gozi | JaffaCakes118_d3b47982dc74bc3984e515dcad6787014924f1e941b3ef71b7a83c39742a0979

General

Target

JaffaCakes118_d3b47982dc74bc3984e515dcad6787014924f1e941b3ef71b7a83c39742a0979
Size

38KB
MD5

a7228c0eb847cd8f0cc03a75d20b3a03
SHA1

1f1b1e0556f50c7241a3faeb1c2ca32cb4c9ec74
SHA256

d3b47982dc74bc3984e515dcad6787014924f1e941b3ef71b7a83c39742a0979
SHA512

6f82f50c60ea2916a9b4cb201ceb9029298f8e03ad3223ddd388c4697c9c2e0750d4ff4f91ebf8f9d98c71059c639a96f11677faffed19a052b793b220dd1d42
SSDEEP

768:FrKB00gb5/EzMAogX6OP4jk5CzWh7g/zGOjUI1cLB7EGhy3tCgn5zUM:Vn0gb5/4MALrdQzQ7g/zBV1KqdtC25zL

Score

10^/10

isfb 4463 gozi

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

4463

C2

1.microsoft.com

silugerude.xyz

vilugerude.xyz

Attributes

base_path
/palok/
build
250193
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
extension
.trb
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi family
gozi

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/35bef39478577d735b1c8104f5800e95d73487284c89b281283e4c117688bd92.dll

Files

JaffaCakes118_d3b47982dc74bc3984e515dcad6787014924f1e941b3ef71b7a83c39742a0979
.zip

Password: infected
35bef39478577d735b1c8104f5800e95d73487284c89b281283e4c117688bd92.dll
.dll regsvr32 windows:4 windows x86 arch:x86

9b4bd5e9c744a772e2cae4b95c84d26f

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

HeapAlloc
GetLastError
GetSystemTime
Sleep
SwitchToThread
HeapFree
SetThreadAffinityMask
ExitThread
lstrlenW
SleepEx
WaitForSingleObject
HeapCreate
InterlockedDecrement
HeapDestroy
InterlockedIncrement
CloseHandle
SetThreadPriority
GetCurrentThread
GetExitCodeThread
VirtualProtect
GetModuleFileNameW
SetLastError
GetModuleHandleA
GetLongPathNameW
OpenProcess
GetVersion
GetCurrentProcessId
CreateEventA
QueueUserAPC
CreateThread
TerminateThread
GetProcAddress
LoadLibraryA
VirtualFree
VirtualAlloc
CreateFileMappingW
GetSystemTimeAsFileTime
MapViewOfFile

ntdll

_snwprintf
memset
memcpy
_aulldiv
RtlUnwind
NtQueryVirtualMemory

advapi32

ConvertStringSecurityDescriptorToSecurityDescriptorA

Exports

Exports

DllRegisterServer

Sections

.text
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 476B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 1024B - Virtual size: 732B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 33KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Files

Password: infected

9b4bd5e9c744a772e2cae4b95c84d26f

Headers

File Characteristics

Imports

kernel32

ntdll

advapi32

Exports

Exports

Sections

.text Size: 5KB - Virtual size: 5KB

.rdata Size: 1KB - Virtual size: 1KB

.data Size: 512B - Virtual size: 476B

.bss Size: 1024B - Virtual size: 732B

.reloc Size: 33KB - Virtual size: 36KB

.text
Size: 5KB - Virtual size: 5KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 512B - Virtual size: 476B

.bss
Size: 1024B - Virtual size: 732B

.reloc
Size: 33KB - Virtual size: 36KB