gozi | 1225de9af9f6b29985e9304fa1056b8c7da036215a5e054c0ff6d7129c91a59f

Analysis

max time kernel
129s
max time network
133s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
02-07-2024 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f26e5f9b44c28b37b6cd13283838366_JaffaCakes118.exe
Size

416KB
MD5

1f26e5f9b44c28b37b6cd13283838366
SHA1

272b94c4d1d30dc9478675dd3df4a38029c1113e
SHA256

1225de9af9f6b29985e9304fa1056b8c7da036215a5e054c0ff6d7129c91a59f
SHA512

3d3d10eb33006de70ffa36a5999b9d6ac2eafdff0a27c313542b34cffdbb8b736b5573ce21bd9778ddd0a825c7a807c64e15bd9d284fa80b316464505267936c
SSDEEP

6144:N4IB2aqIOEzOFtXs0ncp2sRAztOf7Yp4jOa9UpU:TBQIsFtXlc4w

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll"	reg.exe

Executes dropped EXE 2 IoCs

Processes:

temp.exenet.exe

pid process

2548 temp.exe
2904 net.exe
Loads dropped DLL 2 IoCs

Processes:

1f26e5f9b44c28b37b6cd13283838366_JaffaCakes118.exesvchost.exe

pid process

1704 1f26e5f9b44c28b37b6cd13283838366_JaffaCakes118.exe
3012 svchost.exe

pid	process
2548	temp.exe
2904	net.exe

pid	process
1704	1f26e5f9b44c28b37b6cd13283838366_JaffaCakes118.exe
3012	svchost.exe

Drops file in System32 directory 12 IoCs

Processes:

sysprep.exenet.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\sysprep\Panther\diagwrn.xml	sysprep.exe
File created	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll	net.exe
File created	C:\Windows\SysWOW64\system_t.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\system_t.dll	svchost.exe
File created	C:\Windows\SysWOW64\enumfs.ini	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dnlist.ini	svchost.exe
File opened for modification	C:\Windows\system32\sysprep\Panther\setuperr.log	sysprep.exe
File opened for modification	C:\Windows\system32\sysprep\Panther\diagerr.xml	sysprep.exe
File opened for modification	C:\Windows\system32\sysprep\Panther\setupact.log	sysprep.exe
File created	C:\Windows\SysWOW64\net.bat	net.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\nettraveler[1].htm	svchost.exe

Drops file in Windows directory 3 IoCs

Processes:

net.exesvchost.exe

description	ioc	process
File created	C:\Windows\system\config_t.dat	net.exe
File opened for modification	C:\Windows\system\config_t.dat	net.exe
File opened for modification	C:\Windows\system\config_t.dat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

1660 ipconfig.exe

pid	process
1660	ipconfig.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F6BF5F85-1140-4F75-9343-6FEE53099C02}\WpadNetworkName = "Network 3"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-e3-83-0f-ea-0b\WpadDecisionTime = 30487db772ccda01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F6BF5F85-1140-4F75-9343-6FEE53099C02}\WpadDecisionReason = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F6BF5F85-1140-4F75-9343-6FEE53099C02}\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F6BF5F85-1140-4F75-9343-6FEE53099C02}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-e3-83-0f-ea-0b\WpadDecisionReason = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-e3-83-0f-ea-0b\WpadDecision = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c4000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F6BF5F85-1140-4F75-9343-6FEE53099C02}\WpadDecisionTime = 30487db772ccda01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-e3-83-0f-ea-0b	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F6BF5F85-1140-4F75-9343-6FEE53099C02}\86-e3-83-0f-ea-0b	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

temp.exesvchost.exe

pid process

2548 temp.exe
3012 svchost.exe

pid	process
2548	temp.exe
3012	svchost.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

1f26e5f9b44c28b37b6cd13283838366_JaffaCakes118.exetemp.exeExplorer.EXEsysprep.exenet.execmd.exesvchost.exe

