win.gozi

Gozi

aka: CRM, Gozi CRM, Papras, Snifula, Ursnif

2000 Ursnif aka Snifula
2006 Gozi v1.0, Gozi CRM, CRM, Papras
2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
-> 2010 Gozi Prinimalka -> Vawtrak/Neverquest

In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.
It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, who borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, as well as from some other kits. Gozi v1.0 therefore inherited a formgrabber module and is often classified as Ursnif aka Snifula.

In September 2010, the source code of a particular Gozi CRM DLL version was leaked. This gave rise to two lineages: Gozi Prinimalka (a slightly modified Gozi v1.0), which in combination with Pony led to Vawtrak/Neverquest, and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). The latter version came with a webinject module.

References
2017-05-29Lokalhost.plMaciej Kotowicz
@online{kotowicz:20170529:gozi:96e962d, author = {Maciej Kotowicz}, title = {{Gozi Tree}}, date = {2017-05-29}, organization = {Lokalhost.pl}, url = {https://lokalhost.pl/gozi_tree.txt}, language = {English}, urldate = {2020-01-08} } Gozi Tree
DreamBot Gozi ISFB Powersniff
2017-02-15Palo Alto Networks Unit 42Kaoru Hayashi
@online{hayashi:20170215:banking:c5e917c, author = {Kaoru Hayashi}, title = {{Banking Trojans: Ursnif Global Distribution Networks Identified}}, date = {2017-02-15}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/}, language = {English}, urldate = {2019-10-25} } Banking Trojans: Ursnif Global Distribution Networks Identified
Gozi
2016-11-23G DataG Data
@online{data:20161123:analysis:0bbfdb9, author = {G Data}, title = {{Analysis: Ursnif - spying on your data since 2007}}, date = {2016-11-23}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007}, language = {English}, urldate = {2020-01-10} } Analysis: Ursnif - spying on your data since 2007
Gozi
2013-02-03Malware Must Die!Malware Must Die!
@online{die:20130203:infection:ac33cd2, author = {Malware Must Die!}, title = {{The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant)}}, date = {2013-02-03}, organization = {Malware Must Die!}, url = {http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html}, language = {English}, urldate = {2019-07-11} } The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant)
Gozi
2007-03-20SecureworksDon Jackson
@online{jackson:20070320:gozi:701fe90, author = {Don Jackson}, title = {{Gozi Trojan}}, date = {2007-03-20}, organization = {Secureworks}, url = {https://www.secureworks.com/research/gozi}, language = {English}, urldate = {2020-01-10} } Gozi Trojan
Gozi
Yara Rules
[TLP:WHITE] win_gozi_auto (20190204 | autogenerated rule brought to you by yara-signator)
// Autogenerated code-signature rule for win.gozi (Gozi / Ursnif / ISFB lineage).
// Each $sequence_N is a short x86 opcode pattern lifted from the disassembly of
// a sample; the inline listing under each string shows the decoded instructions.
// Bytes written as `??` are wildcards, used here to mask the 4-byte relative
// operand of e8 (call) / e9 (jmp) instructions, which changes with code layout.
// See the DISCLAIMER block below for how the patterns were chosen and why
// coverage across the family may be limited.
rule win_gozi_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): `date` (2019-11-26) and `malpedia_version` (20190204)
        // differ; the latter looks like the Malpedia corpus snapshot the rule was
        // generated from rather than the rule's creation date - confirm.
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Because the sequences were taken from memory dumps and unpacked files,
    // this rule is meant for unpacked code or memory scans; packed samples on
    // disk are not expected to match.
    strings:
        $sequence_0 = { 83c410 8d4608 50 8d4708 50 e8???????? }
            // n = 6, score = 100
            //   83c410               | add                 esp, 0x10
            //   8d4608               | lea                 eax, [esi + 8]
            //   50                   | push                eax
            //   8d4708               | lea                 eax, [edi + 8]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_1 = { ff742410 50 e8???????? f7d8 1bc0 }
            // n = 5, score = 100
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   50                   | push                eax
            //   e8????????           |                     
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax

        $sequence_2 = { 894dcc ab 8b06 83e001 84c0 }
            // n = 5, score = 100
            //   894dcc               | mov                 dword ptr [ebp - 0x34], ecx
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   83e001               | and                 eax, 1
            //   84c0                 | test                al, al

        $sequence_3 = { 5b c20800 8b4c2404 33c0 85c9 }
            // n = 5, score = 100
            //   5b                   | pop                 ebx
            //   c20800               | ret                 8
            //   8b4c2404             | mov                 ecx, dword ptr [esp + 4]
            //   33c0                 | xor                 eax, eax
            //   85c9                 | test                ecx, ecx

        // Two masked branch targets in a row: only 5 of the 13 bytes are fixed.
        $sequence_4 = { e9???????? e8???????? 85f6 752b 83f802 }
            // n = 5, score = 100
            //   e9????????           |                     
            //   e8????????           |                     
            //   85f6                 | test                esi, esi
            //   752b                 | jne                 0x2d
            //   83f802               | cmp                 eax, 2

