Overview

overview

10

Static

static

3

d2852a3b2a...18.dll

windows7-x64

10

d2852a3b2a...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-09-2024 17:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d2852a3b2a20846528cec53426fd5f9c_JaffaCakes118.dll

  • Size

    362KB

  • MD5

    d2852a3b2a20846528cec53426fd5f9c

  • SHA1

    1fa892f9280708e7c82e958bec516bb2b09351f3

  • SHA256

    8e50da51386c2f267afaf1a419e4467d62c01c9704f0e17c4aa188d0c090c8b2

  • SHA512

    247fae9f2c9bdca9d7eb4f44996e7e28d2cd9b7c87ea05a15b72ecb073750c8d9199d585771366687c43d802eb474e9486bb328d2984abeb4aacee62916ca2b6

  • SSDEEP

    6144:X5fVAHOvzY7zHY0Uxen/0TP1a2arz7JjOGG3v2WYXmpHdwpc2:X5wgmY0ZMTZIOGyv2WYWNdI

Score
10/10
zloaderkev08/02botnetdiscoverytrojan

Malware Config

Extracted

Family

zloader

Botnet

kev

Campaign

08/02

C2

https://earfetti.com/post.php

https://evalynews.com/post.php

https://zeistatwalk.tk/post.php

https://spiraninendreamneu.tk/post.php
Attributes
  • build_id

    332

rc4.plain
rsa_pubkey.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2852a3b2a20846528cec53426fd5f9c_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2852a3b2a20846528cec53426fd5f9c_JaffaCakes118.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4008
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2992

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2992-3-0x00000000008D0000-0x00000000008F9000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2992-9-0x00000000008D0000-0x00000000008F9000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2992-10-0x00000000008D0000-0x00000000008F9000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2992-8-0x00000000008D0000-0x00000000008F9000-memory.dmp

    Filesize

    164KB

    Download

  • memory/4008-0-0x00000000756C9000-0x00000000756CD000-memory.dmp

    Filesize

    16KB

    Download

  • memory/4008-1-0x0000000075670000-0x00000000756E0000-memory.dmp

    Filesize

    448KB

    Download

  • memory/4008-2-0x0000000075670000-0x00000000756E0000-memory.dmp

    Filesize

    448KB

    Download

  • memory/4008-6-0x0000000075670000-0x00000000756E0000-memory.dmp

    Filesize

    448KB

    Download

  • memory/4008-5-0x00000000756C9000-0x00000000756CD000-memory.dmp

    Filesize

    16KB

    Download