description	pid	process	target process
PID 1704 wrote to memory of 2548	1704	1f26e5f9b44c28b37b6cd13283838366_JaffaCakes118.exe	temp.exe
PID 1704 wrote to memory of 2548	1704	1f26e5f9b44c28b37b6cd13283838366_JaffaCakes118.exe	temp.exe
PID 1704 wrote to memory of 2548	1704	1f26e5f9b44c28b37b6cd13283838366_JaffaCakes118.exe	temp.exe
PID 1704 wrote to memory of 2548	1704	1f26e5f9b44c28b37b6cd13283838366_JaffaCakes118.exe	temp.exe
PID 2548 wrote to memory of 1284	2548	temp.exe	Explorer.EXE
PID 2548 wrote to memory of 1284	2548	temp.exe	Explorer.EXE
PID 2548 wrote to memory of 1284	2548	temp.exe	Explorer.EXE
PID 2548 wrote to memory of 1284	2548	temp.exe	Explorer.EXE
PID 2548 wrote to memory of 1284	2548	temp.exe	Explorer.EXE
PID 2548 wrote to memory of 1284	2548	temp.exe	Explorer.EXE
PID 2548 wrote to memory of 1284	2548	temp.exe	Explorer.EXE
PID 2548 wrote to memory of 1284	2548	temp.exe	Explorer.EXE
PID 2548 wrote to memory of 1284	2548	temp.exe	Explorer.EXE
PID 2548 wrote to memory of 1284	2548	temp.exe	Explorer.EXE
PID 2548 wrote to memory of 1284	2548	temp.exe	Explorer.EXE
PID 2548 wrote to memory of 1284	2548	temp.exe	Explorer.EXE
PID 2548 wrote to memory of 1284	2548	temp.exe	Explorer.EXE
PID 2548 wrote to memory of 1284	2548	temp.exe	Explorer.EXE
PID 2548 wrote to memory of 1284	2548	temp.exe	Explorer.EXE
PID 2548 wrote to memory of 1284	2548	temp.exe	Explorer.EXE
PID 2548 wrote to memory of 1284	2548	temp.exe	Explorer.EXE
PID 2548 wrote to memory of 1284	2548	temp.exe	Explorer.EXE
PID 2548 wrote to memory of 1284	2548	temp.exe	Explorer.EXE
PID 2548 wrote to memory of 1284	2548	temp.exe	Explorer.EXE
PID 1284 wrote to memory of 2492	1284	Explorer.EXE	sysprep.exe
PID 1284 wrote to memory of 2492	1284	Explorer.EXE	sysprep.exe
PID 1284 wrote to memory of 2492	1284	Explorer.EXE	sysprep.exe
PID 2492 wrote to memory of 2904	2492	sysprep.exe	net.exe
PID 2492 wrote to memory of 2904	2492	sysprep.exe	net.exe
PID 2492 wrote to memory of 2904	2492	sysprep.exe	net.exe
PID 2492 wrote to memory of 2904	2492	sysprep.exe	net.exe
PID 2904 wrote to memory of 2472	2904	net.exe	cmd.exe
PID 2904 wrote to memory of 2472	2904	net.exe	cmd.exe
PID 2904 wrote to memory of 2472	2904	net.exe	cmd.exe
PID 2904 wrote to memory of 2472	2904	net.exe	cmd.exe
PID 2472 wrote to memory of 2580	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2580	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2580	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2580	2472	cmd.exe	reg.exe
PID 3012 wrote to memory of 1660	3012	svchost.exe	ipconfig.exe
PID 3012 wrote to memory of 1660	3012	svchost.exe	ipconfig.exe
PID 3012 wrote to memory of 1660	3012	svchost.exe	ipconfig.exe
PID 3012 wrote to memory of 1660	3012	svchost.exe	ipconfig.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\1f26e5f9b44c28b37b6cd13283838366_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f26e5f9b44c28b37b6cd13283838366_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\temp.exe
"C:\Users\Admin\AppData\Local\Temp\temp.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\system32\sysprep\sysprep.exe
"C:\Windows\system32\sysprep\sysprep.exe" "C:\Users\Admin\AppData\Local\Temp\net.exe" "C:\Windows\system32" ""
2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2492

C:\Users\Admin\AppData\Local\Temp\net.exe
"C:\Users\Admin\AppData\Local\Temp\net.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\SysWOW64\cmd.exe
cmd /c net.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d C:\Windows\system32\FastUserSwitchingCompatibilityex.dll
5⤵
- Server Software Component: Terminal Services DLL
PID:2580

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:1660

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\net.exe
Filesize
178KB

MD5
57f2374d9f2a787339b0c6a5b1008a72

SHA1
d34418fb66e48bd3b563c0f6c81e7f1c17d7f5d3

SHA256
9637b2dcd5f9d5fdc0f1c1104f73f3dbdcfd803cac47196cc94c768c21fa2ae4

SHA512
bacf6b7142d2525d017a4a38c83875540e670a39c357d5c946ca04731557968dd2272fa7b6ba4635c3ced823c99d650da5438f2db292f6c8eebe8ce236e6432b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\nettraveler[1].htm
Filesize
1024B

