gozi | 2a64d3c1b9a873379dab9ef3c4a4236529940d2a3d8182126cdcfaba6ad72fb3

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe
Size

2.0MB
MD5

19cf0f1a01aa4b001c0baf172952b363
SHA1

2806a09099abe39de1b68a9c66a28bb9ff971e5e
SHA256

2a64d3c1b9a873379dab9ef3c4a4236529940d2a3d8182126cdcfaba6ad72fb3
SHA512

c5646551ecdf5ccb84e9017c8a8aa090ff0ec2fff106c398240f012bd442909b0b6b0986dd54b632102ccf198885bcf354ecdf441e108c04f8b404140e04da49
SSDEEP

49152:/yVkwXM83xZ8ML430uyS/BuoZj/s+4CW3/scFE:/yVxXJx40uXpS3Ux

Score

10^/10

gozi banker isfb trojan upx

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Executes dropped EXE 5 IoCs

Processes:

1_starter.exe.exeb2e.exe2_del_starter.exeb2e.exesystem.dll

pid process

2584 1_starter.exe.exe
2700 b2e.exe
2748 2_del_starter.exe
2724 b2e.exe
344 system.dll

pid	process
2584	1_starter.exe.exe
2700	b2e.exe
2748	2_del_starter.exe
2724	b2e.exe
344	system.dll

Loads dropped DLL 9 IoCs

Processes:

19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe1_starter.exe.exe2_del_starter.execmd.exe

pid	process
2400	19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe
2400	19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe
2584	1_starter.exe.exe
2584	1_starter.exe.exe
2400	19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe
2400	19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe
2748	2_del_starter.exe
2748	2_del_starter.exe
2948	cmd.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\1_starter.exe.exe	upx
behavioral1/memory/2584-17-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2584-27-0x0000000000400000-0x000000000040C000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\2_del_starter.exe	upx
behavioral1/memory/2748-46-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2400-45-0x0000000000270000-0x000000000027B000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\system.dll.nb5.tmp	19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\system.dll	19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe1_starter.exe.exe2_del_starter.exeb2e.execmd.exeb2e.exe

description	pid	process	target process
PID 2400 wrote to memory of 2584	2400	19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe	1_starter.exe.exe
PID 2400 wrote to memory of 2584	2400	19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe	1_starter.exe.exe
PID 2400 wrote to memory of 2584	2400	19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe	1_starter.exe.exe
PID 2400 wrote to memory of 2584	2400	19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe	1_starter.exe.exe
PID 2584 wrote to memory of 2700	2584	1_starter.exe.exe	b2e.exe
PID 2584 wrote to memory of 2700	2584	1_starter.exe.exe	b2e.exe
PID 2584 wrote to memory of 2700	2584	1_starter.exe.exe	b2e.exe
PID 2584 wrote to memory of 2700	2584	1_starter.exe.exe	b2e.exe
PID 2400 wrote to memory of 2748	2400	19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe	2_del_starter.exe
PID 2400 wrote to memory of 2748	2400	19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe	2_del_starter.exe
PID 2400 wrote to memory of 2748	2400	19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe	2_del_starter.exe
PID 2400 wrote to memory of 2748	2400	19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe	2_del_starter.exe
PID 2748 wrote to memory of 2724	2748	2_del_starter.exe	b2e.exe
PID 2748 wrote to memory of 2724	2748	2_del_starter.exe	b2e.exe
PID 2748 wrote to memory of 2724	2748	2_del_starter.exe	b2e.exe
PID 2748 wrote to memory of 2724	2748	2_del_starter.exe	b2e.exe
PID 2700 wrote to memory of 2948	2700	b2e.exe	cmd.exe
PID 2700 wrote to memory of 2948	2700	b2e.exe	cmd.exe
PID 2700 wrote to memory of 2948	2700	b2e.exe	cmd.exe
PID 2700 wrote to memory of 2948	2700	b2e.exe	cmd.exe
PID 2948 wrote to memory of 344	2948	cmd.exe	system.dll
PID 2948 wrote to memory of 344	2948	cmd.exe	system.dll
PID 2948 wrote to memory of 344	2948	cmd.exe	system.dll
PID 2948 wrote to memory of 344	2948	cmd.exe	system.dll
PID 2724 wrote to memory of 2784	2724	b2e.exe	cmd.exe
PID 2724 wrote to memory of 2784	2724	b2e.exe	cmd.exe
PID 2724 wrote to memory of 2784	2724	b2e.exe	cmd.exe
PID 2724 wrote to memory of 2784	2724	b2e.exe	cmd.exe
PID 2700 wrote to memory of 2452	2700	b2e.exe	cmd.exe
PID 2700 wrote to memory of 2452	2700	b2e.exe	cmd.exe
PID 2700 wrote to memory of 2452	2700	b2e.exe	cmd.exe
PID 2700 wrote to memory of 2452	2700	b2e.exe	cmd.exe
PID 2724 wrote to memory of 1872	2724	b2e.exe	cmd.exe
PID 2724 wrote to memory of 1872	2724	b2e.exe	cmd.exe
PID 2724 wrote to memory of 1872	2724	b2e.exe	cmd.exe
PID 2724 wrote to memory of 1872	2724	b2e.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2400

