paladin316

Gozi_5867111c4ed7815ff1ec59f85b1f0352 Malware JSON Report

Jun 17th, 2019
  1.  
  2. [*] MalFamily: ""
  3.  
  4. [*] MalScore: 10.0
  5.  
  6. [*] File Name: "Gozi_5867111c4ed7815ff1ec59f85b1f0352.exe"
  7. [*] File Size: 562688
  8. [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. [*] SHA256: "abee725d7461a5961b2654044441c95e974b46e7e25ceabe9b8857ddcde266be"
  10. [*] MD5: "5867111c4ed7815ff1ec59f85b1f0352"
  11. [*] SHA1: "32749f3d69725ff846c9154390d51126e4e0c93d"
  12. [*] SHA512: "7b44a3d103724744ba186eef4f18f045c41018e14c688d0a0c5704507cc707959789870442402581c9b01242130e4a60e1b3f1987082774d4f5c5dc22c7b7d0e"
  13. [*] CRC32: "45AA5F6A"
  14. [*] SSDEEP: "6144:QkjP3Q+c/r94FN/cigBtt2S/ii50w8PNLIZUE:QkzFc6JgBttF/ii5BSNUZUE"
  15.  
  16. [*] Process Execution: [
  17. "Gozi_5867111c4ed7815ff1ec59f85b1f0352.exe",
  18. "svchost.exe",
  19. "WmiPrvSE.exe",
  20. "iexplore.exe",
  21. "iexplore.exe",
  22. "iexplore.exe",
  23. "iexplore.exe",
  24. "iexplore.exe",
  25. "iexplore.exe",
  26. "iexplore.exe",
  27. "iexplore.exe",
  28. "iexplore.exe",
  29. "iexplore.exe",
  30. "iexplore.exe",
  31. "iexplore.exe",
  32. "WmiPrvSE.exe",
  33. "iexplore.exe",
  34. "iexplore.exe",
  35. "iexplore.exe",
  36. "iexplore.exe",
  37. "iexplore.exe",
  38. "iexplore.exe",
  39. "iexplore.exe",
  40. "iexplore.exe",
  41. "iexplore.exe",
  42. "iexplore.exe",
  43. "iexplore.exe",
  44. "iexplore.exe",
  45. "iexplore.exe",
  46. "iexplore.exe",
  47. "iexplore.exe",
  48. "iexplore.exe",
  49. "iexplore.exe",
  50. "iexplore.exe",
  51. "iexplore.exe",
  52. "iexplore.exe",
  53. "iexplore.exe",
  54. "iexplore.exe",
  55. "iexplore.exe",
  56. "iexplore.exe",
  57. "iexplore.exe",
  58. "iexplore.exe",
  59. "iexplore.exe",
  60. "iexplore.exe",
  61. "iexplore.exe",
  62. "iexplore.exe",
  63. "iexplore.exe",
  64. "iexplore.exe",
  65. "iexplore.exe",
  66. "iexplore.exe",
  67. "iexplore.exe",
  68. "iexplore.exe",
  69. "iexplore.exe",
  70. "iexplore.exe",
  71. "iexplore.exe",
  72. "iexplore.exe",
  73. "iexplore.exe",
  74. "iexplore.exe",
  75. "WmiPrvSE.exe",
  76. "iexplore.exe",
  77. "iexplore.exe",
  78. "WMIADAP.exe"
  79. ]
  80.  
