Analysis

  • max time kernel: 146s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 20-08-2024 03:35

General

  • Target: adba2ac8f027946da258155b140c068a_JaffaCakes118.dll
  • Size: 345KB
  • MD5: adba2ac8f027946da258155b140c068a
  • SHA1: 91b1dceb17403910d7aa9bee1029f11153accff4
  • SHA256: b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279
  • SHA512: 356865ecaf00b10af50ec1f7ffdcc89249e1eaf2a1648c970393d7c66359e578ce9d6987f66dc49cb769e36e8ea62c4ff17d6b173bc793b61fa81e11e619229f
  • SSDEEP: 6144:q9xZILKtmfbcPK2U6gRURSxE8efnQe+R+FNHmZ04aR31cdpN0V:q9xZIL1bcPRUrURAOn8gTGCPMwV

Malware Config

Extracted

  • Family: zloader
  • Botnet: nut
  • Campaign: 16/02
  • C2:
    • https://wewalk.cl/post.php
    • https://dpack-co.com/post.php
    • https://dr-mirahmadi.ir/post.php
    • https://indiaastrologyfoundation.in/post.php
    • https://metisacademy.ir/post.php
    • https://lan-samarinda.com/post.php
    • https://pyouleigorgawimbwans.tk/post.php
  • Attributes:
    • build_id: 351
    • rc4.plain
    • rsa_pubkey.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

  • Blocklisted process makes network request (20 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe (PID: 652)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\adba2ac8f027946da258155b140c068a_JaffaCakes118.dll,#1
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\rundll32.exe (PID: 3764)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\adba2ac8f027946da258155b140c068a_JaffaCakes118.dll,#1
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\msiexec.exe (PID: 3528)
        msiexec.exe
        • Blocklisted process makes network request
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID: 1636)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4132,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:8

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4446FC12B68E1A179B3B0CE6496080AE
    Filesize: 1KB
    MD5: 2ac72be869168b36fd74e93016e11e3b
    SHA1: ff9ceb13c83f15b800e6eff987b2c72e01b4b320
    SHA256: 129fb5de501e24041cd14a81075fd1cde257408d4a353e636912e38bdda2d3fb
    SHA512: 691ab3144879b757bb24299bb68a485bcc285ff8f16f590d7bf9ddc930f65cbc99da33f349288ad2242faf26b2af33c2592afc6b65ab6850bffe8dee20274247

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4446FC12B68E1A179B3B0CE6496080AE
    Filesize: 198B
    MD5: ce48df76286e9843e6334d2c630b9d25
    SHA1: 1d7a90eadbfe103a098632511baae3cc19fba10e
    SHA256: e8566ccd45a5cf6e023a2de11798d0c5afe979e26aa4e269ea92d337122a9f10
    SHA512: 2a257d8c65cc4b0e93ae5a8bbb2d9139ca8a6081a3590bedaf95ae92a19672653d45bf7b996f16516f5d995201f3f58b06da24ef05c43eaf610dbd2400e5760c

  • memory/3528-10-0x0000000000D80000-0x0000000000DA9000-memory.dmp (Filesize: 164KB)
  • memory/3528-13-0x0000000000D80000-0x0000000000DA9000-memory.dmp (Filesize: 164KB)
  • memory/3528-4-0x0000000000D80000-0x0000000000DA9000-memory.dmp (Filesize: 164KB)
  • memory/3528-12-0x0000000000D80000-0x0000000000DA9000-memory.dmp (Filesize: 164KB)
  • memory/3528-11-0x0000000000D80000-0x0000000000DA9000-memory.dmp (Filesize: 164KB)
  • memory/3528-8-0x0000000000D80000-0x0000000000DA9000-memory.dmp (Filesize: 164KB)
  • memory/3764-3-0x0000000074880000-0x0000000074935000-memory.dmp (Filesize: 724KB)
  • memory/3764-6-0x00000000748D7000-0x00000000748DB000-memory.dmp (Filesize: 16KB)
  • memory/3764-7-0x0000000074880000-0x0000000074935000-memory.dmp (Filesize: 724KB)
  • memory/3764-0-0x00000000748D7000-0x00000000748DB000-memory.dmp (Filesize: 16KB)
  • memory/3764-2-0x0000000074880000-0x0000000074935000-memory.dmp (Filesize: 724KB)
  • memory/3764-1-0x0000000074880000-0x0000000074935000-memory.dmp (Filesize: 724KB)