C:\Users\Admin\AppData\Local\Temp\1_starter.exe.exe
"C:\Users\Admin\AppData\Local\Temp\1_starter.exe.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584

C:\Users\Admin\AppData\Local\Temp\29A0.tmp\b2e.exe
"C:\Users\Admin\AppData\Local\Temp\29A0.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\29A0.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\1_starter.exe.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\2A0D.tmp\batfile.bat" "
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\SysWOW64\system.dll
system.dll
5⤵
- Executes dropped EXE
PID:344

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
4⤵
PID:2452

C:\Users\Admin\AppData\Local\Temp\2_del_starter.exe
"C:\Users\Admin\AppData\Local\Temp\2_del_starter.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748

C:\Users\Admin\AppData\Local\Temp\2A0E.tmp\b2e.exe
"C:\Users\Admin\AppData\Local\Temp\2A0E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\2A0E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\2_del_starter.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\2A3C.tmp\batfile.bat" "
4⤵
PID:2784

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
4⤵
PID:1872

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\29A0.tmp\b2e.exe
Filesize
8KB

MD5
609902ae6b0998ea39e263b13ed0970a

SHA1
6eecf3271626aca4d87215110345db5204d87469

SHA256
fb4d2e53310a3fd295708878612228e76b9b209f60d9f3c673553af2822dfaf3

SHA512
e55a9075ac34d803ebf7f9484d6ccac51d6f4533eebaaac7bd815e6218582733c073705a8b2954d56a76eb7e1b92e5ba280295e8a3dd6fb0ff8c2251480e72df

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A0D.tmp\batfile.bat
Filesize
33B

MD5
68470b6f0315b9501ddeb136853689c8

SHA1
40806b1f9dc337678b76d01b0c1fd4632a4722e6

SHA256
753245de7f7b6dae54de914cabe09219e82a0cc51eecd0c0e9a3435c8af9f2e4

SHA512
fef6048418c8b0e0d6a06c3989156a928723225bcaa0a76dc7dc3ac09b235a7fa40460ca8bf00d3d6c1e678564c89844d697d5913562b777a8ebd5b6496a1ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A3C.tmp\batfile.bat
Filesize
57B

MD5
93bb4edd36278d185072acc9353cf4b5

SHA1
f5aa831e6f9b68d22dff463feb72949c68b68eba

SHA256
8a1412d92d0e46fe79946381d8781ee226c2ac7432c1819f96f93818c36fc194

SHA512
d288e696fcfd0c79e0830edf1289745213bc5b5de73d86f4a6debb3e8254fcd77cd7c650564e1e8da0ca37ccd90f119e3d88e911b0d96dba9fe6ce5c171ec183

