zloader | 830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46

General

Target

efddc2807ecbdffd694cd97936404053_JaffaCakes118.dll
Size

493KB
MD5

efddc2807ecbdffd694cd97936404053
SHA1

c68b7b94e591fbc4cda9bdb8c2caaa33880464c7
SHA256

830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46
SHA512

e6b0fd0f52c5b7e82bb66d08c4a3f8a4bddf1ce75c140e73afb4c1f57131df81e5d39f7833de15b40e980f0605bfd1840f81b610134634db000f6e18388bf09a
SSDEEP

12288:WsCr6MfAEtHaqxnXmtkl0CMh+1wY7JuegO4I9y:Wsi6MBtHBzlRMg1wY34I9y

Score

10^/10

zloader nut 18/02 botnet discovery trojan

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

18/02

C2

https://ramkanshop.ir/post.php

https://lph786.com/post.php

https://efaschoolfarooka.com/post.php

https://forexstick.com/post.php

https://firteccom.com/post.php

https://www.psychologynewmind.com/post.php

https://dirashightapbide.tk/post.php

Attributes

build_id
358

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 24 IoCs

flow	pid	Process
14	1436	msiexec.exe
15	1436	msiexec.exe
16	1436	msiexec.exe
17	1436	msiexec.exe
18	1436	msiexec.exe
19	1436	msiexec.exe
20	1436	msiexec.exe
21	1436	msiexec.exe
22	1436	msiexec.exe
23	1436	msiexec.exe
24	1436	msiexec.exe
25	1436	msiexec.exe
26	1436	msiexec.exe
27	1436	msiexec.exe
28	1436	msiexec.exe
29	1436	msiexec.exe
30	1436	msiexec.exe
31	1436	msiexec.exe
32	1436	msiexec.exe
33	1436	msiexec.exe
34	1436	msiexec.exe
36	1436	msiexec.exe
37	1436	msiexec.exe
38	1436	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1088 set thread context of 1436	1088	rundll32.exe	32

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1436	msiexec.exe
Token: SeSecurityPrivilege	1436	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1088	2108	rundll32.exe	30
PID 2108 wrote to memory of 1088	2108	rundll32.exe	30
PID 2108 wrote to memory of 1088	2108	rundll32.exe	30
PID 2108 wrote to memory of 1088	2108	rundll32.exe	30
PID 2108 wrote to memory of 1088	2108	rundll32.exe	30
PID 2108 wrote to memory of 1088	2108	rundll32.exe	30
PID 2108 wrote to memory of 1088	2108	rundll32.exe	30
PID 1088 wrote to memory of 1436	1088	rundll32.exe	32
PID 1088 wrote to memory of 1436	1088	rundll32.exe	32
PID 1088 wrote to memory of 1436	1088	rundll32.exe	32
PID 1088 wrote to memory of 1436	1088	rundll32.exe	32
PID 1088 wrote to memory of 1436	1088	rundll32.exe	32
PID 1088 wrote to memory of 1436	1088	rundll32.exe	32
PID 1088 wrote to memory of 1436	1088	rundll32.exe	32
PID 1088 wrote to memory of 1436	1088	rundll32.exe	32
PID 1088 wrote to memory of 1436	1088	rundll32.exe	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\efddc2807ecbdffd694cd97936404053_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\efddc2807ecbdffd694cd97936404053_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1088-0-0x0000000074EEA000-0x0000000074EEE000-memory.dmp

Filesize
16KB

Download
memory/1088-2-0x0000000074E70000-0x0000000074F4D000-memory.dmp

Filesize
884KB

Download
memory/1088-1-0x0000000074E70000-0x0000000074F4D000-memory.dmp

Filesize
884KB

Download
memory/1088-3-0x0000000074E70000-0x0000000074F4D000-memory.dmp

Filesize
884KB

Download
memory/1088-11-0x0000000074E70000-0x0000000074F4D000-memory.dmp

Filesize
884KB

Download
memory/1088-10-0x0000000074EEA000-0x0000000074EEE000-memory.dmp

Filesize
16KB

Download
memory/1436-8-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/1436-6-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1436-5-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/1436-12-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/1436-14-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/1436-16-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/1436-15-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/1436-17-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing