General

  • Target: bb2bbdfd56cfa56164b14a0a574d1544_JaffaCakes118
  • Size: 848KB
  • Sample: 240618-hkzxpawbkk
  • MD5: bb2bbdfd56cfa56164b14a0a574d1544
  • SHA1: b639e690382f6a6e3e9debb304ef09111a6d9a4d
  • SHA256: 32d2ce148c7d07c6b2acac5b1f4c3e668ab15518c5e17fa4be0ed128008837f0
  • SHA512: 11a2e1e40fb66e45eff486c45bc3e0c7ea76ee8920b8374c6b207ec378faa2fe8659fcf6301f3d01d0510da9af56256af4c6b4d0d2b7fd3e97e2c5ef0993ff07
  • SSDEEP: 12288:o+AtHVEapHjI6Y8ND2SE8a43uc+11rKQoPgPli+fsWfplphiPwiH:7At1PEj8cB8aqAULoPw+fsWX3BiH

Malware Config

Extracted

  • Family: gozi
  • Botnet: 700
  • C2:
    http://cxzko43pnr7ujnte.onion
    http://intraders-support.at
    http://freshness-girls.at
  • Attributes:
    • build: 216098
    • dga_base_url: constitution.org/usdeclar.txt
    • dga_crc: 0x4eb7d2ca
    • dga_season: 10
    • dga_tlds: com, ru, org
    • exe_type: worker
    • server_id: 12
  • rsa_pubkey.plain
  • serpent.plain

Targets

    • Target: bb2bbdfd56cfa56164b14a0a574d1544_JaffaCakes118

    • Gozi: Gozi is a well-known and widely distributed banking trojan.
    • Unexpected DNS network traffic destination: Network traffic to other servers than the configured DNS servers was detected on the DNS port.
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  • Boot or Logon Autostart Execution (T1547)
  • Registry Run Keys / Startup Folder (T1547.001)

Privilege Escalation
  • Boot or Logon Autostart Execution (T1547)
  • Registry Run Keys / Startup Folder (T1547.001)

Defense Evasion
  • Modify Registry (T1112)