gozi | 32d2ce148c7d07c6b2acac5b1f4c3e668ab15518c5e17fa4be0ed128008837f0

Analysis

max time kernel
119s
max time network
146s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18-06-2024 06:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb2bbdfd56cfa56164b14a0a574d1544_JaffaCakes118.dll
Size

848KB
MD5

bb2bbdfd56cfa56164b14a0a574d1544
SHA1

b639e690382f6a6e3e9debb304ef09111a6d9a4d
SHA256

32d2ce148c7d07c6b2acac5b1f4c3e668ab15518c5e17fa4be0ed128008837f0
SHA512

11a2e1e40fb66e45eff486c45bc3e0c7ea76ee8920b8374c6b207ec378faa2fe8659fcf6301f3d01d0510da9af56256af4c6b4d0d2b7fd3e97e2c5ef0993ff07
SSDEEP

12288:o+AtHVEapHjI6Y8ND2SE8a43uc+11rKQoPgPli+fsWfplphiPwiH:7At1PEj8cB8aqAULoPw+fsWX3BiH

Score

10^/10

gozi 700 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

700

http://cxzko43pnr7ujnte.onion

http://intraders-support.at

http://freshness-girls.at

Attributes

build
216098
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 208.67.222.222
Destination IP 208.67.222.222
Destination IP 208.67.222.222

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\apiMtxml = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Bdesudrv\\bthcgIME.dll\",DllRegisterServer"	Explorer.EXE

Suspicious use of SetThreadContext 4 IoCs

Processes:

rundll32.execontrol.exeExplorer.EXE

description	pid	process	target process
PID 2188 set thread context of 2632	2188	rundll32.exe	control.exe
PID 2632 set thread context of 1376	2632	control.exe	Explorer.EXE
PID 2632 set thread context of 2812	2632	control.exe	rundll32.exe
PID 1376 set thread context of 1980	1376	Explorer.EXE	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeExplorer.EXE

pid process

2188 rundll32.exe
1376 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

rundll32.execontrol.exeExplorer.EXE

pid process

2188 rundll32.exe
2632 control.exe
2632 control.exe
1376 Explorer.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1376 Explorer.EXE
1376 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1376 Explorer.EXE
1376 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1376 Explorer.EXE

pid	process
2188	rundll32.exe
1376	Explorer.EXE

pid	process
2188	rundll32.exe
2632	control.exe
2632	control.exe
1376	Explorer.EXE

pid	process
1376	Explorer.EXE
1376	Explorer.EXE

pid	process
1376	Explorer.EXE
1376	Explorer.EXE

pid	process
1376	Explorer.EXE

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

rundll32.exerundll32.execontrol.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1276 wrote to memory of 2188	1276	rundll32.exe	rundll32.exe
PID 1276 wrote to memory of 2188	1276	rundll32.exe	rundll32.exe
PID 1276 wrote to memory of 2188	1276	rundll32.exe	rundll32.exe
PID 1276 wrote to memory of 2188	1276	rundll32.exe	rundll32.exe
PID 1276 wrote to memory of 2188	1276	rundll32.exe	rundll32.exe
PID 1276 wrote to memory of 2188	1276	rundll32.exe	rundll32.exe
PID 1276 wrote to memory of 2188	1276	rundll32.exe	rundll32.exe
PID 2188 wrote to memory of 2632	2188	rundll32.exe	control.exe
PID 2188 wrote to memory of 2632	2188	rundll32.exe	control.exe
PID 2188 wrote to memory of 2632	2188	rundll32.exe	control.exe
PID 2188 wrote to memory of 2632	2188	rundll32.exe	control.exe
PID 2188 wrote to memory of 2632	2188	rundll32.exe	control.exe
PID 2188 wrote to memory of 2632	2188	rundll32.exe	control.exe
PID 2188 wrote to memory of 2632	2188	rundll32.exe	control.exe
PID 2632 wrote to memory of 1376	2632	control.exe	Explorer.EXE
PID 2632 wrote to memory of 1376	2632	control.exe	Explorer.EXE
PID 2632 wrote to memory of 1376	2632	control.exe	Explorer.EXE
PID 2632 wrote to memory of 2812	2632	control.exe	rundll32.exe
PID 2632 wrote to memory of 2812	2632	control.exe	rundll32.exe
PID 2632 wrote to memory of 2812	2632	control.exe	rundll32.exe
PID 2632 wrote to memory of 2812	2632	control.exe	rundll32.exe
PID 2632 wrote to memory of 2812	2632	control.exe	rundll32.exe
PID 2632 wrote to memory of 2812	2632	control.exe	rundll32.exe
PID 1376 wrote to memory of 2172	1376	Explorer.EXE	cmd.exe
PID 1376 wrote to memory of 2172	1376	Explorer.EXE	cmd.exe
PID 1376 wrote to memory of 2172	1376	Explorer.EXE	cmd.exe
PID 2172 wrote to memory of 1620	2172	cmd.exe	nslookup.exe
PID 2172 wrote to memory of 1620	2172	cmd.exe	nslookup.exe
PID 2172 wrote to memory of 1620	2172	cmd.exe	nslookup.exe
PID 1376 wrote to memory of 2736	1376	Explorer.EXE	cmd.exe
PID 1376 wrote to memory of 2736	1376	Explorer.EXE	cmd.exe
PID 1376 wrote to memory of 2736	1376	Explorer.EXE	cmd.exe
PID 1376 wrote to memory of 1980	1376	Explorer.EXE	cmd.exe
PID 1376 wrote to memory of 1980	1376	Explorer.EXE	cmd.exe
PID 1376 wrote to memory of 1980	1376	Explorer.EXE	cmd.exe
PID 1376 wrote to memory of 1980	1376	Explorer.EXE	cmd.exe
PID 1376 wrote to memory of 1980	1376	Explorer.EXE	cmd.exe
PID 1376 wrote to memory of 1980	1376	Explorer.EXE	cmd.exe
PID 1376 wrote to memory of 1980	1376	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb2bbdfd56cfa56164b14a0a574d1544_JaffaCakes118.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb2bbdfd56cfa56164b14a0a574d1544_JaffaCakes118.dll,#1
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\system32\control.exe
C:\Windows\system32\control.exe /?
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
5⤵
PID:2812

