This is the Gozi IFSB malware, created to steal data and information from its victims. In the folder you will see all the files needed to create your own malware server.
For this malware analysis I will use a .bin found after a Google search. With this .bin file I will be two steps closer to the analysis. I don't have the .doc/.pdf file with the payload, but the .bin is the file downloaded as a result of the payload.
I will transform the .bin file into infected.exe (10000.exe)!
008c4bd6ee834d113cfc693af0ea90396eaa47e860bcdd567ffd964b57434e1d.bin
MD5: e6d118192fc848797e15dc0600834783
SHA1: 16d5ded68677f4a870423d3fd30da8377a5b2408
Let's go to the security manipulation and the creation of the malware on the system. The $LN33 label is exported by the executable; after that, execution jumps into the C Runtime Library, calling security_init_cookie (buffer overrun protection) in order to compromise the system security. Let's run the infected file to see its actions!
I see that explorer.exe has some activity.
Cyber security – Malware analysis
There I have some movements... let's go to \Roaming\Microsoft\ to see the newly created folder 'BthM300C'. An executable (the same .exe with a different name) was created in the new folder after running infected.exe: D3DCsapi.exe, aka 1000.exe.
The Registry.
Prodefence SRL
Now... explorer.exe.
24 .dll files are suspicious, which means some of them come from the injection process.
explorer.exe (2304) – 52074 – 166.124.148.146.bc.googleusercontent.com.
This is a Google Cloud Platform host, and explorer.exe has connections to it. genesisgrandergh.at
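As an added example (not code from the original post), the two behaviours observed above, a renamed executable dropped into a new folder under \AppData\Roaming\Microsoft\ and explorer.exe opening outbound connections to a Google Cloud host and to genesisgrandergh.at, can be turned into simple triage rules over endpoint events. The pipe-separated log format, the dataclass, the sample pids and the full user-profile path are assumptions; the sample events are constructed, not captured from the infection.

```python
import re
from dataclasses import dataclass

# Indicators taken from the analysis above: an .exe dropped into a fresh folder under
# \AppData\Roaming\Microsoft\, and explorer.exe (which should not talk to the internet
# on its own) connecting to a bc.googleusercontent.com host or to genesisgrandergh.at.
DROP_PATH = re.compile(r"\\AppData\\Roaming\\Microsoft\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)
SUSPECT_DOMAINS = ("bc.googleusercontent.com", "genesisgrandergh.at")
INJECTION_HOSTS = ("explorer.exe",)  # processes the page shows being injected into

@dataclass
class Event:
    kind: str      # "FileCreate" or "NetworkConnect" (assumed event format)
    process: str   # image name of the acting process
    pid: int
    detail: str    # file path for FileCreate, remote host for NetworkConnect

def parse_event(line: str) -> Event:
    """Parse one pipe-separated line of the constructed log format used below."""
    kind, process, pid, detail = line.split("|", 3)
    return Event(kind, process, int(pid), detail)

def triage(lines):
    """Return findings for events matching the Gozi behaviour described above."""
    findings = []
    for ev in map(parse_event, lines):
        if ev.kind == "FileCreate" and DROP_PATH.search(ev.detail):
            findings.append(f"dropped executable: {ev.detail} (by {ev.process} pid {ev.pid})")
        elif (ev.kind == "NetworkConnect" and ev.process.lower() in INJECTION_HOSTS
              and ev.detail.lower().endswith(SUSPECT_DOMAINS)):
            findings.append(f"suspicious outbound from {ev.process} pid {ev.pid} to {ev.detail}")
    return findings

# Constructed sample events mirroring the observations above (pids and user name are made up).
SAMPLE_LOG = [
    r"FileCreate|10000.exe|4120|C:\Users\victim\AppData\Roaming\Microsoft\BthM300C\D3DCsapi.exe",
    r"FileCreate|notepad.exe|2200|C:\Users\victim\Documents\notes.txt",
    r"NetworkConnect|explorer.exe|2304|166.124.148.146.bc.googleusercontent.com",
    r"NetworkConnect|chrome.exe|3100|www.example.com",
    r"NetworkConnect|explorer.exe|2304|genesisgrandergh.at",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```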