gozi | 70f0516575cb8fc5f70f0fc4d463db9db35a114518043410f1d03d5fdba46a0d

Analysis

max time kernel
141s
max time network
125s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
23-06-2024 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.exe
Size

520KB
MD5

04d1aed5d8791c7e4f7038ae63c1792c
SHA1

4d9f359fa2ba9e47e825d32c7792c1b34be9d4b0
SHA256

70f0516575cb8fc5f70f0fc4d463db9db35a114518043410f1d03d5fdba46a0d
SHA512

1c180223a102e7deb530b1fb56cbfd39dae57453c328df8382728ccf6b7bfc4506b5176d190d23c93838b57a5988f663b17d72213c8b3215963353fbfcf56dee
SSDEEP

12288:bJ3Y9cNKkdhHSeFAEsbfu+Hvf9mn1WpNtTirdG:bdYKNKkGzbG+InkNTEdG

Score

10^/10

gozi banker bootkit isfb persistence trojan

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.exe

description ioc process

File opened for modification \??\PhysicalDrive0 04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.exe

description pid process target process

PID 2104 set thread context of 1588 2104 04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.exe 04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.exe

pid process

2104 04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.exe

description	pid	process	target process
PID 2104 set thread context of 1588	2104	04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.exe	04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.EXE

pid	process
2104	04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.exe

description	pid	process	target process
PID 2104 wrote to memory of 1588	2104	04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.exe	04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.EXE
PID 2104 wrote to memory of 1588	2104	04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.exe	04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.EXE
PID 2104 wrote to memory of 1588	2104	04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.exe	04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.EXE
PID 2104 wrote to memory of 1588	2104	04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.exe	04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.EXE
PID 2104 wrote to memory of 1588	2104	04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.exe	04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.EXE
PID 2104 wrote to memory of 1588	2104	04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.exe	04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.EXE
PID 2104 wrote to memory of 1588	2104	04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.exe	04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.EXE
PID 2104 wrote to memory of 1588	2104	04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.exe	04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.EXE
PID 2104 wrote to memory of 1588	2104	04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.exe	04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.EXE
PID 2104 wrote to memory of 1588	2104	04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.exe	04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.EXE
PID 2104 wrote to memory of 1588	2104	04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.exe	04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.EXE

C:\Users\Admin\AppData\Local\Temp\04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2104

C:\Users\Admin\AppData\Local\Temp\04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.EXE
"C:\Users\Admin\AppData\Local\Temp\04d1aed5d8791c7e4f7038ae63c1792c_JaffaCakes118.EXE"
2⤵
PID:1588

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1588-107-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1588-110-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1588-115-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1588-112-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1588-109-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1588-119-0x0000000000220000-0x000000000026A000-memory.dmp

Filesize
296KB

Download
memory/1588-126-0x0000000000220000-0x000000000026A000-memory.dmp

Filesize
296KB

Download
memory/1588-97-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1588-101-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1588-99-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1588-103-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1588-105-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2104-51-0x0000000003790000-0x0000000003791000-memory.dmp

Filesize
4KB

Download
memory/2104-26-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/2104-2-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2104-21-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/2104-20-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/2104-19-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/2104-18-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/2104-17-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/2104-16-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/2104-15-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/2104-14-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2104-13-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2104-12-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2104-24-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/2104-25-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2104-23-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/2104-22-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/2104-62-0x0000000003920000-0x0000000003921000-memory.dmp

Filesize
4KB

Download
memory/2104-27-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/2104-28-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2104-29-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/2104-30-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/2104-31-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/2104-32-0x0000000003380000-0x0000000003381000-memory.dmp

Filesize
4KB

Download
memory/2104-33-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/2104-34-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/2104-35-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/2104-63-0x0000000003910000-0x0000000003911000-memory.dmp

Filesize
4KB

Download
memory/2104-37-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/2104-38-0x00000000033E0000-0x00000000033E1000-memory.dmp

Filesize
4KB

Download
memory/2104-39-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/2104-61-0x0000000003830000-0x0000000003831000-memory.dmp

Filesize
4KB

Download
memory/2104-41-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/2104-42-0x0000000003420000-0x0000000003421000-memory.dmp

Filesize
4KB

Download
memory/2104-43-0x0000000003410000-0x0000000003411000-memory.dmp

Filesize
4KB

Download
memory/2104-44-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/2104-45-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/2104-46-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/2104-47-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/2104-48-0x0000000003780000-0x0000000003781000-memory.dmp

Filesize
4KB

Download
memory/2104-49-0x0000000003770000-0x0000000003771000-memory.dmp

Filesize
4KB

Download
memory/2104-50-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/2104-4-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2104-52-0x00000000037C0000-0x00000000037C1000-memory.dmp

