gozi | 2a64d3c1b9a873379dab9ef3c4a4236529940d2a3d8182126cdcfaba6ad72fb3

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe
Size

2.0MB
MD5

19cf0f1a01aa4b001c0baf172952b363
SHA1

2806a09099abe39de1b68a9c66a28bb9ff971e5e
SHA256

2a64d3c1b9a873379dab9ef3c4a4236529940d2a3d8182126cdcfaba6ad72fb3
SHA512

c5646551ecdf5ccb84e9017c8a8aa090ff0ec2fff106c398240f012bd442909b0b6b0986dd54b632102ccf198885bcf354ecdf441e108c04f8b404140e04da49
SSDEEP

49152:/yVkwXM83xZ8ML430uyS/BuoZj/s+4CW3/scFE:/yVxXJx40uXpS3Ux

Score

10^/10

gozi banker isfb trojan upx

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2_del_starter.exeb2e.exe1_starter.exe.exeb2e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	2_del_starter.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	1_starter.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 5 IoCs

Processes:

1_starter.exe.exeb2e.exe2_del_starter.exeb2e.exesystem.dll

pid process

2644 1_starter.exe.exe
4032 b2e.exe
3192 2_del_starter.exe
1888 b2e.exe
3624 system.dll

pid	process
2644	1_starter.exe.exe
4032	b2e.exe
3192	2_del_starter.exe
1888	b2e.exe
3624	system.dll

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1_starter.exe.exe	upx
behavioral2/memory/2644-11-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral2/memory/2644-19-0x0000000000400000-0x000000000040C000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\2_del_starter.exe	upx
behavioral2/memory/3192-29-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3192-43-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\system.dll	19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\system.dll.nb5.tmp	19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe1_starter.exe.exe2_del_starter.exeb2e.exeb2e.execmd.exe

description	pid	process	target process
PID 692 wrote to memory of 2644	692	19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe	1_starter.exe.exe
PID 692 wrote to memory of 2644	692	19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe	1_starter.exe.exe
PID 692 wrote to memory of 2644	692	19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe	1_starter.exe.exe
PID 2644 wrote to memory of 4032	2644	1_starter.exe.exe	b2e.exe
PID 2644 wrote to memory of 4032	2644	1_starter.exe.exe	b2e.exe
PID 2644 wrote to memory of 4032	2644	1_starter.exe.exe	b2e.exe
PID 692 wrote to memory of 3192	692	19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe	2_del_starter.exe
PID 692 wrote to memory of 3192	692	19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe	2_del_starter.exe
PID 692 wrote to memory of 3192	692	19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe	2_del_starter.exe
PID 3192 wrote to memory of 1888	3192	2_del_starter.exe	b2e.exe
PID 3192 wrote to memory of 1888	3192	2_del_starter.exe	b2e.exe
PID 3192 wrote to memory of 1888	3192	2_del_starter.exe	b2e.exe
PID 4032 wrote to memory of 2764	4032	b2e.exe	cmd.exe
PID 4032 wrote to memory of 2764	4032	b2e.exe	cmd.exe
PID 4032 wrote to memory of 2764	4032	b2e.exe	cmd.exe
PID 1888 wrote to memory of 4036	1888	b2e.exe	cmd.exe
PID 1888 wrote to memory of 4036	1888	b2e.exe	cmd.exe
PID 1888 wrote to memory of 4036	1888	b2e.exe	cmd.exe
PID 2764 wrote to memory of 3624	2764	cmd.exe	system.dll
PID 2764 wrote to memory of 3624	2764	cmd.exe	system.dll
PID 2764 wrote to memory of 3624	2764	cmd.exe	system.dll
PID 1888 wrote to memory of 816	1888	b2e.exe	cmd.exe
PID 1888 wrote to memory of 816	1888	b2e.exe	cmd.exe
PID 1888 wrote to memory of 816	1888	b2e.exe	cmd.exe
PID 4032 wrote to memory of 888	4032	b2e.exe	cmd.exe
PID 4032 wrote to memory of 888	4032	b2e.exe	cmd.exe
PID 4032 wrote to memory of 888	4032	b2e.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19cf0f1a01aa4b001c0baf172952b363_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:692

C:\Users\Admin\AppData\Local\Temp\1_starter.exe.exe
"C:\Users\Admin\AppData\Local\Temp\1_starter.exe.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644

C:\Users\Admin\AppData\Local\Temp\3AE6.tmp\b2e.exe
"C:\Users\Admin\AppData\Local\Temp\3AE6.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\3AE6.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\1_starter.exe.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3B82.tmp\batfile.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\SysWOW64\system.dll
system.dll
5⤵
- Executes dropped EXE
PID:3624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdel1.bat" "
4⤵
PID:888

C:\Users\Admin\AppData\Local\Temp\2_del_starter.exe
"C:\Users\Admin\AppData\Local\Temp\2_del_starter.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192

C:\Users\Admin\AppData\Local\Temp\3BA1.tmp\b2e.exe
"C:\Users\Admin\AppData\Local\Temp\3BA1.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\3BA1.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\2_del_starter.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3C0F.tmp\batfile.bat" "
4⤵
PID:4036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
4⤵
PID:816

