Resubmissions

04-12-2024 03:12

241204-dqgwvaypcy 10

03-12-2024 21:44

241203-1lvy8swjgv 10

25-09-2024 06:02

240925-grgh9asblg 10

Analysis

  • max time kernel
    41s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    04-12-2024 03:12

General

  • Target

    f55920966b4970588ce643af0fcc03a7_JaffaCakes118.dll

  • Size

    422KB

  • MD5

    f55920966b4970588ce643af0fcc03a7

  • SHA1

    97c44c58f24358442cb1811a7694e5b395e82d61

  • SHA256

    0d533321292f6854d7f9705a738d58ee5941c93b52674681083ec5c21a987ab1

  • SHA512

    b5e6f91e65eacd6c1ad5f563f0d9184fd21fb88848008c7ea568d7c40c63fcbf217eeee2830a521313a3152e538821a469630fe951e760405972afae8516023e

  • SSDEEP

    12288:yClc4hq+Ytl63+YzGKBTpJHtvgqYe7S9S:Tlc4kBl6OabpFtGgS0

Malware Config

Extracted

Family

zloader

Attributes
  • build_id

    49

Signatures

  • Zloader family
  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f55920966b4970588ce643af0fcc03a7_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f55920966b4970588ce643af0fcc03a7_JaffaCakes118.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2024
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        3⤵
        PID:2976
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef8289758,0x7fef8289768,0x7fef8289778
      2⤵
      PID:2560
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1204 --field-trial-handle=1428,i,14281494693301095308,9435695558475411951,131072 /prefetch:2
      2⤵
      PID:1988
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1548 --field-trial-handle=1428,i,14281494693301095308,9435695558475411951,131072 /prefetch:8
      2⤵
      PID:1908
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1640 --field-trial-handle=1428,i,14281494693301095308,9435695558475411951,131072 /prefetch:8
      2⤵
      PID:2856
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2284 --field-trial-handle=1428,i,14281494693301095308,9435695558475411951,131072 /prefetch:1
      2⤵
      PID:2444
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1428,i,14281494693301095308,9435695558475411951,131072 /prefetch:1
      2⤵
      PID:548
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1520 --field-trial-handle=1428,i,14281494693301095308,9435695558475411951,131072 /prefetch:2
      2⤵
      PID:2076
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2880 --field-trial-handle=1428,i,14281494693301095308,9435695558475411951,131072 /prefetch:1
      2⤵
      PID:848
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3752 --field-trial-handle=1428,i,14281494693301095308,9435695558475411951,131072 /prefetch:8
      2⤵
      PID:784
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3720 --field-trial-handle=1428,i,14281494693301095308,9435695558475411951,131072 /prefetch:1
      2⤵
      PID:1920
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3732 --field-trial-handle=1428,i,14281494693301095308,9435695558475411951,131072 /prefetch:8
      2⤵
      PID:2644
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3852 --field-trial-handle=1428,i,14281494693301095308,9435695558475411951,131072 /prefetch:8
      2⤵
      PID:2944
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=1752 --field-trial-handle=1428,i,14281494693301095308,9435695558475411951,131072 /prefetch:1
      2⤵
      PID:2768
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    PID:1120
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\InstallSuspend.3gp"
    1⤵
    PID:2376
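The rundll32 chain above is the part of the tree worth writing detection for: the 64-bit rundll32 in system32 loads the DLL from the user's Temp directory by ordinal export (the ",#1" form), relaunches the 32-bit rundll32 in SysWOW64 with the same DLL (which tells you the DLL is 32-bit), and that process starts msiexec.exe with an empty command line, the usual sign of a process being started as an injection host rather than to install anything. The only WriteProcessMemory flag in that chain sits on PID 2660. The chrome.exe, elevation_service.exe and vlc.exe trees carry none of this pattern and are the sandbox's own user simulation. The Python below is an added example and is not part of the sandbox report or of the sandbox's rule set: the process events are constructed to mirror the tree above (the event fields and the "flags" list are assumptions about what a process-creation log would carry), and the memory-dump names are parsed from the report's own naming pattern so the candidate injected region in PID 2976 can be sized.

```python
"""Triage rules for the rundll32 -> rundll32 (WOW64) -> msiexec.exe chain seen in the report."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int                 # 0 = root of the tree (no recorded parent)
    image: str                # full image path as logged
    cmdline: str
    flags: List[str] = field(default_factory=list)  # behaviour flags attached by the sandbox (assumed field)


# Constructed events mirroring the report's process tree; not an export from the sandbox.
EVENTS = [
    ProcEvent(2660, 0, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\f55920966b4970588ce643af0fcc03a7_JaffaCakes118.dll,#1",
              ["WriteProcessMemory"]),
    ProcEvent(2024, 2660, r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\f55920966b4970588ce643af0fcc03a7_JaffaCakes118.dll,#1"),
    ProcEvent(2976, 2024, r"C:\Windows\SysWOW64\msiexec.exe", "msiexec.exe"),
    # Sandbox user-simulation noise from the same report; must not fire.
    ProcEvent(2676, 0, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'),
    ProcEvent(2376, 0, r"C:\Program Files\VideoLAN\VLC\vlc.exe",
              r'"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\InstallSuspend.3gp"'),
]

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.I)
ORDINAL_EXPORT = re.compile(r"\.dll,#\d+\b", re.I)
DLL_ARG = re.compile(r"([a-z]:\\[^,\s\"]+\.dll)", re.I)


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_rundll32_ordinal(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> bool:
    """rundll32 running a DLL from a user-writable directory by ordinal export."""
    return (base(ev.image) == "rundll32.exe"
            and bool(USER_WRITABLE.search(ev.cmdline))
            and bool(ORDINAL_EXPORT.search(ev.cmdline)))


def rule_wow64_relaunch(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> bool:
    """system32 rundll32 relaunching SysWOW64 rundll32 with the same DLL: the DLL is 32-bit."""
    parent = by_pid.get(ev.ppid)
    if parent is None or base(ev.image) != "rundll32.exe" or base(parent.image) != "rundll32.exe":
        return False
    child_dll, parent_dll = DLL_ARG.search(ev.cmdline), DLL_ARG.search(parent.cmdline)
    return ("\\syswow64\\" in ev.image.lower() and "\\system32\\" in parent.image.lower()
            and child_dll is not None and parent_dll is not None
            and child_dll.group(1).lower() == parent_dll.group(1).lower())


def rule_msiexec_no_args(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> bool:
    """msiexec.exe started by rundll32 with an empty command line: an injection host, not an install."""
    parent = by_pid.get(ev.ppid)
    bare = ev.cmdline.strip().strip('"').lower()
    return (base(ev.image) == "msiexec.exe" and parent is not None
            and base(parent.image) == "rundll32.exe"
            and bare in ("msiexec.exe", ev.image.lower()))


RULES = {
    "rundll32_ordinal_export_from_user_path": rule_rundll32_ordinal,
    "wow64_rundll32_relaunch": rule_wow64_relaunch,
    "msiexec_no_args_under_rundll32": rule_msiexec_no_args,
}


def findings(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    by_pid = {e.pid: e for e in events}
    return [(name, e.pid) for e in events for name, rule in RULES.items() if rule(e, by_pid)]


def ancestors_with_flag(pid: int, events: List[ProcEvent], flag: str) -> List[int]:
    """PIDs in pid's ancestry (pid included) that carry the given flag, nearest first."""
    by_pid = {e.pid: e for e in events}
    hits, seen, cur = [], set(), by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        if flag in cur.flags:
            hits.append(cur.pid)
        cur = by_pid.get(cur.ppid)
    return hits


# The report names dumps memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp; same region, many snapshots.
DUMP_NAME = re.compile(r"memory/(\d+)-(\d+)-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp", re.I)


def dump_regions(names: List[str]) -> Dict[int, Set[Tuple[int, int, int]]]:
    """Group dump names into distinct (start, end, size) regions per PID."""
    out: Dict[int, Set[Tuple[int, int, int]]] = {}
    for n in names:
        m = DUMP_NAME.fullmatch(n)
        if m:
            pid, start, end = int(m.group(1)), int(m.group(3), 16), int(m.group(4), 16)
            out.setdefault(pid, set()).add((start, end, end - start))
    return out


# A subset of the dump names listed in the report's Downloads section.
DUMPS = [
    "memory/2024-0-0x0000000002330000-0x0000000002CA0000-memory.dmp",
    "memory/2024-97-0x0000000002394000-0x0000000002397000-memory.dmp",
    "memory/2976-175-0x00000000000C0000-0x00000000000C1000-memory.dmp",
    "memory/2976-194-0x0000000000090000-0x00000000000BC000-memory.dmp",
]

if __name__ == "__main__":
    for name, pid in findings(EVENTS):
        print(f"{name}: PID {pid}")
    print("WriteProcessMemory in ancestry of 2976:", ancestors_with_flag(2976, EVENTS, "WriteProcessMemory"))
    for pid, regions in dump_regions(DUMPS).items():
        for start, end, size in sorted(regions):
            print(f"PID {pid}: 0x{start:X}-0x{end:X} ({size // 1024} KB)")
```

Run stand-alone it reports the three rule hits (PIDs 2660, 2024 and 2976), the WriteProcessMemory flag on PID 2660 in the msiexec process's ancestry, and two distinct regions for PID 2976, the 176 KB one at 0x90000 being the one to carve first when looking for the injected payload.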

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\64efb2e0-8d63-4681-8612-714fdea89d19.tmp
    Filesize: 350KB
    MD5: a8bbb732147477a3d769d22858a061d8
    SHA1: c361b71a7c246e4f9a9e27fe1815a075dddc0937
    SHA256: eb181c18b3006fcb2c76fc8cd88a41b83c1fe82bb471cb84a98e545c01b5f995
    SHA512: f721a46f34362e39656199adf7c5c1a459ab0d901fe1cace694e1688e4bc4c21c540d18f942f65e9f280c030c1522e0defb9ecc4e56181d49e52ac5ea505984a

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001
    Filesize: 215KB
    MD5: 2be38925751dc3580e84c3af3a87f98d
    SHA1: 8a390d24e6588bef5da1d3db713784c11ca58921
    SHA256: 1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b
    SHA512: 1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 168B
    MD5: cfdcec294a4803d4d8ab5eb704a872e6
    SHA1: 230f90a8a1e05d4bd9d9cce89f29fae9e6f82a5c
    SHA256: ec0d91ec6af07df1977213247abb67bbde50f63ec58fb9a9cf39d0653a03e57c
    SHA512: eeae3729dea127f924a481c70140f06ea07af9ac0261b1ca8e11bcec40a272d0d09eff8b76029223826d44eba23ff54aa0d59f960525de15bae1c04eee030a52

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 168B
    MD5: 23fb30ea42a16fc072a23b503948ef01
    SHA1: 0bea0e5ff6f30f384f8dbec28605c79cd307a4fb
    SHA256: 15524afffd31a69c72fe76c87a81bbfa2fa7f9a0ae97089ee9ab333172a2d2e2
    SHA512: b3a7c23bd5f26e52823c4ad976e930f1c4ae4d7aa20b7c8b75bf78207a5ef06b9b4db2bce1a03034bba301243a9ae02bbfad91c1d521b60d3ab0a28c7984027f

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 168B
    MD5: 7c0e0fbf512916750614c9fca968f3c1
    SHA1: c59bb0d22bf9b3cee37bd43237fa24625d8c4922
    SHA256: cc5aa448e6537f61e6fea72194473f04fcfed1e9c9cc0dcf26d2ae08ad86f56a
    SHA512: 903bfa40929969f56d4902770ca8e12c8d93dcbe30d45f3aae838b2e863393ab00d80757df45b5a209cabbaed661fbac9e4c1e0d6cd896231801898a396a131d

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
    Filesize: 264KB
    MD5: f50f89a0a91564d0b8a211f8921aa7de
    SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
    SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
    SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity~RFf79194b.TMP
    Filesize: 361B
    MD5: dc7d221f5eb04fe87288b92b5b37c3df
    SHA1: ddf903d09668a9473dc4b3a86b40b497ead375c2
    SHA256: fbd9212b0461816aadad68c1c4d686301e83672554ea93c34171e6249f680eac
    SHA512: f429272505c7eccbb6d6e0ccd13cb49419c5dc433b4a5aae3a8b1acc607817f910fbf140ef90983685f97df4a9f71ee045bd5133381f000b79bf3d00125ca841

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 5KB
    MD5: d91a458a7abbbc59e6c543c8a3001900
    SHA1: 2f621f013342d29b2d592ea95ec1acd42437bd37
    SHA256: 24a4a1fd72ef84068d11736f161933306d201af4ecef535c9a37255d70d92911
    SHA512: c3e1b5b8d06a87813acc45dd21fd9f2bb700f5661a3e99887e697033b3faa51548d72b7f5aa3a7d20abcf1ddb2559263df6c77dc4e2f8fd16670f28973bcde2d

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 5KB
    MD5: bd716ba557dc70130678e501fbcc4c2c
    SHA1: 005b8afad936cc00b898378def14578c78003039
    SHA256: 28ce14d9df19f1263e001d1239ae363d546cc1977963a1e048523c7b876c7691
    SHA512: e7ff25e40a62c45b23a6144c957776d5aad380ea47a36af014e44cfa6a09bd3c0400f9aa9eef227f9fc594b4d28ab01a5f16c0fe6f9e6512dd1bab40fc4a740d

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 121243136f4bf3f0fcd9c76b6e04e8d5
    SHA1: 4072b53844c47c95a213da71a6c93659749107b3
    SHA256: 71b4f94a39eb49c38ad3a6d679afc7d4feb0db2876bb51ab05327db66bc0b3ab
    SHA512: f1aa8bf7359ee5d9fd2f4721de68fca53ba444aaa42c84aa161fc156f6f1520adf56daad873ce1f131e95b2833ad7a8a9fc9be11756c6f01832f69578ec946ed

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 6KB
    MD5: aaebf8e8218faec57e8e1b8fe04375ce
    SHA1: 6aa5be7372f73abfe30bbeb943a76551b2f91641
    SHA256: 5d88e5db1f023462598a683433ac31b8457a41d80c00b747852ce8580bfc1832
    SHA512: 6420fcc1d5c3f6faf52bf418d92d07a406a5a1d95dccea556221eea60c62fa765bdadecf4d3b9531401bd12344ef5b9c0d130da12e9c222f7efd6fa722df749b

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
    Filesize: 16B
    MD5: 18e723571b00fb1694a3bad6c78e4054
    SHA1: afcc0ef32d46fe59e0483f9a3c891d3034d12f32
    SHA256: 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
    SHA512: 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize: 349KB
    MD5: f57c24e2bbbd633a233504cf6690405e
    SHA1: 47f6ec8f0f8631a1d875f2235b75c15871462c37
    SHA256: 168ded2f7fd86dafd48e7d88befdc56e099dd6bf1c708723a71ebd1325d45922
    SHA512: 6375016576b758235af1fe9599860c8c9dc5633463a9417257c161f3d9408f67568984db312918005d175007c6e7d7f767aec0c0139052c079d48d913e26cdf9

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize: 170KB
    MD5: 49a03fb81842cba5ee73aa27c6f8a71b
    SHA1: d9173859099bc0cde9c923906f2e8bed623d991c
    SHA256: f79c1aca9dbdd21a6421d7a7d88b0d605dc456ca02ec49a980ff493bda2de1c6
    SHA512: 17f5264adf5e8cb65659d84e324016440d721dc3ce1ad0973045f23b533ed79bfcac454cbf5628546920b2bb6f6cf1447ea1652fb1b114b123f611d87ddd8fbb

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize: 366KB
    MD5: 7a5f35d8b7787285d33442489fbe5131
    SHA1: 32132e215f9461d03259151845a5667154ac6a2c
    SHA256: 23ee667c8c77563809d28cd2a3f9b8f56670cb2198f502e4dcd8b5b3724c876e
    SHA512: 58e32bbabda22425ccd0c3a831c84bb8c6f19c15f6806c0dfa378567586489d6a79218d2cc811e6045a6aa47c44c16169acac616cbe73825e422d3d185642b7c

  • \??\pipe\crashpad_2676_RVFYJFMANKISMSPE
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • memory/2024-120-0x0000000002330000-0x0000000002CA0000-memory.dmp
    Filesize: 9.4MB

  • memory/2024-177-0x0000000002330000-0x0000000002CA0000-memory.dmp
    Filesize: 9.4MB

  • memory/2024-96-0x0000000002330000-0x0000000002CA0000-memory.dmp
    Filesize: 9.4MB

  • memory/2024-123-0x0000000002330000-0x0000000002CA0000-memory.dmp
    Filesize: 9.4MB

  • memory/2024-155-0x0000000002330000-0x0000000002CA0000-memory.dmp
    Filesize: 9.4MB

  • memory/2024-0-0x0000000002330000-0x0000000002CA0000-memory.dmp
    Filesize: 9.4MB

  • memory/2024-97-0x0000000002394000-0x0000000002397000-memory.dmp
    Filesize: 12KB

  • memory/2024-150-0x0000000002330000-0x0000000002CA0000-memory.dmp
    Filesize: 9.4MB

  • memory/2024-143-0x0000000002330000-0x0000000002CA0000-memory.dmp
    Filesize: 9.4MB

  • memory/2976-175-0x00000000000C0000-0x00000000000C1000-memory.dmp
    Filesize: 4KB

  • memory/2976-194-0x0000000000090000-0x00000000000BC000-memory.dmp
    Filesize: 176KB

  • memory/2976-193-0x0000000000090000-0x00000000000BC000-memory.dmp
    Filesize: 176KB

  • memory/2976-174-0x0000000000090000-0x00000000000BC000-memory.dmp
    Filesize: 176KB

  • memory/2976-176-0x0000000000090000-0x00000000000BC000-memory.dmp
    Filesize: 176KB
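Two checks worth running before anything from the General or Downloads sections goes into an IOC set. First, confirm that the file you actually hold matches all four digests the report gives for the submitted DLL, since the report is only evidence about the bytes it was given. Second, notice that the \??\pipe\crashpad_2676_RVFYJFMANKISMSPE entry carries exactly the MD5, SHA1, SHA256 and SHA512 of zero bytes (d41d8cd9..., da39a3ee..., e3b0c442..., cf83e135...): the sandbox hashed no content for it, so it is not usable as a file indicator, and an IOC pipeline should drop such entries automatically. The Python below is an added example, not the sandbox's code; the digest tables are copied from this report, and the empty-input digests are derived by hashing b"" rather than hard-coded.

```python
"""Verify a held sample against the report's digests and drop zero-byte entries from an IOC list."""
import hashlib
from typing import Dict, List, Tuple

ALGOS = ("md5", "sha1", "sha256", "sha512")

# Digests copied from the report's General section for the submitted DLL.
REPORTED_SAMPLE = {
    "md5": "f55920966b4970588ce643af0fcc03a7",
    "sha1": "97c44c58f24358442cb1811a7694e5b395e82d61",
    "sha256": "0d533321292f6854d7f9705a738d58ee5941c93b52674681083ec5c21a987ab1",
    "sha512": "b5e6f91e65eacd6c1ad5f563f0d9184fd21fb88848008c7ea568d7c40c63fcbf217eeee2830a521313a3152e538821a469630fe951e760405972afae8516023e",
}
# Digests copied from the report's entry for \??\pipe\crashpad_2676_RVFYJFMANKISMSPE.
REPORTED_PIPE = {
    "md5": "d41d8cd98f00b204e9800998ecf8427e",
    "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
}


def digest_bytes(data: bytes) -> Dict[str, str]:
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def digest_file(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    """Stream the file once and feed every hash object, so a large sample is not read four times."""
    hashes = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashes.items()}


# Digests of zero bytes, computed rather than trusted from memory.
EMPTY_INPUT = digest_bytes(b"")


def compare(actual: Dict[str, str], reported: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm match, case-insensitive on the reported side, for algorithms both sides have."""
    return {a: actual[a] == reported[a].strip().lower() for a in reported if a in actual}


def all_match(actual: Dict[str, str], reported: Dict[str, str]) -> bool:
    res = compare(actual, reported)
    return bool(res) and all(res.values())


def is_empty_artifact(reported: Dict[str, str]) -> bool:
    """True when every digest given is the digest of zero bytes: the entry has no content to match on."""
    known = [a for a in reported if a in EMPTY_INPUT]
    return bool(known) and all(reported[a].strip().lower() == EMPTY_INPUT[a] for a in known)


def triage_iocs(entries: Dict[str, Dict[str, str]]) -> Tuple[List[str], List[str]]:
    """Split a {name: digests} table into (usable, zero-byte) name lists."""
    usable: List[str] = []
    empty: List[str] = []
    for name, digests in entries.items():
        (empty if is_empty_artifact(digests) else usable).append(name)
    return usable, empty


if __name__ == "__main__":
    import sys
    usable, empty = triage_iocs({
        "f55920966b4970588ce643af0fcc03a7_JaffaCakes118.dll": REPORTED_SAMPLE,
        r"\??\pipe\crashpad_2676_RVFYJFMANKISMSPE": REPORTED_PIPE,
    })
    print("usable:", usable)
    print("zero-byte, dropped:", empty)
    if len(sys.argv) > 1:  # optional: path to the sample you hold
        print("held file matches report:", all_match(digest_file(sys.argv[1]), REPORTED_SAMPLE))
```

Pass the path of the DLL you hold as the only argument to get the match result; with no argument it only triages the two table entries. The comparison lowercases the reported side because hash values are pasted in mixed case more often than one would expect, and a false mismatch from case costs more analyst time than the check saves.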