Overview

overview

10

Static

static

3

1688213bc5...18.dll

windows7-x64

10

1688213bc5...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    05-05-2024 07:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1688213bc5f70643deab5bdb02c0ae6c_JaffaCakes118.dll

  • Size

    570KB

  • MD5

    1688213bc5f70643deab5bdb02c0ae6c

  • SHA1

    b126be6cbc4543a57474a97bf8d4c439de56b4c2

  • SHA256

    3aa6735651a8c21a6beff73d8c0a8ed8e7f5e62165a9f44e85cdedd063464252

  • SHA512

    46798f5350024a6b8ca8303bc6c1cdd97ae13056ea722dd41bf72aaed9bdd627c024669ee4ba5bdc91efb0840965c86b929835f1acb64094705137c1a1cb9c6f

  • SSDEEP

    6144:pXhlbaTbLY6VhaQOJz3utQd24SQ5J5HvoNQ/JyRpYrC:pXh5a7BV83utQd24JvorRpY

Score
10/10
zloaderbat1k2bat1k2botnettrojan

Malware Config

Extracted

Family

zloader

Botnet

bat1k2

Campaign

bat1k2

C2

http://as9897234135.xyz/LKhwojehDgwegSDG/gateJKjdsh.php

http://as9897234135.org/LKhwojehDgwegSDG/gateJKjdsh.php

http://as9897234135.net/LKhwojehDgwegSDG/gateJKjdsh.php

http://as9897234135.in/LKhwojehDgwegSDG/gateJKjdsh.php

http://as9897234135.com/LKhwojehDgwegSDG/gateJKjdsh.php
Attributes
  • build_id

    36

rc4.plain
rsa_pubkey.plain

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Windows\system32\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\1688213bc5f70643deab5bdb02c0ae6c_JaffaCakes118.dll,#1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2336
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe C:\Users\Admin\AppData\Local\Temp\1688213bc5f70643deab5bdb02c0ae6c_JaffaCakes118.dll,#1
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2352
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2152

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2152-3-0x0000000000090000-0x00000000000BD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2152-4-0x00000000000C0000-0x00000000000C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2152-5-0x0000000000090000-0x00000000000BD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2152-9-0x0000000000090000-0x00000000000BD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2152-8-0x0000000000090000-0x00000000000BD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2352-1-0x00000000002A0000-0x00000000002CD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2352-0-0x00000000002A0000-0x00000000002CD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2352-2-0x00000000001C0000-0x000000000020B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2352-6-0x00000000002A0000-0x00000000002CD000-memory.dmp

      Filesize

      180KB

      Download