Overview

overview

10

Static

static

3

041ebd5547...18.dll

windows7-x64

10

041ebd5547...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    67s
  • max time network
    57s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-04-2024 01:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    041ebd55472e90b6539ed5d520c01f99_JaffaCakes118.dll

  • Size

    648KB

  • MD5

    041ebd55472e90b6539ed5d520c01f99

  • SHA1

    94cd854b532681dfce63dcd26275ffe735c2cfc2

  • SHA256

    dbe9477ae91c832c2f8749829b9300435efda9299c6dd2b1bd06d49452083827

  • SHA512

    371e5d64c9857b5c417a1080f97911a24c0001d60a989052bafe336264b1a858304f7abb1944de6d799e5e8019c78c32e58103d64dc32ee731cd14e2e33856d7

  • SSDEEP

    12288:ftFeHgffXM9vO6Ca7urSHjoPmWnj+AtPQZwGWXzwjGFiJEvSm6l:fxffXMD7urYinnjvteJWXZievSHl

Score
10/10
zloadermiguel10/04botnettrojan

Malware Config

Extracted

Family

zloader

Botnet

miguel

Campaign

10/04

C2

https://gynrhcoe.pw/wp-config.php

https://wlqaqife.icu/wp-config.php
Attributes
  • build_id

    142

rc4.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\041ebd55472e90b6539ed5d520c01f99_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\041ebd55472e90b6539ed5d520c01f99_JaffaCakes118.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1312-0-0x0000000075430000-0x00000000754E9000-memory.dmp
    Filesize

    740KB

    Download
  • memory/1312-1-0x0000000075430000-0x00000000754E9000-memory.dmp
    Filesize

    740KB

    Download
  • memory/1312-2-0x0000000000770000-0x0000000000771000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1312-9-0x0000000075430000-0x00000000754E9000-memory.dmp
    Filesize

    740KB

    Download
  • memory/2508-7-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize

    208KB

    Download
  • memory/2508-11-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize

    208KB

    Download
  • memory/2508-12-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize

    208KB

    Download