MD5
545bfde42a67146caa2d16606ae834f1

SHA1
90195c18c8c29d4598cdef34931a9df42add0545

SHA256
d9cccfddb6f9d5d28ba693232256ffc49f637e3f74f3909836b1c62c617c5013

SHA512
966b20d82435baf20689067a89dce6164657eca28abf7c63de2dcfed72793bbad16b79885d9d0371a713210f1d41da58ba4cc35d78e6a0329c0942c47bff0d02

Download Submit
C:\Windows\SysWOW64\dnlist.ini
Filesize
60B

MD5
30b5f3ca639ddfa69575968b4032a8cf

SHA1
7d0b96c596bc7fb81dd52f62aac4709025e0dd3c

SHA256
27c94ea9dc125000c55e3c8be0067aece091046b3b000304e75a013dda982c0b

SHA512
a7d9ea4b99b755ecd8498fb2ba910e52f7cd70f02625ef9628c57612bdf0f9488647aa66e10cb4aaaaf1ad1531fba8e28bc7c1c41933dd11a7171cf567e181ad

Download Submit
C:\Windows\SysWOW64\enumfs.ini
Filesize
62B

MD5
3cdd5067e3df908bdb48c205463efdae

SHA1
985fa99672add2707667bc93062c05373ba2ebfe

SHA256
2e3380864f1a2c16825abc682ad65ff680d3630c0ff52f8d5fb28a0e0b66bbc8

SHA512
bdcb9889b3616ce8614dad9ed9fe9312664ff2fbeeacceaef84e9de295dadaab80b8b71adae01883846fab9cd8acbc156095953af2d4ec8510a57857676be1c4

Download Submit
C:\Windows\SysWOW64\net.bat
Filesize
211B

MD5
dde99ab936da8cbda74ea779ef0b2e67

SHA1
1e27e432e0b7c81b990b92595daebdf0539efea4

SHA256
ab6da77270cb63c49d1d12e854850e882d03f41ce48782e98c81bcede0c9ad80

SHA512
62a124172d34dc56d00328b45ac13a029c847c2b7e2843ec38270a7c4d813b68b7d66b9a8ef80b8adfa7b1a894f36b5f8c6365fa5551c35939c0b76cd4439437

Download Submit
C:\Windows\SysWOW64\system_t.dll
Filesize
809B

MD5
bf2c97c558dbcab12ce8b742b10a3897

SHA1
ddf034f79325ce70ebb189666a47a8d5c319fb78

SHA256
c1b96a24078a285657a55a5242a4535e6a2661741bfc160a761d31aac2837aac

SHA512
ab5a445afc08ac62ea55aeaf25fffaf6b015157af911c9761fe90acb0d9d131c0b54bfc46a4d5d94ca843b71fcb6de625f8f3dca60a12a8b92e895120a08ca98

Download Submit
C:\Windows\system\config_t.dat
Filesize
186B

MD5
2708043b77d6ea590696856b9f44aa4e

SHA1
aca48ecf7347fe444a2b7d2c11680a6918e67c7a

SHA256
998ec5c11540cca088e079c8afda1d9222ed343dd0e6294817a187dd57185e9d

SHA512
b14053d01726da26eaaeccbbe666e0f472c68f8cc38aff404ac0b659caa427f7c50f6efbc67fdc4d0c593273457632477eb393780cd6b720564dfda9307d4c49

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibilityex.dll
Filesize
127KB

MD5
ba20c70e538db853613bd65a7caf1d91

SHA1
96c935e51e3fed095f7158901ff10ebe32794c8b

SHA256
520b773ce8d6855abc992c1499609ca5e8c45446b10b8c2a804ecb1c967bda08

SHA512
7d3110f7ebe6b5c3099b7c919c2141db4b4684ba0193c21bdf5ceae6dd5f191fd2f653768253f40db367f0d44f965587564f4ad52490dcb6761df431f6498230

Download Submit
\Users\Admin\AppData\Local\Temp\temp.exe
Filesize
86KB

MD5
425609a2c35081730982a01d72a76cbe

SHA1
64f95fe985a7ef7ee4f396e36279aa31498ac3cc

SHA256
e03145fefe7fef82c2a476d7dec03305d7da79cd3c8fe1578177580175febbd3

SHA512
6ede1415ac51d588a71bfb5697a599eb777e9530240b7a3524626d2a230bb51017c9b3d05923c5cb41800cca9818f2d99484310390a0425ef8e48984c4c9cfd4

Download Submit
memory/1284-28-0x0000000003A00000-0x0000000003A01000-memory.dmp

Filesize
4KB

Download
memory/1284-13-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1284-7-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download