  81. [*] Signatures Detected: [
  82. {
  83. "Description": "Attempts to connect to a dead IP:Port (2 unique times); note that 204.79.197.200 appears to be the Microsoft/Bing address behind the www.bing.com/favicon.ico request listed below and is most likely 'dead' only because the sandbox had no outbound route, so of the two only 47.254.82.18 should be treated as a probable indicator",
  84. "Details": [
  85. {
  86. "IP": "204.79.197.200:80"
  87. },
  88. {
  89. "IP": "47.254.82.18:80"
  90. }
  91. ]
  92. },
  93. {
  94. "Description": "Creates RWX memory",
  95. "Details": []
  96. },
  97. {
  98. "Description": "Possible date expiration check, exits too soon after checking local time",
  99. "Details": [
  100. {
  101. "process": "iexplore.exe, PID 1712"
  102. }
  103. ]
  104. },
  105. {
  106. "Description": "A process attempted to delay the analysis task.",
  107. "Details": [
  108. {
  109. "Process": "Gozi_5867111c4ed7815ff1ec59f85b1f0352.exe tried to sleep 1649 seconds, actually delayed analysis time by 0 seconds"
  110. },
  111. {
  112. "Process": "WmiPrvSE.exe tried to sleep 840 seconds, actually delayed analysis time by 0 seconds"
  113. }
  114. ]
  115. },
  116. {
  117. "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
  118. "Details": [
  119. {
  120. "post_no_referer": "HTTP traffic contains a POST request with no referer header"
  121. },
  122. {
  123. "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
  124. },
  125. {
  126. "suspicious_request": "http://api.frame303.at/index.htm"
  127. },
  128. {
  129. "suspicious_request": "http://47.254.82.18/favicon.ico"
  130. },
  131. {
  132. "suspicious_request": "http://cde.frame303.at/index.htm"
  133. }
  134. ]
  135. },
  136. {
  137. "Description": "Performs some HTTP requests",
  138. "Details": [
  139. {
  140. "url": "http://www.bing.com/favicon.ico"
  141. },
  142. {
  143. "url": "http://api.frame303.at/index.htm"
  144. },
  145. {
  146. "url": "http://47.254.82.18/favicon.ico"
  147. },
  148. {
  149. "url": "http://cde.frame303.at/index.htm"
  150. }
  151. ]
  152. },
  153. {
  154. "Description": "Crashed cuckoomon during analysis (repeated monitor exceptions in PID 500 raised from the RtlDispatchException hook); behavioural coverage of that process may be incomplete, so the absence of further indicators for it is not evidence of absence. Report this error to the Github repo.",
  155. "Details": [
  156. {
  157. "pid": 500
  158. },
  159. {
  160. "message": "Exception reported at offset 0x1967e in cuckoomon itself while accessing 0x16d5f8 from hook RtlDispatchException"
  161. },
  162. {
  163. "pid": 500
  164. },
  165. {
  166. "message": "Exception reported at offset 0x19681 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  167. },
  168. {
  169. "pid": 500
  170. },
  171. {
  172. "message": "Exception reported at offset 0x19681 in cuckoomon itself while accessing 0x16d5fc from hook RtlDispatchException"
  173. },
  174. {
  175. "pid": 500
  176. },
  177. {
  178. "message": "Exception reported at offset 0x19684 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  179. },
  180. {
  181. "pid": 500
  182. },
  183. {
  184. "message": "Exception reported at offset 0x19684 in cuckoomon itself while accessing 0x16d5f4 from hook RtlDispatchException"
  185. },
  186. {
  187. "pid": 500
  188. },
  189. {
  190. "message": "Exception reported at offset 0x19687 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  191. },
  192. {
  193. "pid": 500
  194. },
  195. {
  196. "message": "Exception reported at offset 0x19687 in cuckoomon itself while accessing 0x16d5f0 from hook RtlDispatchException"
  197. },
  198. {
  199. "pid": 500
  200. },
  201. {
  202. "message": "Exception reported at offset 0x19689 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  203. },
  204. {
  205. "pid": 500
  206. },
  207. {
  208. "message": "Exception reported at offset 0x19699 in cuckoomon itself while accessing 0x16d600 from hook RtlDispatchException"
  209. },
  210. {
  211. "pid": 500
  212. },
  213. {
  214. "message": "Exception reported at offset 0x1969b in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  215. },
