zloader | d7ea78ed27fd9b409d82b101317e7fc3f513efe456de24d62c13d443033e3165

General

Target

7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe
Size

199KB
MD5

7366f05f1ae2ac01e37e0e1585471611
SHA1

38fec58363128d9f2722cb0662b30c20740e9685
SHA256

d7ea78ed27fd9b409d82b101317e7fc3f513efe456de24d62c13d443033e3165
SHA512

8af15534ca621210adf23d22da1f859f76fb10a6857e07167f23cb53ebff39c51d0b38fa7caa26c4de76a63f066ca070f0ff30139dd46335fefd6c9ccebd71ad
SSDEEP

3072:if1BDZ0kVB67Duw9AMcizbPgpgNCfG0UeiWv10DxjumDqcEf/hypWqY3ZRV4+kLX:i9X0G24p2x0HXvSDZTgfZypW9mbb

Score

10^/10

zloader sg sg botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

SG

Campaign

SG

C2

https://imagn.at/LKhwojehDgwegSDG/gateJKjdsh.php

https://freebreez.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://makaronz.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://ricklick.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://litlblockblack.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://vaktorianpackif.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://hbamefphmqsdgkqojgwe.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://wuktmlbilrsbvsbkdetb.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://yrsfuaegsevyffrfsgpj.com/LKhwojehDgwegSDG/gateJKjdsh.php

Attributes

build_id
107

rc4.plain

rsa_pubkey.plain

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2788 created 1204	2788	7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe	21

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Loads dropped DLL 1 IoCs

pid	Process
2240	7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe

Blocklisted process makes network request 7 IoCs

flow	pid	Process
11	2396	msiexec.exe
13	2396	msiexec.exe
14	2396	msiexec.exe
15	2396	msiexec.exe
16	2396	msiexec.exe
17	2396	msiexec.exe
18	2396	msiexec.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2240 set thread context of 2788	2240	7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe	28
PID 2788 set thread context of 2396	2788	7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2788	7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2240	7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe
Token: SeSecurityPrivilege	2396	msiexec.exe
Token: SeSecurityPrivilege	2396	msiexec.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2788	2240	7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2788	2240	7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2788	2240	7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2788	2240	7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2788	2240	7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2788	2240	7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2788	2240	7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2788	2240	7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2788	2240	7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2788	2240	7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2788	2240	7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2788	2240	7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe	28
PID 2788 wrote to memory of 2396	2788	7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe	29
PID 2788 wrote to memory of 2396	2788	7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe	29
PID 2788 wrote to memory of 2396	2788	7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe	29
PID 2788 wrote to memory of 2396	2788	7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe	29
PID 2788 wrote to memory of 2396	2788	7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe	29
PID 2788 wrote to memory of 2396	2788	7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe	29
PID 2788 wrote to memory of 2396	2788	7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe	29
PID 2788 wrote to memory of 2396	2788	7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe	29
PID 2788 wrote to memory of 2396	2788	7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Users\Admin\AppData\Local\Temp\7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7366f05f1ae2ac01e37e0e1585471611_JaffaCakes118.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2788
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA51C.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.txt

Filesize
4B

MD5
f2dd0dedb2c260419ece4a9e03b2e828

SHA1
0aaf76f425c6e0f43a36197de768e67d9e035abb

SHA256
26b25d457597a7b0463f9620f666dd10aa2c4373a505967c7c8d70922a2d6ece

SHA512
fecd7b408089255b3467dc1f7231cc6388c9e1c65dcaa5e50f3b460235d18bc44033b08184018b65ac013fdae68c0088381644a6302b9d89e468f57ff9a005dd

Download Submit
\Users\Admin\AppData\Local\Temp\nso5F41.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/2396-44-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/2396-43-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2396-42-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/2396-51-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/2396-50-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/2396-49-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/2788-47-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2788-17-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2788-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2788-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing