zloader | dbe9477ae91c832c2f8749829b9300435efda9299c6dd2b1bd06d49452083827

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

041ebd55472e90b6539ed5d520c01f99_JaffaCakes118.dll
Size

648KB
MD5

041ebd55472e90b6539ed5d520c01f99
SHA1

94cd854b532681dfce63dcd26275ffe735c2cfc2
SHA256

dbe9477ae91c832c2f8749829b9300435efda9299c6dd2b1bd06d49452083827
SHA512

371e5d64c9857b5c417a1080f97911a24c0001d60a989052bafe336264b1a858304f7abb1944de6d799e5e8019c78c32e58103d64dc32ee731cd14e2e33856d7
SSDEEP

12288:ftFeHgffXM9vO6Ca7urSHjoPmWnj+AtPQZwGWXzwjGFiJEvSm6l:fxffXMD7urYinnjvteJWXZievSHl

Score

10^/10

zloader miguel 10/04 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

miguel

Campaign

10/04

https://gynrhcoe.pw/wp-config.php

https://wlqaqife.icu/wp-config.php

Attributes

build_id
142

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2952 set thread context of 800 2952 rundll32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 800 msiexec.exe
Token: SeSecurityPrivilege 800 msiexec.exe

description	pid	process	target process
PID 2952 set thread context of 800	2952	rundll32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	800	msiexec.exe
Token: SeSecurityPrivilege	800	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2344 wrote to memory of 2952	2344	rundll32.exe	rundll32.exe
PID 2344 wrote to memory of 2952	2344	rundll32.exe	rundll32.exe
PID 2344 wrote to memory of 2952	2344	rundll32.exe	rundll32.exe
PID 2344 wrote to memory of 2952	2344	rundll32.exe	rundll32.exe
PID 2344 wrote to memory of 2952	2344	rundll32.exe	rundll32.exe
PID 2344 wrote to memory of 2952	2344	rundll32.exe	rundll32.exe
PID 2344 wrote to memory of 2952	2344	rundll32.exe	rundll32.exe
PID 2952 wrote to memory of 800	2952	rundll32.exe	msiexec.exe
PID 2952 wrote to memory of 800	2952	rundll32.exe	msiexec.exe
PID 2952 wrote to memory of 800	2952	rundll32.exe	msiexec.exe
PID 2952 wrote to memory of 800	2952	rundll32.exe	msiexec.exe
PID 2952 wrote to memory of 800	2952	rundll32.exe	msiexec.exe
PID 2952 wrote to memory of 800	2952	rundll32.exe	msiexec.exe
PID 2952 wrote to memory of 800	2952	rundll32.exe	msiexec.exe
PID 2952 wrote to memory of 800	2952	rundll32.exe	msiexec.exe
PID 2952 wrote to memory of 800	2952	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\041ebd55472e90b6539ed5d520c01f99_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\041ebd55472e90b6539ed5d520c01f99_JaffaCakes118.dll,#1
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:800

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/800-16-0x0000000000090000-0x00000000000C4000-memory.dmp

Filesize
208KB

Download
memory/800-15-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/800-13-0x0000000000090000-0x00000000000C4000-memory.dmp

Filesize
208KB

Download
memory/800-19-0x0000000000090000-0x00000000000C4000-memory.dmp

Filesize
208KB

Download
memory/800-22-0x0000000000090000-0x00000000000C4000-memory.dmp

Filesize
208KB

Download
memory/800-23-0x0000000000090000-0x00000000000C4000-memory.dmp

Filesize
208KB

Download
memory/800-21-0x0000000000090000-0x00000000000C4000-memory.dmp

Filesize
208KB

Download
memory/800-24-0x0000000000090000-0x00000000000C4000-memory.dmp

Filesize
208KB

Download
memory/2952-0-0x0000000074F10000-0x0000000074FC9000-memory.dmp

Filesize
740KB

Download
memory/2952-2-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2952-1-0x0000000074F10000-0x0000000074FC9000-memory.dmp

Filesize
740KB

Download
memory/2952-18-0x0000000074F10000-0x0000000074FC9000-memory.dmp

Filesize
740KB

Download