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1_starter.exe.exe
Filesize
12KB

MD5
ff5527e36cc9742b0fa24f0b874e8a68

SHA1
93a6440a6e8e6216113e66f062faf6a1d44a6a9d

SHA256
f38773807b7e7cf89521a50f7c4b5392726417f3e5decf3febd1db2b822c58e6

SHA512
2e380dc100f3ab9e4de79dfb58470e28bae363236a27aa4448093d2de9770a345b87bd52b8c0d78ddd50823e12a0d70cf17e40cd99c83e0eb7bc7ab0a3c4ab7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_del_starter.exe
Filesize
9KB

MD5
acf52148cbe5cb8a6cc2dbfb8c5dc69d

SHA1
4bab9ca95a0a9f459c14c97daf0cbba5bbef4f05

SHA256
e36e638d934f667775afb4840d7d8d2d4eae676618dd66798d3fdd8d384445e0

SHA512
38a82308f7de9eefdf7159d4657a615a6bf4e19892178a3cfa5b1d8852a35bb8040416ed2264d01233d9b6c9c3f8233abacce28148556c41ffaeec33ff4ad1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3AE6.tmp\b2e.exe
Filesize
8KB

MD5
609902ae6b0998ea39e263b13ed0970a

SHA1
6eecf3271626aca4d87215110345db5204d87469

SHA256
fb4d2e53310a3fd295708878612228e76b9b209f60d9f3c673553af2822dfaf3

SHA512
e55a9075ac34d803ebf7f9484d6ccac51d6f4533eebaaac7bd815e6218582733c073705a8b2954d56a76eb7e1b92e5ba280295e8a3dd6fb0ff8c2251480e72df

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B82.tmp\batfile.bat
Filesize
33B

MD5
68470b6f0315b9501ddeb136853689c8

SHA1
40806b1f9dc337678b76d01b0c1fd4632a4722e6

SHA256
753245de7f7b6dae54de914cabe09219e82a0cc51eecd0c0e9a3435c8af9f2e4

SHA512
fef6048418c8b0e0d6a06c3989156a928723225bcaa0a76dc7dc3ac09b235a7fa40460ca8bf00d3d6c1e678564c89844d697d5913562b777a8ebd5b6496a1ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3BA1.tmp\b2e.exe
Filesize
8KB

MD5
56a2c93542fa5c8bb97315107143b6e7

SHA1
eca1b5af01af0e779a803b39e96dc0d7b9da2df8

SHA256
d403889d41414fad5d9a1ad5fdbb74a2ed56ddb47c4a6893583e8c56dabf0856

SHA512
4fc50f4a1d924b48853637ccfea9d76365c3ca5b161d7d43e677cc85d0984eda519deee1ac075fe9413f9e91c1cf0c9184d1d345ea26f5678b08f8110fd393fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C0F.tmp\batfile.bat
Filesize
57B

MD5
93bb4edd36278d185072acc9353cf4b5

SHA1
f5aa831e6f9b68d22dff463feb72949c68b68eba

SHA256
8a1412d92d0e46fe79946381d8781ee226c2ac7432c1819f96f93818c36fc194

SHA512
d288e696fcfd0c79e0830edf1289745213bc5b5de73d86f4a6debb3e8254fcd77cd7c650564e1e8da0ca37ccd90f119e3d88e911b0d96dba9fe6ce5c171ec183

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdel0.bat
Filesize
158B

MD5
5523532ac6bb391652a875b42f594f76

SHA1
d1b41bef9bf8bccbd05749c939f3458d5f11332f

SHA256
a191c4b56d65b2ddeb183411f490f9cf4eddf9db93184a8a4eb68035a200bd3e

SHA512
115ea124f91511fadaa7c90aef21d6c5319e8841d04ce980a97ee98f90df20b72753c4d8bd380eeafe370d4e66b579522a95bb78007451f67a2dd2a67de58a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdel1.bat
Filesize
158B

MD5
0944a86a7ae861f714cb84de64ebfd0b

SHA1
f47e4ae663887cf397d593f89f056d1bb0facb1a

SHA256
e55636d32b8bfd6d53378a4896472e9496a563d1673b3b0785d5c393e540ecf9

SHA512
38d03ae11735b6936fe4079a23a43ef7c9480e1d3cd524c977cfbe76e3632c168623c89762e83bd93bf3ebf96ac77faf51190b0b5b3386a43befcb94c061e6c5

Download Submit
C:\Windows\SysWOW64\system.dll
Filesize
4.1MB

MD5
4949f2a896b4d753bb5a3b7dbc58fa24

SHA1
151e97f0af2c1d599fe43535b8d5810b78b60818

SHA256
811b6fd4b7243490efb836d0f28e95af01d14433ec5bfbe05c5346b181058a31

SHA512
08a5da833c6a20862751e57dda58b253780f10a181ac3b6d7db4064eae094a7980e392122dc5f276396c7f87cf6c78a7897eaf74e8f04ab8b1220126d1bda09d

Download Submit
memory/1888-40-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1888-54-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2644-19-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2644-11-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3192-43-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3192-29-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4032-22-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4032-58-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download