zloader | 3aa6735651a8c21a6beff73d8c0a8ed8e7f5e62165a9f44e85cdedd063464252

Analysis

max time kernel
133s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1688213bc5f70643deab5bdb02c0ae6c_JaffaCakes118.dll
Size

570KB
MD5

1688213bc5f70643deab5bdb02c0ae6c
SHA1

b126be6cbc4543a57474a97bf8d4c439de56b4c2
SHA256

3aa6735651a8c21a6beff73d8c0a8ed8e7f5e62165a9f44e85cdedd063464252
SHA512

46798f5350024a6b8ca8303bc6c1cdd97ae13056ea722dd41bf72aaed9bdd627c024669ee4ba5bdc91efb0840965c86b929835f1acb64094705137c1a1cb9c6f
SSDEEP

6144:pXhlbaTbLY6VhaQOJz3utQd24SQ5J5HvoNQ/JyRpYrC:pXh5a7BV83utQd24JvorRpY

Score

10^/10

zloader bat1k2 bat1k2 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

bat1k2

Campaign

bat1k2

http://as9897234135.xyz/LKhwojehDgwegSDG/gateJKjdsh.php

http://as9897234135.org/LKhwojehDgwegSDG/gateJKjdsh.php

http://as9897234135.net/LKhwojehDgwegSDG/gateJKjdsh.php

http://as9897234135.in/LKhwojehDgwegSDG/gateJKjdsh.php

http://as9897234135.com/LKhwojehDgwegSDG/gateJKjdsh.php

Attributes

build_id
36

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1620	2324	WerFault.exe	83

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 2324	4192	rundll32.exe	83
PID 4192 wrote to memory of 2324	4192	rundll32.exe	83
PID 4192 wrote to memory of 2324	4192	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1688213bc5f70643deab5bdb02c0ae6c_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1688213bc5f70643deab5bdb02c0ae6c_JaffaCakes118.dll,#1
  2⤵
  PID:2324
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 592
    3⤵
    - Program crash
    PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2324 -ip 2324
1⤵
PID:4820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2324-0-0x0000000000C20000-0x0000000000C6B000-memory.dmp

Filesize
300KB

Download
memory/2324-1-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download