Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07-09-2024 17:56

General

  • Target

    d2852a3b2a20846528cec53426fd5f9c_JaffaCakes118.dll

  • Size

    362KB

  • MD5

    d2852a3b2a20846528cec53426fd5f9c

  • SHA1

    1fa892f9280708e7c82e958bec516bb2b09351f3

  • SHA256

    8e50da51386c2f267afaf1a419e4467d62c01c9704f0e17c4aa188d0c090c8b2

  • SHA512

    247fae9f2c9bdca9d7eb4f44996e7e28d2cd9b7c87ea05a15b72ecb073750c8d9199d585771366687c43d802eb474e9486bb328d2984abeb4aacee62916ca2b6

  • SSDEEP

    6144:X5fVAHOvzY7zHY0Uxen/0TP1a2arz7JjOGG3v2WYXmpHdwpc2:X5wgmY0ZMTZIOGyv2WYWNdI

Malware Config

Extracted

Family

zloader

Botnet

kev

Campaign

08/02

C2

https://earfetti.com/post.php

https://evalynews.com/post.php

https://zeistatwalk.tk/post.php

https://spiraninendreamneu.tk/post.php

Attributes
  • build_id

    332

rc4.plain
rsa_pubkey.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2852a3b2a20846528cec53426fd5f9c_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2852a3b2a20846528cec53426fd5f9c_JaffaCakes118.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2796

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2244-0-0x0000000074819000-0x000000007481D000-memory.dmp

    Filesize

    16KB

  • memory/2244-1-0x00000000747C0000-0x0000000074830000-memory.dmp

    Filesize

    448KB

  • memory/2244-2-0x00000000747C0000-0x0000000074830000-memory.dmp

    Filesize

    448KB

  • memory/2244-10-0x00000000747C0000-0x0000000074830000-memory.dmp

    Filesize

    448KB

  • memory/2244-9-0x0000000074819000-0x000000007481D000-memory.dmp

    Filesize

    16KB

  • memory/2796-5-0x00000000000C0000-0x00000000000C1000-memory.dmp

    Filesize

    4KB

  • memory/2796-3-0x0000000000090000-0x00000000000B9000-memory.dmp

    Filesize

    164KB

  • memory/2796-7-0x0000000000090000-0x00000000000B9000-memory.dmp

    Filesize

    164KB

  • memory/2796-11-0x00000000747C0000-0x00000000747C9000-memory.dmp

    Filesize

    36KB

  • memory/2796-15-0x0000000000090000-0x00000000000B9000-memory.dmp

    Filesize

    164KB

  • memory/2796-14-0x0000000000090000-0x00000000000B9000-memory.dmp

    Filesize

    164KB

  • memory/2796-13-0x0000000000090000-0x00000000000B9000-memory.dmp

    Filesize

    164KB