zloader | c91229d90c423cd5b5bf870cec714e5c956058c62f4b2036607d44f1767c50d2

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-05-2024 02:11

Target

22c1b894002c6ffd1fdc2a75b48ddcda_JaffaCakes118.dll
Size

723KB
MD5

22c1b894002c6ffd1fdc2a75b48ddcda
SHA1

5037543f108882d6a0d5b1907d125d40e4126e32
SHA256

c91229d90c423cd5b5bf870cec714e5c956058c62f4b2036607d44f1767c50d2
SHA512

67fe107a5bf13fa041eed46c4477ced5fd1af826cd6fc7e5b0661f3690d1a1eeeb69973ef9ccb50c13bc38740711ad0070daaa4b23ef49c9f28c164a881c4a67
SSDEEP

6144:GuPnPogxyU47hhfJHOtrfIx2yDsOyXMPfMPTPtP/PvPxPLPLPVPbPPxPTPDpP/PY:G4A8h4l1Rmr02GsOynnx9VQ

Score

10^/10

Family

zloader

Botnet

bat1k3

Campaign

bat1k3

http://as9897234135.xyz/LKhwojehDgwegSDG/gateJKjdsh.php

http://as9897234135.org/LKhwojehDgwegSDG/gateJKjdsh.php

http://as9897234135.net/LKhwojehDgwegSDG/gateJKjdsh.php

http://as9897234135.in/LKhwojehDgwegSDG/gateJKjdsh.php

http://as9897234135.com/LKhwojehDgwegSDG/gateJKjdsh.php

Attributes

rc4.plain

rsa_pubkey.plain

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2172 created 1192	2172	rundll32.exe	21

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2172 set thread context of 2512	2172	rundll32.exe	29

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2172	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2172	2452	rundll32.exe	28
PID 2452 wrote to memory of 2172	2452	rundll32.exe	28
PID 2452 wrote to memory of 2172	2452	rundll32.exe	28
PID 2452 wrote to memory of 2172	2452	rundll32.exe	28
PID 2452 wrote to memory of 2172	2452	rundll32.exe	28
PID 2452 wrote to memory of 2172	2452	rundll32.exe	28
PID 2452 wrote to memory of 2172	2452	rundll32.exe	28
PID 2172 wrote to memory of 2512	2172	rundll32.exe	29
PID 2172 wrote to memory of 2512	2172	rundll32.exe	29
PID 2172 wrote to memory of 2512	2172	rundll32.exe	29
PID 2172 wrote to memory of 2512	2172	rundll32.exe	29
PID 2172 wrote to memory of 2512	2172	rundll32.exe	29
PID 2172 wrote to memory of 2512	2172	rundll32.exe	29
PID 2172 wrote to memory of 2512	2172	rundll32.exe	29
PID 2172 wrote to memory of 2512	2172	rundll32.exe	29
PID 2172 wrote to memory of 2512	2172	rundll32.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\22c1b894002c6ffd1fdc2a75b48ddcda_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\22c1b894002c6ffd1fdc2a75b48ddcda_JaffaCakes118.dll,#1
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2172
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2512

memory/2172-0-0x0000000000320000-0x000000000034D000-memory.dmp

Filesize
180KB

Download
memory/2172-2-0x0000000000250000-0x00000000002CC000-memory.dmp

Filesize
496KB

Download
memory/2172-3-0x0000000000320000-0x000000000034D000-memory.dmp

Filesize
180KB

Download
memory/2172-9-0x0000000000320000-0x000000000034D000-memory.dmp

Filesize
180KB

Download
memory/2512-6-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2512-4-0x0000000000090000-0x00000000000BD000-memory.dmp

Filesize
180KB

Download
memory/2512-8-0x0000000000090000-0x00000000000BD000-memory.dmp

Filesize
180KB

Download
memory/2512-10-0x0000000000090000-0x00000000000BD000-memory.dmp

Filesize
180KB

Download
memory/2512-12-0x0000000000090000-0x00000000000BD000-memory.dmp

Filesize
180KB

Download
memory/2512-13-0x0000000000090000-0x00000000000BD000-memory.dmp

Filesize
180KB

Download
memory/2512-15-0x0000000000090000-0x00000000000BD000-memory.dmp

Filesize
180KB

Download