        $sequence_5 = { 6a08 ff75f4 ff75fc e8???????? ff75f4 e8???????? 6a08 }
            // n = 7, score = 100
            //   6a08                 | push                8
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   e8????????           |                     
            //   6a08                 | push                8

        $sequence_6 = { 8d878a020000 ff10 8945fc 8d45f8 }
            // n = 4, score = 100
            //   8d878a020000         | lea                 eax, [edi + 0x28a]
            //   ff10                 | call                dword ptr [eax]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8d45f8               | lea                 eax, [ebp - 8]

        $sequence_7 = { 56 56 668945fe 8d455c 50 6a01 }
            // n = 6, score = 100
            //   56                   | push                esi
            //   56                   | push                esi
            //   668945fe             | mov                 word ptr [ebp - 2], ax
            //   8d455c               | lea                 eax, [ebp + 0x5c]
            //   50                   | push                eax
            //   6a01                 | push                1

        // NOTE(review): the immediate 0x124f80 is a fixed 32-bit value that may
        // be specific to the analysed build - confirm before relying on it.
        $sequence_8 = { e8???????? 68804f1200 e8???????? ebef c9 c20400 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   68804f1200           | push                0x124f80
            //   e8????????           |                     
            //   ebef                 | jmp                 0xfffffff1
            //   c9                   | leave               
            //   c20400               | ret                 4

        // NOTE(review): 0x1aa08210 looks like an absolute address tied to one
        // sample's image base, so this string may not generalize across builds
        // (same concern for 0x1aa08b60 in $sequence_14). 0x80000002 matches the
        // HKEY_LOCAL_MACHINE handle constant, suggesting a registry call - unverified.
        $sequence_9 = { 8d45c0 50 681082a01a 6802000080 }
            // n = 4, score = 100
            //   8d45c0               | lea                 eax, [ebp - 0x40]
            //   50                   | push                eax
            //   681082a01a           | push                0x1aa08210
            //   6802000080           | push                0x80000002

        $sequence_10 = { 8b4e0c 85c9 8975e8 0f85b3feffff 5f }
            // n = 5, score = 100
            //   8b4e0c               | mov                 ecx, dword ptr [esi + 0xc]
            //   85c9                 | test                ecx, ecx
            //   8975e8               | mov                 dword ptr [ebp - 0x18], esi
            //   0f85b3feffff         | jne                 0xfffffeb9
            //   5f                   | pop                 edi

        $sequence_11 = { ff33 ff520c b801000000 5b }
            // n = 4, score = 100
            //   ff33                 | push                dword ptr [ebx]
            //   ff520c               | call                dword ptr [edx + 0xc]
            //   b801000000           | mov                 eax, 1
            //   5b                   | pop                 ebx

        $sequence_12 = { ff7518 ff5210 8bfb c60300 33c9 }
            // n = 5, score = 100
            //   ff7518               | push                dword ptr [ebp + 0x18]
            //   ff5210               | call                dword ptr [edx + 0x10]
            //   8bfb                 | mov                 edi, ebx
            //   c60300               | mov                 byte ptr [ebx], 0
            //   33c9                 | xor                 ecx, ecx

        // NOTE(review): cld / xor eax,eax / push -1 / pop ecx / repne scasb looks
        // like an inline string-length scan, an idiom common in ordinary compiler
        // output; on its own it adds little family-specific evidence.
        $sequence_13 = { fc 33c0 6aff 59 f2ae 803f00 7415 }
            // n = 7, score = 100
            //   fc                   | cld                 
            //   33c0                 | xor                 eax, eax
            //   6aff                 | push                -1
            //   59                   | pop                 ecx
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]
            //   803f00               | cmp                 byte ptr [edi], 0
            //   7415                 | je                  0x17

        // NOTE(review): 0x1aa08b60 is a fixed table base address embedded in the
        // lea; see the comment on $sequence_9 about image-base dependence.
        $sequence_14 = { eb25 8b4d0c 0fb611 8d04d5608ba01a 8945fc }
            // n = 5, score = 100
            //   eb25                 | jmp                 0x27
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   0fb611               | movzx               edx, byte ptr [ecx]
            //   8d04d5608ba01a       | lea                 eax, [edx*8 + 0x1aa08b60]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_15 = { 8b4df0 8b5508 035160 8955fc 8b450c c1e810 0fb7c8 }
            // n = 7, score = 100
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   035160               | add                 edx, dword ptr [ecx + 0x60]
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   c1e810               | shr                 eax, 0x10
            //   0fb7c8               | movzx               ecx, ax

    // At least 7 of the 16 $sequence_N strings must be present, so no single
    // generic sequence (e.g. $sequence_13) can trigger the rule by itself.
    condition:
        7 of them
}