zloader | 384f3719ba4fbcf355cc206e27f3bfca94e7bf14dd928de62ab5f74de90df34a

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb8439d5ee379f19d25c2445d28e135a_JaffaCakes118.dll
Size

144KB
MD5

eb8439d5ee379f19d25c2445d28e135a
SHA1

5426510acb07efc464c47bbe0cc413489365a3d9
SHA256

384f3719ba4fbcf355cc206e27f3bfca94e7bf14dd928de62ab5f74de90df34a
SHA512

5bbda761ff6c0286d346dd0fda5df2abeeb6ffb81149d0537db969feb682658dc1e5a75bb1d09a13398b26fee4163ace7d35bbd69196628b3daef53c0efdc982
SSDEEP

3072:c2kHDNNqo9hPNER+/2p1Ludye/w4FeNqEKJ7exog/Dt5eFSbvth90:cZHRNNbuc2HLxrgL7exx5ecv

Score

10^/10

zloader botnet discovery persistence trojan

Malware Config

Extracted

Family

zloader

Attributes

build_id
49

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Aguh = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Byyhed\\ebcec.dll,DllRegisterServer"	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 1672 set thread context of 2124 1672 regsvr32.exe msiexec.exe

description	pid	process	target process
PID 1672 set thread context of 2124	1672	regsvr32.exe	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

regsvr32.exemsiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 2124 msiexec.exe
Token: SeSecurityPrivilege 2124 msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	2124	msiexec.exe
Token: SeSecurityPrivilege	2124	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 2784 wrote to memory of 1672	2784	regsvr32.exe	regsvr32.exe
PID 2784 wrote to memory of 1672	2784	regsvr32.exe	regsvr32.exe
PID 2784 wrote to memory of 1672	2784	regsvr32.exe	regsvr32.exe
PID 1672 wrote to memory of 2124	1672	regsvr32.exe	msiexec.exe
PID 1672 wrote to memory of 2124	1672	regsvr32.exe	msiexec.exe
PID 1672 wrote to memory of 2124	1672	regsvr32.exe	msiexec.exe
PID 1672 wrote to memory of 2124	1672	regsvr32.exe	msiexec.exe
PID 1672 wrote to memory of 2124	1672	regsvr32.exe	msiexec.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\eb8439d5ee379f19d25c2445d28e135a_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\eb8439d5ee379f19d25c2445d28e135a_JaffaCakes118.dll
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2124-0-0x0000000000360000-0x0000000000389000-memory.dmp

Filesize
164KB

Download
memory/2124-2-0x0000000000360000-0x0000000000389000-memory.dmp

Filesize
164KB

Download
memory/2124-3-0x0000000000360000-0x0000000000389000-memory.dmp

Filesize
164KB

Download