gozi | 34ad177800e89a94d27b7ea4f39cd805c2910fa6afcb835501567b59415af0ed

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2024 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd3f26523c5cad6fe9632bfd4f6449bc_JaffaCakes118.dll
Size

541KB
MD5

bd3f26523c5cad6fe9632bfd4f6449bc
SHA1

492f9c4bb1bba2f94b889e9de68e9a6b0289de41
SHA256

34ad177800e89a94d27b7ea4f39cd805c2910fa6afcb835501567b59415af0ed
SHA512

116b5bbf456ac0863cd787fe45b4bf9729d94aaffe2a4f05b150a85f66c04cfa2faf179ba0a8f5abd5358470831c05ded6663402adf9d5085c9631fd898f4587
SSDEEP

12288:VF75Cm31VCpGJfLnba3vpFs10bjZca/HhJL+7Jt:VF75R3He1fZca7L+7

Score

10^/10

gozi 7220 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

7220

pop53334.yahoo.com

web.kundertviolas.com

Attributes

build
250154
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AEECA2FA-2E0C-11EF-92F1-4A7C5F4B2F01} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9AD39107-2E0C-11EF-92F1-4A7C5F4B2F01} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 400fd45619c2da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e387b9b7780e241bd4d2d5013251a2f00000000020000000000106600000001000020000000ef676f082bc7a6a4d6635b58c9b25c68a2759117196848c93a5a8b237edf4445000000000e80000000020000200000000c2b97a1c59187c62eba3cb4285cc941c58c8e4d65970981a46ffd98f60bc90e2000000027db1d4ab7e845b5d1c5d509dd2baf48f60c52c21fe5e3ff783e5fb071b8e8474000000060d32f76b0dffc19ce0de47315cf67ef5293f1da0013b00d273976e463b08b1158015b1afe53481a1717bbaca426b6babc913884e1223bd470c62beac461539b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e387b9b7780e241bd4d2d5013251a2f000000000200000000001066000000010000200000001673d6906dec1c738a99eac7b97605986d5337e9e20d5c6bc59ae6fdf3d0a037000000000e80000000020000200000002b2ea64c4483d73fbaa69ad88f488040945b3d445cb3186b808175900f4097c820000000df469f714960609a023b990dbac7a6aa175b42f0650022065be73f997717817c4000000041f7ea5d4c4bed79b29c2cb0ec115e06069fa6617d5a30e230b345a85187ccd27a41663f1b36e0f0331da9cb2eb6ba1b66b3842fe6d02641d82b8ccdb653537f	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e387b9b7780e241bd4d2d5013251a2f000000000200000000001066000000010000200000000587fb6137fd56976d1f4adc430b7ca4c46b313945a3cb2d4d5498facd0c5225000000000e80000000020000200000001e4e61662127a8ba7cc7dd14c3a59e7dfd3bdce2e985544f4a6948f009093abd200000003cda264741cdabea51dc89fdbbbb3642e164a88bd8c5e7f89c62d7fc01023b7240000000e5d5ab5c137328b3ebf6ce8df40090221348fb56de3baa69b8e19f29b48214e16ad3f5f9f799f96ab79f02edfecf97c7607b303de5e3590dac9007dc032fce93	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90c0006519c2da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7AA633A3-2E0C-11EF-92F1-4A7C5F4B2F01} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 303bdb5619c2da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exe

pid process

3360 iexplore.exe
4268 iexplore.exe
2916 iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
3360	iexplore.exe
3360	iexplore.exe
3636	IEXPLORE.EXE
3636	IEXPLORE.EXE
4268	iexplore.exe
4268	iexplore.exe
860	IEXPLORE.EXE
860	IEXPLORE.EXE
2916	iexplore.exe
2916	iexplore.exe
3260	IEXPLORE.EXE
3260	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

rundll32.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 4352 wrote to memory of 4000	4352	rundll32.exe	rundll32.exe
PID 4352 wrote to memory of 4000	4352	rundll32.exe	rundll32.exe
PID 4352 wrote to memory of 4000	4352	rundll32.exe	rundll32.exe
PID 3360 wrote to memory of 3636	3360	iexplore.exe	IEXPLORE.EXE
PID 3360 wrote to memory of 3636	3360	iexplore.exe	IEXPLORE.EXE
PID 3360 wrote to memory of 3636	3360	iexplore.exe	IEXPLORE.EXE
PID 4268 wrote to memory of 860	4268	iexplore.exe	IEXPLORE.EXE
PID 4268 wrote to memory of 860	4268	iexplore.exe	IEXPLORE.EXE
PID 4268 wrote to memory of 860	4268	iexplore.exe	IEXPLORE.EXE
PID 2916 wrote to memory of 3260	2916	iexplore.exe	IEXPLORE.EXE
PID 2916 wrote to memory of 3260	2916	iexplore.exe	IEXPLORE.EXE
PID 2916 wrote to memory of 3260	2916	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bd3f26523c5cad6fe9632bfd4f6449bc_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bd3f26523c5cad6fe9632bfd4f6449bc_JaffaCakes118.dll,#1
2⤵
PID:4000

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:640

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3360

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3360 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3636

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4268

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4268 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:860

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2916

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2916 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3260

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4000-0-0x0000000075020000-0x00000000750FE000-memory.dmp

Filesize
888KB

Download
memory/4000-1-0x0000000000670000-0x0000000000680000-memory.dmp

Filesize
64KB

Download
memory/4000-4-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmp

Filesize
2.0MB

Download
memory/4000-8-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmp

Filesize
2.0MB

Download