Filesize
4KB

Download
memory/2104-53-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/2104-54-0x00000000037E0000-0x00000000037E1000-memory.dmp

Filesize
4KB

Download
memory/2104-36-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2104-3-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2104-40-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/2104-60-0x0000000003840000-0x0000000003841000-memory.dmp

Filesize
4KB

Download
memory/2104-59-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2104-58-0x0000000003820000-0x0000000003821000-memory.dmp

Filesize
4KB

Download
memory/2104-57-0x00000000037F0000-0x00000000037F1000-memory.dmp

Filesize
4KB

Download
memory/2104-56-0x0000000003800000-0x0000000003801000-memory.dmp

Filesize
4KB

Download
memory/2104-55-0x00000000037D0000-0x00000000037D1000-memory.dmp

Filesize
4KB

Download
memory/2104-79-0x0000000003850000-0x0000000003851000-memory.dmp

Filesize
4KB

Download
memory/2104-78-0x0000000003860000-0x0000000003861000-memory.dmp

Filesize
4KB

Download
memory/2104-77-0x0000000004030000-0x0000000004031000-memory.dmp

Filesize
4KB

Download
memory/2104-76-0x0000000004040000-0x0000000004041000-memory.dmp

Filesize
4KB

Download
memory/2104-75-0x0000000003EF0000-0x0000000003EF1000-memory.dmp

Filesize
4KB

Download
memory/2104-74-0x0000000003F00000-0x0000000003F01000-memory.dmp

Filesize
4KB

Download
memory/2104-73-0x0000000003DB0000-0x0000000003DB1000-memory.dmp

Filesize
4KB

Download
memory/2104-72-0x0000000003DC0000-0x0000000003DC1000-memory.dmp

Filesize
4KB

Download
memory/2104-71-0x0000000003D90000-0x0000000003D91000-memory.dmp

Filesize
4KB

Download
memory/2104-70-0x0000000003DA0000-0x0000000003DA1000-memory.dmp

Filesize
4KB

Download
memory/2104-69-0x0000000003D70000-0x0000000003D71000-memory.dmp

Filesize
4KB

Download
memory/2104-68-0x0000000003D80000-0x0000000003D81000-memory.dmp

Filesize
4KB

Download
memory/2104-67-0x0000000003D50000-0x0000000003D51000-memory.dmp

Filesize
4KB

Download
memory/2104-66-0x0000000003D60000-0x0000000003D61000-memory.dmp

Filesize
4KB

Download
memory/2104-65-0x0000000003D30000-0x0000000003D31000-memory.dmp

Filesize
4KB

Download
memory/2104-64-0x0000000003D40000-0x0000000003D41000-memory.dmp

Filesize
4KB

Download
memory/2104-80-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/2104-82-0x0000000003870000-0x0000000003871000-memory.dmp

Filesize
4KB

Download
memory/2104-81-0x0000000003880000-0x0000000003881000-memory.dmp

Filesize
4KB

Download
memory/2104-83-0x0000000000320000-0x0000000000363000-memory.dmp

Filesize
268KB

Download
memory/2104-84-0x00000000038A0000-0x00000000038A1000-memory.dmp

Filesize
4KB

Download
memory/2104-85-0x0000000003890000-0x0000000003891000-memory.dmp

Filesize
4KB

Download
memory/2104-86-0x00000000038C0000-0x00000000038C1000-memory.dmp

Filesize
4KB

Download
memory/2104-87-0x00000000038B0000-0x00000000038B1000-memory.dmp

Filesize
4KB

Download
memory/2104-88-0x00000000038E0000-0x00000000038E1000-memory.dmp

Filesize
4KB

Download
memory/2104-89-0x00000000038D0000-0x00000000038D1000-memory.dmp

Filesize
4KB

Download
memory/2104-90-0x0000000003900000-0x0000000003901000-memory.dmp

Filesize
4KB

Download
memory/2104-91-0x00000000038F0000-0x00000000038F1000-memory.dmp

Filesize
4KB

Download
memory/2104-92-0x0000000003DE0000-0x0000000003DE1000-memory.dmp

Filesize
4KB

Download
memory/2104-93-0x0000000003DD0000-0x0000000003DD1000-memory.dmp

Filesize
4KB

Download
memory/2104-94-0x0000000003DF0000-0x0000000003DF1000-memory.dmp

Filesize
4KB

Download
memory/2104-95-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/2104-5-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2104-6-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/2104-7-0x0000000000590000-0x0000000000592000-memory.dmp

Filesize
8KB

Download
memory/2104-8-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/2104-9-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/2104-1-0x0000000000320000-0x0000000000363000-memory.dmp

Filesize
268KB

Download
memory/2104-0-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/2104-114-0x0000000000320000-0x0000000000363000-memory.dmp

Filesize
268KB

Download
memory/2104-113-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download