gozi | 13bafa194263261f954f57d6a9d29f89f515faf8c30467e0a7287cec25ed665e

Analysis

max time kernel
130s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15c322e957e74d68ba7fb5a06fa8c2da_JaffaCakes118.exe
Size

8KB
MD5

15c322e957e74d68ba7fb5a06fa8c2da
SHA1

67ea1c9321ec07c01332c35a982c76380a94b69c
SHA256

13bafa194263261f954f57d6a9d29f89f515faf8c30467e0a7287cec25ed665e
SHA512

9a9cbe001d04d7c242107eecd8747281afc5b6319fbc14c8294c537257ce77d27db1ac5b080106675ba3e1cdb338dde2af27e743cfe18068cd8f048875c774f7
SSDEEP

192:+sJZQFOq5VcchzIUbBFaNJhLkwcud2DH9VwGfctl3O:ZXWOq5+chEK3aNJawcudoD7US

Score

10^/10

gozi banker isfb trojan upx

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

15c322e957e74d68ba7fb5a06fa8c2da_JaffaCakes118.exeb2e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	15c322e957e74d68ba7fb5a06fa8c2da_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 1 IoCs

Processes:

b2e.exe

pid process

396 b2e.exe
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

behavioral2/memory/4380-0-0x0000000000400000-0x000000000040A000-memory.dmp upx
behavioral2/memory/4380-11-0x0000000000400000-0x000000000040A000-memory.dmp upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
396	b2e.exe

resource	yara_rule
behavioral2/memory/4380-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/4380-11-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

15c322e957e74d68ba7fb5a06fa8c2da_JaffaCakes118.exeb2e.exe

description	pid	process	target process
PID 4380 wrote to memory of 396	4380	15c322e957e74d68ba7fb5a06fa8c2da_JaffaCakes118.exe	b2e.exe
PID 4380 wrote to memory of 396	4380	15c322e957e74d68ba7fb5a06fa8c2da_JaffaCakes118.exe	b2e.exe
PID 4380 wrote to memory of 396	4380	15c322e957e74d68ba7fb5a06fa8c2da_JaffaCakes118.exe	b2e.exe
PID 396 wrote to memory of 3796	396	b2e.exe	cmd.exe
PID 396 wrote to memory of 3796	396	b2e.exe	cmd.exe
PID 396 wrote to memory of 3796	396	b2e.exe	cmd.exe
PID 396 wrote to memory of 2880	396	b2e.exe	cmd.exe
PID 396 wrote to memory of 2880	396	b2e.exe	cmd.exe
PID 396 wrote to memory of 2880	396	b2e.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\15c322e957e74d68ba7fb5a06fa8c2da_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\15c322e957e74d68ba7fb5a06fa8c2da_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4380

C:\Users\Admin\AppData\Local\Temp\276E.tmp\b2e.exe
"C:\Users\Admin\AppData\Local\Temp\276E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\276E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\15c322e957e74d68ba7fb5a06fa8c2da_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\27FA.tmp\batfile.bat" "
3⤵
PID:3796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
3⤵
PID:2880

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\276E.tmp\b2e.exe
Filesize
8KB

MD5
07c281da32f3b5d09ede7735a50543c4

SHA1
2c419eba3e2d8a73b8e40ef56d61a08700f2b03b

SHA256
edd19019911dab46f1a6925a6246f41ca67a66c48c143e9d53fef797719712fe

SHA512
179ecc29cde5f4d7ca363c65981697a7698da27e3b31690f92f2e3bf4d35a493bbc0cde195d9d67517a6fd8dfb7c462397bb81d54823284bf0ee9ac5c85fdd15

Download Submit
C:\Users\Admin\AppData\Local\Temp\27FA.tmp\batfile.bat
Filesize
94B

MD5
0fc8c95d090d58b2cb9c2ad0e26132e4

SHA1
14199fdc66d24d4cb8c07d8df4b341c5ba0130e3

SHA256
6c08a607c6ff07db1cbe4f72123e6250a35f0a45f29f586ef558551b4708b2e6

SHA512
7b2c88a83dd8b2b13fdf1645fc5f791798414e4c2d457cbe61b0ce63c23143c0c698ef3a7e44d82e8eca282995e0f9c493913e0b4c91220b16ac062847238942

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdel0.bat
Filesize
158B

MD5
e861162804e52aceaec102e50cb70013

SHA1
3f1484573809c83682bae12072c05d5fb73d9059

SHA256
6d54fcac43d9426703ead9495fc461d32a21d6898be4c04866fb362c03ae7581

SHA512
a841a309eb48e9dd3987e744bc1c35de33e9665a14ed180b0b8cbbfe6a2f261b95aaa1336ccde83dfe5882bc5b77d4f929be0016f594cd5b3b4439465caef189

Download Submit
memory/396-12-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/396-19-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4380-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4380-11-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download