  216. {
  217. "pid": 500
  218. },
  219. {
  220. "message": "Exception reported at offset 0x1969f in cuckoomon itself while accessing 0x16d604 from hook RtlDispatchException"
  221. },
  222. {
  223. "pid": 500
  224. },
  225. {
  226. "message": "Exception reported at offset 0x196a2 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  227. },
  228. {
  229. "pid": 500
  230. },
  231. {
  232. "message": "Exception reported at offset 0x196aa in cuckoomon itself while accessing 0x16d608 from hook RtlDispatchException"
  233. },
  234. {
  235. "pid": 500
  236. },
  237. {
  238. "message": "Exception reported at offset 0x196ad in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  239. },
  240. {
  241. "pid": 500
  242. },
  243. {
  244. "message": "Exception reported at offset 0x196bd in cuckoomon itself while accessing 0x16d60c from hook RtlDispatchException"
  245. },
  246. {
  247. "pid": 500
  248. },
  249. {
  250. "message": "Exception reported at offset 0x196c0 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  251. },
  252. {
  253. "pid": 500
  254. },
  255. {
  256. "message": "Exception reported at offset 0x19bfc in cuckoomon itself while accessing 0x16d5f0 from hook RtlDispatchException"
  257. },
  258. {
  259. "pid": 500
  260. },
  261. {
  262. "message": "Exception reported at offset 0x19bfe in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  263. },
  264. {
  265. "pid": 500
  266. },
  267. {
  268. "message": "Exception reported at offset 0x19bfe in cuckoomon itself while accessing 0x16d5f4 from hook RtlDispatchException"
  269. },
  270. {
  271. "pid": 500
  272. },
  273. {
  274. "message": "Exception reported at offset 0x19c01 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  275. },
  276. {
  277. "pid": 500
  278. },
  279. {
  280. "message": "Exception reported at offset 0x19c01 in cuckoomon itself while accessing 0x16d5f8 from hook RtlDispatchException"
  281. },
  282. {
  283. "pid": 500
  284. },
  285. {
  286. "message": "Exception reported at offset 0x19c04 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  287. },
  288. {
  289. "pid": 500
  290. },
  291. {
  292. "message": "Exception reported at offset 0x19c04 in cuckoomon itself while accessing 0x16d5fc from hook RtlDispatchException"
  293. },
  294. {
  295. "pid": 500
  296. },
  297. {
  298. "message": "Exception reported at offset 0x19c07 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  299. },
  300. {
  301. "pid": 500
  302. },
  303. {
  304. "message": "Exception reported at offset 0x1967e in cuckoomon itself while accessing 0x16d678 from hook RtlDispatchException"
  305. },
  306. {
  307. "pid": 500
  308. },
  309. {
  310. "message": "Exception reported at offset 0x19681 in cuckoomon itself while accessing 0x16d67c from hook RtlDispatchException"
  311. },
  312. {
  313. "pid": 500
  314. },
  315. {
  316. "message": "Exception reported at offset 0x19684 in cuckoomon itself while accessing 0x16d674 from hook RtlDispatchException"
  317. },
  318. {
  319. "pid": 500
  320. },
  321. {
  322. "message": "Exception reported at offset 0x19687 in cuckoomon itself while accessing 0x16d670 from hook RtlDispatchException"
  323. },
  324. {
  325. "pid": 500
  326. },
  327. {
  328. "message": "Exception reported at offset 0x19699 in cuckoomon itself while accessing 0x16d630 from hook RtlDispatchException"
  329. },
  330. {
  331. "pid": 500
  332. },
  333. {
  334. "message": "Exception reported at offset 0x1969f in cuckoomon itself while accessing 0x16d634 from hook RtlDispatchException"
  335. },
  336. {
  337. "pid": 500
  338. },
  339. {
  340. "message": "Exception reported at offset 0x196aa in cuckoomon itself while accessing 0x16d638 from hook RtlDispatchException"
  341. },
  342. {
  343. "pid": 500
  344. },
  345. {
  346. "message": "Exception reported at offset 0x196bd in cuckoomon itself while accessing 0x16d63c from hook RtlDispatchException"
  347. },
  348. {
  349. "pid": 500
  350. },
  351. {
  352. "message": "Exception reported at offset 0x19bfc in cuckoomon itself while accessing 0x16d670 from hook RtlDispatchException"
