 28KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Files

6645a948149623e814d378b0c62a0e68

Headers

File Characteristics

Imports

shlwapi

kernel32

ntdll

advapi32

Exports

Exports

Sections

.text Size: 6KB - Virtual size: 5KB

.rdata Size: 2KB - Virtual size: 1KB

.data Size: 512B - Virtual size: 604B

.bss Size: 1024B - Virtual size: 620B

.reloc Size: 28KB - Virtual size: 32KB

.text
Size: 6KB - Virtual size: 5KB

.rdata
Size: 2KB - Virtual size: 1KB

.data
Size: 512B - Virtual size: 604B

.bss
Size: 1024B - Virtual size: 620B

.reloc
Size: 28KB - Virtual size: 32KB