win.gozi (Back to overview)

Gozi

aka: CRM, Gozi CRM, Papras, Snifula, Ursnif
URLhaus      

2000 Ursnif aka Snifula
2006 Gozi v1.0, Gozi CRM, CRM, Papras
2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
-> 2010 Gozi Prinimalka -> Vawtrak/Neverquest

In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.
It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.

In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.

References
https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
https://www.secureworks.com/research/gozi
https://lokalhost.pl/gozi_tree.txt
http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html
Yara Rules
[TLP:WHITE] win_gozi_auto (20190620 | autogenerated rule brought to you by yara-signator)
rule win_gozi_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-07-05"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.2a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi"
        malpedia_version = "20190620"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 8d8500ffffff 50 e8???????? 85c0 74?? }
            // n = 5, score = 200
            //   8d8500ffffff         | lea                 eax, [ebp - 0x100]
            //   50                   | push                eax
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   74??                 |                     

        $sequence_1 = { 8d8500ffffff 50 e8???????? 85c0 74?? }
            // n = 5, score = 200
            //   8d8500ffffff         | lea                 eax, [ebp - 0x100]
            //   50                   | push                eax
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   74??                 |                     

        $sequence_2 = { 2bfb 8d4705 50 6a40 ff15???????? }
            // n = 5, score = 100
            //   2bfb                 | sub                 edi, ebx
            //   8d4705               | lea                 eax, [edi + 5]
            //   50                   | push                eax
            //   6a40                 | push                0x40
            //   ff15????????         |                     

        $sequence_3 = { 8b8c85b0feffff 3b4de0 74?? 40 }
            // n = 4, score = 100
            //   8b8c85b0feffff       | mov                 ecx, dword ptr [ebp + eax*4 - 0x150]
            //   3b4de0               | cmp                 ecx, dword ptr [ebp - 0x20]
            //   74??                 |                     
            //   40                   | inc                 eax

        $sequence_4 = { ff15???????? e9???????? 899dc8f4ffff 899dc4f4ffff 8d85c4f4ffff 50 6880000000 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   e9????????           |                     
            //   899dc8f4ffff         | mov                 dword ptr [ebp - 0xb38], ebx
            //   899dc4f4ffff         | mov                 dword ptr [ebp - 0xb3c], ebx
            //   8d85c4f4ffff         | lea                 eax, [ebp - 0xb3c]
            //   50                   | push                eax
            //   6880000000           | push                0x80

        $sequence_5 = { 8d879e020000 ff10 5e c9 }
            // n = 4, score = 100
            //   8d879e020000         | lea                 eax, [edi + 0x29e]
            //   ff10                 | call                dword ptr [eax]
            //   5e                   | pop                 esi
            //   c9                   | leave               

        $sequence_6 = { 57 8bce 74?? 034104 }
            // n = 4, score = 100
            //   57                   | push                edi
            //   8bce                 | mov                 ecx, esi
            //   74??                 |                     
            //   034104               | add                 eax, dword ptr [ecx + 4]

        $sequence_7 = { 8bec 6aff 6a00 e8???????? 3bfb }
            // n = 5, score = 100
            //   8bec                 | mov                 ebp, esp
            //   6aff                 | push                -1
            //   6a00                 | push                0
            //   e8????????           |                     
            //   3bfb                 | cmp                 edi, ebx

        $sequence_8 = { 6a00 6a00 ff75e4 e8???????? 8b45dc }
            // n = 5, score = 100
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff75e4               | push                dword ptr [ebp - 0x1c]
            //   e8????????           |                     
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]

        $sequence_9 = { e9???????? 5b 5f 5e c9 c21400 55 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   5b                   | pop                 ebx
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c21400               | ret                 0x14
            //   55                   | push                ebp

        $sequence_10 = { 74?? 57 8d85b8fcffff 50 }
            // n = 4, score = 100
            //   74??                 |                     
            //   57                   | push                edi
            //   8d85b8fcffff         | lea                 eax, [ebp - 0x348]
            //   50                   | push                eax

        $sequence_11 = { ff15???????? 0345dc 0345d8 0145e4 eb?? }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   0345dc               | add                 eax, dword ptr [ebp - 0x24]
            //   0345d8               | add                 eax, dword ptr [ebp - 0x28]
            //   0145e4               | add                 dword ptr [ebp - 0x1c], eax
            //   eb??                 |                     

        $sequence_12 = { 83ec54 53 56 33c0 57 }
            // n = 5, score = 100
            //   83ec54               | sub                 esp, 0x54
            //   53                   | push                ebx
            //   56                   | push                esi
            //   33c0                 | xor                 eax, eax
            //   57                   | push                edi

        $sequence_13 = { ff750c ff7508 ff75fc ff15???????? ff75fc 8bf0 }
            // n = 6, score = 100
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   8bf0                 | mov                 esi, eax

        $sequence_14 = { 8b9554ffffff 0fbe4415ec 8b8d4cffffff 038d58ffffff 0fbe11 33d0 }
            // n = 6, score = 100
            //   8b9554ffffff         | mov                 edx, dword ptr [ebp - 0xac]
            //   0fbe4415ec           | movsx               eax, byte ptr [ebp + edx - 0x14]
            //   8b8d4cffffff         | mov                 ecx, dword ptr [ebp - 0xb4]
            //   038d58ffffff         | add                 ecx, dword ptr [ebp - 0xa8]
            //   0fbe11               | movsx               edx, byte ptr [ecx]
            //   33d0                 | xor                 edx, eax

    condition:
        7 of them
}
Download all Yara Rules