Spelevo Exploit Kit delivers Gozi Trojan

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2020-02-19-Spelevo-EK-gozi-pcap.zip


ASSOCIATED DOMAINS:

188.127.249.55 – synth.website – Spelevo EK Redirect
185.159.80.223 – keli.adultessvensk.info GET /17rh2ccau1jrsid/bolivia-crystal-bikini – Spelevo Exploit Kit
185.159.80.223 – keli.adultessvensk.info POST /17rh2ccau1jrsid/?e975da3dfc774fc8a654e1dd23e51a48fe6205y – Spelevo Exploit Kit
45.147.200.7 Port 443 – vapershotz.xyz – Gozi Trojan C2


IMAGES AND DETAILS:


Shown above: Network traffic associated with the Spelevo Exploit Kit and Gozi Trojan C2


Shown above: Pinging the domain and the sub-domain shows DNS resolving them to different IPs, indicating possible DNS shadowing
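The check behind that observation, as an added example that is not part of the original post: resolve a sub-domain and its apex domain and flag the pair when their answers have no IP in common. The DNS answers in the table are constructed for this write-up (the sub-domain IP is the one from the IoC list above; the apex and control answers are RFC 5737 placeholders), so it runs offline; swapping the resolver for a live lookup is a one-line change.

```python
"""Domain-shadowing check: does a sub-domain resolve somewhere other than
its apex domain? Added example for this write-up, not the author's own
tooling. The DNS answers below are constructed: the sub-domain IP comes
from the page's IoC list, the apex answer is a TEST-NET placeholder."""
from typing import Callable, Dict, List

# Constructed answers standing in for live lookups. A real run would
# replace `constructed_resolver` with e.g. socket.gethostbyname_ex(name)[2].
ANSWERS: Dict[str, List[str]] = {
    "adultessvensk.info": ["203.0.113.10"],        # placeholder (RFC 5737)
    "keli.adultessvensk.info": ["185.159.80.223"],  # Spelevo EK host (page)
    "example.net": ["203.0.113.20"],               # constructed control
    "www.example.net": ["203.0.113.20"],           # same host as its apex
}


def constructed_resolver(name: str) -> List[str]:
    """Return the A records for `name` from the constructed table."""
    return ANSWERS.get(name.rstrip(".").lower(), [])


def apex_of(fqdn: str) -> str:
    """Naive registrable domain: the last two labels. Adequate for the
    TLDs on this page; a production tool would use the Public Suffix List."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shadowing_indicators(fqdn: str,
                         resolve: Callable[[str], List[str]] = constructed_resolver) -> dict:
    """Resolve `fqdn` and its apex and report whether they diverge.

    Divergence alone is only a lead: CDNs and split hosting also produce
    it. Corroborate with registrar records and with whether the sub-domain
    was created recently under an otherwise ordinary, long-lived apex."""
    apex = apex_of(fqdn)
    sub_ips = set(resolve(fqdn))
    apex_ips = set(resolve(apex))
    divergent = bool(sub_ips) and bool(apex_ips) and sub_ips.isdisjoint(apex_ips)
    return {
        "fqdn": fqdn,
        "apex": apex,
        "sub_ips": sorted(sub_ips),
        "apex_ips": sorted(apex_ips),
        "divergent": divergent,
    }


if __name__ == "__main__":
    for name in ("keli.adultessvensk.info", "www.example.net"):
        r = shadowing_indicators(name)
        print(f"{r['fqdn']:<28} {r['sub_ips']} vs apex {r['apex']} {r['apex_ips']}"
              f" -> {'DIVERGENT' if r['divergent'] else 'consistent'}")
```

A divergent answer is a reason to look closer, not a verdict: the stronger signal for shadowing is a recently created sub-domain under a long-registered apex that still serves its legitimate site.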


SOME ASSOCIATED PROCESS BEHAVIOR FOR HUNTING ENDPOINTS:

[Sysmon Event 1] – iexplore.exe is the parent process of the dropped malware
Image C:\Users\Steven\AppData\Local\Temp\893698.exe
FileVersion 14.12.0.18020
Description Auto Client Reconnect Dialog (Win32)
Product Citrix Receiver
Company Citrix Systems, Inc.
CommandLine "C:\Users\Steven\AppData\Local\Temp\893698.exe"
CurrentDirectory C:\Users\Steven\Desktop\
User Steven-PC\Steven
MALWARE Hashes MD5=8580C4C91EF71B26AF47223461B326D7,SHA256=09242DCBDE80BBC7BE36E2E3CB257AD265C5D3659752DB5A57D01005B6BC0C7B
ParentImage C:\Program Files\Internet Explorer\iexplore.exe
ParentCommandLine "C:\Program Files\Internet Explorer\iexplore.exe"

[Sysmon Event 3] – Network communication to Gozi C2 from Temp directory
Image C:\Users\Steven\AppData\Local\Temp\893698.exe
User Steven-PC\Steven
Protocol tcp
SourceIp 192.168.4.239
DestinationIp 45.147.200.7
DestinationHostname
DestinationPort 443
DestinationPortName https
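The two Sysmon records above turned into hunting logic, as an added example that is not the post's own tooling: flag an Event 1 where a browser spawns an executable directly out of the user's Temp directory, and an Event 3 where such an executable reaches port 443 with an empty DestinationHostname or a known C2 address. The event dicts are constructed from the fields shown on the page (field names are Sysmon's) plus one benign control record; the C2 set is the single address from the IoC list.

```python
"""Hunt over Sysmon Event 1 (process create) and Event 3 (network connect)
records for the pattern this infection shows: a browser spawning an .exe
out of a user's Temp directory, which then connects to port 443 with no
DestinationHostname. Added example, not the post's own tooling. The
records below are constructed from the fields shown on the page plus one
benign control; field names are Sysmon's."""
import re
from typing import Dict, List

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
# Executable living directly in <profile>\AppData\Local\Temp\
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
# C2 address this write-up attributes to Gozi (from the IoC list above).
KNOWN_C2 = {"45.147.200.7"}

TEMP_MALWARE = r"C:\Users\Steven\AppData\Local\Temp\893698.exe"
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "Image": TEMP_MALWARE,
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "User": r"Steven-PC\Steven",
     "Hashes": "MD5=8580C4C91EF71B26AF47223461B326D7,"
               "SHA256=09242DCBDE80BBC7BE36E2E3CB257AD265C5D3659752DB5A57D01005B6BC0C7B"},
    {"EventID": 3, "Image": TEMP_MALWARE, "Protocol": "tcp",
     "SourceIp": "192.168.4.239", "DestinationIp": "45.147.200.7",
     "DestinationHostname": "", "DestinationPort": 443},
    # Constructed benign control: Explorer launching Notepad, no network.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"Steven-PC\Steven",
     "Hashes": "MD5=00000000000000000000000000000000"},
]


def basename(path: str) -> str:
    """Last path component, lower-cased, for comparing image names."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_hashes(hashes: str) -> Dict[str, str]:
    """Split Sysmon's 'ALG=hex,ALG=hex' Hashes field into a dict."""
    return dict(part.split("=", 1) for part in hashes.split(",") if "=" in part)


def hunt(events: List[Dict]) -> List[Dict]:
    """Return one finding per event that matches any hunting rule."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        reasons = []
        if ev.get("EventID") == 1:
            if TEMP_EXE.search(image) and basename(ev.get("ParentImage", "")) in BROWSERS:
                reasons.append("browser spawned an executable from %LOCALAPPDATA%\\Temp")
        elif ev.get("EventID") == 3:
            if TEMP_EXE.search(image):
                reasons.append("network connection from a Temp-directory executable")
                if ev.get("DestinationPort") == 443 and not ev.get("DestinationHostname"):
                    reasons.append("TLS to a bare IP (empty DestinationHostname)")
            if ev.get("DestinationIp") in KNOWN_C2:
                reasons.append("destination matches known Gozi C2")
        if reasons:
            finding = {"EventID": ev["EventID"], "Image": image, "reasons": reasons}
            if "Hashes" in ev:
                finding["sha256"] = parse_hashes(ev["Hashes"]).get("SHA256")
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"Event {f['EventID']} {f['Image']}")
        for r in f["reasons"]:
            print("   -", r)
```

The Temp-directory and browser-parent rules catch the drop regardless of the C2 address, which is the part of this behaviour that survives infrastructure changes; the hash and IP matches are there to tie a hit back to this specific campaign.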

VirusTotal Link:
https://www.virustotal.com/gui/file/09242dcbde80bbc7be36e2e3cb257ad265c5d3659752db5a57d01005b6bc0c7b/detection