C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\5394.bi1"
2⤵
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
3⤵
PID:1620

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5394.bi1"
2⤵
PID:2736

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:1980

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5394.bi1
Filesize
122B

MD5
86ae6b510c19228190f4b797503ce192

SHA1
0a6c67bc4f36fcdaa7a553f9ff9ae439f13b32d1

SHA256
be8c30a0e245b6d86db1e7bdf04b8cfa3117846d5b88f6d476066041eaea1c3a

SHA512
bec76ed958ccf192f26b2eb9250f02ce2cf04318cc4f51d30cbbd24b96de172f4f26bbac018938ebd2f7c38f70e70def8d8f6b0e9b473b3a32bbe252449e3dd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Bdesudrv\bthcgIME.dll
Filesize
848KB

MD5
bb2bbdfd56cfa56164b14a0a574d1544

SHA1
b639e690382f6a6e3e9debb304ef09111a6d9a4d

SHA256
32d2ce148c7d07c6b2acac5b1f4c3e668ab15518c5e17fa4be0ed128008837f0

SHA512
11a2e1e40fb66e45eff486c45bc3e0c7ea76ee8920b8374c6b207ec378faa2fe8659fcf6301f3d01d0510da9af56256af4c6b4d0d2b7fd3e97e2c5ef0993ff07

Download Submit
memory/1376-24-0x00000000044D0000-0x0000000004583000-memory.dmp

Filesize
716KB

Download
memory/1376-51-0x00000000044D0000-0x0000000004583000-memory.dmp

Filesize
716KB

Download
memory/1376-27-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/1376-28-0x00000000044D0000-0x0000000004583000-memory.dmp

Filesize
716KB

Download
memory/1980-57-0x0000000001F00000-0x0000000001FA5000-memory.dmp

Filesize
660KB

Download
memory/2188-20-0x00000000022C0000-0x0000000002C9E000-memory.dmp

Filesize
9.9MB

Download
memory/2188-5-0x0000000000210000-0x000000000025A000-memory.dmp

Filesize
296KB

Download
memory/2188-3-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2188-0-0x00000000022C0000-0x0000000002C9E000-memory.dmp

Filesize
9.9MB

Download
memory/2188-2-0x00000000022C0000-0x0000000002C9E000-memory.dmp

Filesize
9.9MB

Download
memory/2188-4-0x00000000022C0000-0x0000000002C9E000-memory.dmp

Filesize
9.9MB

Download
memory/2188-12-0x0000000000210000-0x000000000025A000-memory.dmp

Filesize
296KB

Download
memory/2632-15-0x0000000001B60000-0x0000000001C13000-memory.dmp

Filesize
716KB

Download
memory/2632-36-0x0000000001B60000-0x0000000001C13000-memory.dmp

Filesize
716KB

Download
memory/2632-14-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/2632-22-0x0000000001B60000-0x0000000001C13000-memory.dmp

Filesize
716KB

Download
memory/2632-21-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2812-32-0x0000000001DA0000-0x0000000001E53000-memory.dmp

Filesize
716KB

Download
memory/2812-31-0x000007FFFFFDE000-0x000007FFFFFDF000-memory.dmp

Filesize
4KB

Download