  353. },
  354. {
  355. "pid": 500
  356. },
  357. {
  358. "message": "Exception reported at offset 0x19bfe in cuckoomon itself while accessing 0x16d674 from hook RtlDispatchException"
  359. },
  360. {
  361. "pid": 500
  362. },
  363. {
  364. "message": "Exception reported at offset 0x19c01 in cuckoomon itself while accessing 0x16d678 from hook RtlDispatchException"
  365. },
  366. {
  367. "pid": 500
  368. },
  369. {
  370. "message": "Exception reported at offset 0x19c04 in cuckoomon itself while accessing 0x16d67c from hook RtlDispatchException"
  371. }
  372. ]
  373. },
  374. {
  375. "Description": "Creates a hidden or system file (the paths listed are Internet Explorer TLD-cache and Explorer jump-list temp files, most likely ordinary artifacts of the many iexplore.exe instances in the process list rather than files dropped by the sample, so they are weak indicators on their own)",
  376. "Details": [
  377. {
  378. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low"
  379. },
  380. {
  381. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF13e2cb2.TMP"
  382. },
  383. {
  384. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF13e3e46.TMP"
  385. },
  386. {
  387. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF14bddd3.TMP"
  388. },
  389. {
  390. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF13e58c3.TMP"
  391. },
  392. {
  393. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF13e7ae2.TMP"
  394. },
  395. {
  396. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF13e9000.TMP"
  397. },
  398. {
  399. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF13eaaeb.TMP"
  400. },
  401. {
  402. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF13ebae8.TMP"
  403. },
  404. {
  405. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF13ecd09.TMP"
  406. },
  407. {
  408. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF13edd74.TMP"
  409. },
  410. {
  411. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF13f0f42.TMP"
  412. },
  413. {
  414. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF14cb789.TMP"
  415. },
  416. {
  417. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF13f3633.TMP"
  418. },
  419. {
  420. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF13f6a82.TMP"
  421. },
  422. {
  423. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF13f83a7.TMP"
  424. },
  425. {
  426. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF13f97ac.TMP"
  427. },
  428. {
  429. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF13fb0f1.TMP"
  430. },
  431. {
  432. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF14d7b75.TMP"
  433. },
  434. {
  435. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF14d915f.TMP"
  436. },
  437. {
  438. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF1401b63.TMP"
  439. },
  440. {
  441. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF140581e.TMP"
  442. },
  443. {
  444. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF1407a3c.TMP"
  445. },
  446. {
  447. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF140c7a1.TMP"
  448. },
  449. {
  450. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF140f008.TMP"
  451. },
  452. {
  453. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF1413ce0.TMP"
  454. },
  455. {
  456. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF1416298.TMP"
  457. },
  458. {
  459. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF141af51.TMP"
  460. },
  461. {
  462. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF141fc96.TMP"
  463. }
  464. ]
  465. },
  466. {
  467. "Description": "Retrieves Windows ProductID, probably to fingerprint the sandbox",
  468. "Details": []
  469. },
  470. {
  471. "Description": "Checks the BIOS version, possibly for anti-virtualization",
  472. "Details": []
  473. },
  474. {
  475. "Description": "Attempts to modify proxy settings",
  476. "Details": []
  477. },
  478. {
  479. "Description": "Collects information to fingerprint the system",
  480. "Details": []
  481. }
  482. ]
  483.  
  484. [*] Started Service: []