Extracted

• • Target

    JaffaCakes118_89dbe243829a1f6c79190897e3c8fbae

  • Size

    5.6MB

  • MD5

    89dbe243829a1f6c79190897e3c8fbae

  • SHA1

    b28d6881630e4ff0675cef42b55a910b3e1dd1c9

  • SHA256

    59df1601a47511118c430b1961a05ed8000b73468dbbcaf06cd4048e8c7370c7

  • SHA512

    13b639f23cc342718fe8d3f0930c7eaa64576cf6cd91e0db8555e799fa8d37fb08476631a8359021a53f38b04162f20081913186a5a20c5014f1226c0d8b99b8

  • SSDEEP

    98304:GofZgqJrfcAmilwi/hMF5BdGTVNsUMDG5ACoRKqA4lsAS1J0lQW2AdYeBPZqV7fS:Hdl/lw8hMy5ORDG59pOHNF1ZcV7HHu9v

  Score

  10^/10

  gozibankerdefense_evasiondiscoveryisfbpersistenceprivilege_escalationtrojanupx

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi

  • Gozi family

    gozi

  • UAC bypass

    defense_evasiontrojan

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Drops file in Drivers directory

  • Modifies Windows Firewall

    defense_evasion

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    defense_evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory

  • Hide Artifacts: Hidden Users

    defense_evasion

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2