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdel0.bat
Filesize
158B

MD5
860ea0fe9716be0208034b20377d71e9

SHA1
c08bf27e28681ceebc2a3c527d1ff236f21fa52a

SHA256
8d88312766cf50e05bac9959af5a1cd37f1f4d810b139a3937d0602fd1f9e22d

SHA512
b5856d2a3bc0ee16046ad206652cede330c5c0ca1cb9cf1150329328591a700255dc562ba3bfafdd00e026b33933f633f6a5788132d62e8d9cc0da59dda710a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdel0.bat
Filesize
158B

MD5
c006c743cc2769f0d6b10293bc9b10bf

SHA1
919525477e66494eac0eabf9b1c26140e93af5b8

SHA256
9030f85ae3b4d998b6d6e31cd8130bf66c1afd99ef2f7c050bb76d66673d9378

SHA512
62e5f7592754e341d79bca26c9cbdfab19976692d44b5e8d6909da075c3a2faf776fa766f4306845a8827466ca2716fe86a91975875044910a3f46bc6b7984cd

Download Submit
C:\Windows\SysWOW64\system.dll
Filesize
4.1MB

MD5
4949f2a896b4d753bb5a3b7dbc58fa24

SHA1
151e97f0af2c1d599fe43535b8d5810b78b60818

SHA256
811b6fd4b7243490efb836d0f28e95af01d14433ec5bfbe05c5346b181058a31

SHA512
08a5da833c6a20862751e57dda58b253780f10a181ac3b6d7db4064eae094a7980e392122dc5f276396c7f87cf6c78a7897eaf74e8f04ab8b1220126d1bda09d

Download Submit
\Users\Admin\AppData\Local\Temp\1_starter.exe.exe
Filesize
12KB

MD5
ff5527e36cc9742b0fa24f0b874e8a68

SHA1
93a6440a6e8e6216113e66f062faf6a1d44a6a9d

SHA256
f38773807b7e7cf89521a50f7c4b5392726417f3e5decf3febd1db2b822c58e6

SHA512
2e380dc100f3ab9e4de79dfb58470e28bae363236a27aa4448093d2de9770a345b87bd52b8c0d78ddd50823e12a0d70cf17e40cd99c83e0eb7bc7ab0a3c4ab7d

Download Submit
\Users\Admin\AppData\Local\Temp\2A0E.tmp\b2e.exe
Filesize
8KB

MD5
56a2c93542fa5c8bb97315107143b6e7

SHA1
eca1b5af01af0e779a803b39e96dc0d7b9da2df8

SHA256
d403889d41414fad5d9a1ad5fdbb74a2ed56ddb47c4a6893583e8c56dabf0856

SHA512
4fc50f4a1d924b48853637ccfea9d76365c3ca5b161d7d43e677cc85d0984eda519deee1ac075fe9413f9e91c1cf0c9184d1d345ea26f5678b08f8110fd393fe

Download Submit
\Users\Admin\AppData\Local\Temp\2_del_starter.exe
Filesize
9KB

MD5
acf52148cbe5cb8a6cc2dbfb8c5dc69d

SHA1
4bab9ca95a0a9f459c14c97daf0cbba5bbef4f05

SHA256
e36e638d934f667775afb4840d7d8d2d4eae676618dd66798d3fdd8d384445e0

SHA512
38a82308f7de9eefdf7159d4657a615a6bf4e19892178a3cfa5b1d8852a35bb8040416ed2264d01233d9b6c9c3f8233abacce28148556c41ffaeec33ff4ad1cc

Download Submit
memory/2400-43-0x0000000000270000-0x000000000027B000-memory.dmp

Filesize
44KB

Download
memory/2400-45-0x0000000000270000-0x000000000027B000-memory.dmp

Filesize
44KB

Download
memory/2400-15-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2400-16-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2584-27-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2584-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2700-42-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2700-99-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2724-67-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2724-110-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2748-46-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads