gozi | d81b25ba955e8ab608e792df5b5ddc3a1c3a3dfc66c8801fa82c456326af597a

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09bf965f2e6c6182342110ec95cbacdd_JaffaCakes118.exe
Size

2.5MB
MD5

09bf965f2e6c6182342110ec95cbacdd
SHA1

7dcf765c2a4afc9ed14cc19cdb925f9857748213
SHA256

d81b25ba955e8ab608e792df5b5ddc3a1c3a3dfc66c8801fa82c456326af597a
SHA512

4dec0bcda949aae0409019218690036bec483e340faea4d7c2b8a30218a082c371957ecf193a938acb8ac4e88dec5ebb30c6d61870f218ed979c58837541c018
SSDEEP

49152:7pVxXrwHcI9iOe1SfGYo1IiouCpAPcuv3+FwieK6EUhmQudRlS7hChUPH:7RXrw8I9JeaoaioUTv3+FLeKPUhZud7G

Score

10^/10

gozi banker isfb trojan upx

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Executes dropped EXE 1 IoCs

Processes:

b2e.exe

pid process

2208 b2e.exe
Loads dropped DLL 5 IoCs

Processes:

09bf965f2e6c6182342110ec95cbacdd_JaffaCakes118.exeWerFault.exe

pid process

2484 09bf965f2e6c6182342110ec95cbacdd_JaffaCakes118.exe
2484 09bf965f2e6c6182342110ec95cbacdd_JaffaCakes118.exe
2908 WerFault.exe
2908 WerFault.exe
2908 WerFault.exe
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

behavioral1/memory/2484-0-0x0000000000400000-0x00000000006A2000-memory.dmp upx
behavioral1/memory/2484-12-0x0000000000400000-0x00000000006A2000-memory.dmp upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2908 2208 WerFault.exe b2e.exe

pid	process
2208	b2e.exe

pid	process
2484	09bf965f2e6c6182342110ec95cbacdd_JaffaCakes118.exe
2484	09bf965f2e6c6182342110ec95cbacdd_JaffaCakes118.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe

resource	yara_rule
behavioral1/memory/2484-0-0x0000000000400000-0x00000000006A2000-memory.dmp	upx
behavioral1/memory/2484-12-0x0000000000400000-0x00000000006A2000-memory.dmp	upx

pid	pid_target	process	target process
2908	2208	WerFault.exe	b2e.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

09bf965f2e6c6182342110ec95cbacdd_JaffaCakes118.exeb2e.exe

description	pid	process	target process
PID 2484 wrote to memory of 2208	2484	09bf965f2e6c6182342110ec95cbacdd_JaffaCakes118.exe	b2e.exe
PID 2484 wrote to memory of 2208	2484	09bf965f2e6c6182342110ec95cbacdd_JaffaCakes118.exe	b2e.exe
PID 2484 wrote to memory of 2208	2484	09bf965f2e6c6182342110ec95cbacdd_JaffaCakes118.exe	b2e.exe
PID 2484 wrote to memory of 2208	2484	09bf965f2e6c6182342110ec95cbacdd_JaffaCakes118.exe	b2e.exe
PID 2208 wrote to memory of 2908	2208	b2e.exe	WerFault.exe
PID 2208 wrote to memory of 2908	2208	b2e.exe	WerFault.exe
PID 2208 wrote to memory of 2908	2208	b2e.exe	WerFault.exe
PID 2208 wrote to memory of 2908	2208	b2e.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\09bf965f2e6c6182342110ec95cbacdd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09bf965f2e6c6182342110ec95cbacdd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484

C:\Users\Admin\AppData\Local\Temp\CCD.tmp\b2e.exe
"C:\Users\Admin\AppData\Local\Temp\CCD.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\CCD.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\09bf965f2e6c6182342110ec95cbacdd_JaffaCakes118.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 124
3⤵
- Loads dropped DLL
- Program crash
PID:2908

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\CCD.tmp\b2e.exe
Filesize
2.6MB

MD5
333daf1122d0b642a24caf3e35e6c685

SHA1
ed051b2e422f8487d166da4461ea9a9bf2ff22ca

SHA256
985645c3ccff912547cf542cb4c5efed1c9254f78ebe96ea4bc2587895c686ac

SHA512
98fec4a769e1499d6eb0717e62b7519df1aead8c27f181d3cd5058bdd548df0b99ce65baae33dcd18f95199f2f5233a0dcfe653a3d4bc05c0b56f23df17d68d1

Download Submit
memory/2208-13-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2484-0-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/2484-4-0x0000000000250000-0x0000000000255000-memory.dmp

Filesize
20KB

Download
memory/2484-12-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download