zloader | 21587aadce40fc29bdf220e3ad7b63e87f9210dcc3742cf77dc7544438b8db32

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcb6960b9f204fe1a299e44d011964c3_JaffaCakes118.dll
Size

155KB
MD5

bcb6960b9f204fe1a299e44d011964c3
SHA1

9463ef0923c751223a676fd962d90345edf198ac
SHA256

21587aadce40fc29bdf220e3ad7b63e87f9210dcc3742cf77dc7544438b8db32
SHA512

1b075f1ae357e8d1af4a86c687a674a58991e108b2a7c2d45dda9119bc3d1f111c491176e034266efd741f687e203d4ee91d2a13d3f7ad74a06ebb69cd14dae1
SSDEEP

3072:h35KkzBoJJ9DGW4tJ80rV81TSFtIWzepbhfm4OPdvl7h8iCP:edDGpJ8+V8CtIauh+4udkiC

Score

10^/10

zloader nut 16/02 botnet discovery trojan

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

16/02

https://wewalk.cl/post.php

https://dpack-co.com/post.php

https://dr-mirahmadi.ir/post.php

https://indiaastrologyfoundation.in/post.php

https://metisacademy.ir/post.php

https://lan-samarinda.com/post.php

https://pyouleigorgawimbwans.tk/post.php

Attributes

build_id
351

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 23 IoCs

Processes:

msiexec.exe

flow	pid	process
51	708	msiexec.exe
52	708	msiexec.exe
54	708	msiexec.exe
55	708	msiexec.exe
56	708	msiexec.exe
57	708	msiexec.exe
59	708	msiexec.exe
61	708	msiexec.exe
63	708	msiexec.exe
64	708	msiexec.exe
68	708	msiexec.exe
69	708	msiexec.exe
78	708	msiexec.exe
79	708	msiexec.exe
81	708	msiexec.exe
84	708	msiexec.exe
85	708	msiexec.exe
86	708	msiexec.exe
89	708	msiexec.exe
90	708	msiexec.exe
97	708	msiexec.exe
102	708	msiexec.exe
103	708	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1752 set thread context of 708 1752 rundll32.exe msiexec.exe

description	pid	process	target process
PID 1752 set thread context of 708	1752	rundll32.exe	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

rundll32.exemsiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 708 msiexec.exe
Token: SeSecurityPrivilege 708 msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	708	msiexec.exe
Token: SeSecurityPrivilege	708	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 732 wrote to memory of 1752	732	rundll32.exe	rundll32.exe
PID 732 wrote to memory of 1752	732	rundll32.exe	rundll32.exe
PID 732 wrote to memory of 1752	732	rundll32.exe	rundll32.exe
PID 1752 wrote to memory of 708	1752	rundll32.exe	msiexec.exe
PID 1752 wrote to memory of 708	1752	rundll32.exe	msiexec.exe
PID 1752 wrote to memory of 708	1752	rundll32.exe	msiexec.exe
PID 1752 wrote to memory of 708	1752	rundll32.exe	msiexec.exe
PID 1752 wrote to memory of 708	1752	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bcb6960b9f204fe1a299e44d011964c3_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:732
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\bcb6960b9f204fe1a299e44d011964c3_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4446FC12B68E1A179B3B0CE6496080AE

Filesize
1KB

MD5
2ac72be869168b36fd74e93016e11e3b

SHA1
ff9ceb13c83f15b800e6eff987b2c72e01b4b320

SHA256
129fb5de501e24041cd14a81075fd1cde257408d4a353e636912e38bdda2d3fb

SHA512
691ab3144879b757bb24299bb68a485bcc285ff8f16f590d7bf9ddc930f65cbc99da33f349288ad2242faf26b2af33c2592afc6b65ab6850bffe8dee20274247

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4446FC12B68E1A179B3B0CE6496080AE

Filesize
198B

MD5
a898b93829be8f6feb32833ddab9aa38

SHA1
2807bc50cdbd247f815c2c5a8acb4a4b4de8019b

SHA256
27bb4aae66bee8f8285c81137949826ad049346ac68205d900402ece7452984e

SHA512
0cd55ac60a0ef1d4c2d2e6f55bde33fab1af41c50567aeb47ad88e6e3a14d7f1ffe0a59dc784610e678921ed85f81eda09a239f8a1cb69a14d49422934127833

Download Submit
memory/708-0-0x00000000010F0000-0x0000000001119000-memory.dmp

Filesize
164KB

Download
memory/708-1-0x00000000010F0000-0x0000000001119000-memory.dmp

Filesize
164KB

Download
memory/708-4-0x00000000010F0000-0x0000000001119000-memory.dmp

Filesize
164KB

Download
memory/708-5-0x00000000010F0000-0x0000000001119000-memory.dmp

Filesize
164KB

Download
memory/708-3-0x00000000010F0000-0x0000000001119000-memory.dmp

Filesize
164KB

Download
memory/708-6-0x00000000010F0000-0x0000000001119000-memory.dmp

Filesize
164KB

Download