Analysis

W32/Zbot.JAIK!tr is a detection for botnet malware that may be capable of remote-access connection handling, performing Denial of Service (DoS) or Distributed DoS (DDoS) attacks, capturing keyboard input, deleting files or objects, and terminating processes.

The following are the behaviours of the botnet:

  • Injects malicious code into explorer.exe and creates a mutex whose name is a randomly generated SID

  • Makes a copy of itself in %APPDATA%/[random folder name]/[random name].exe

  • Deletes the original copy of itself

  • Creates the following registry entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run [random SID]: [random folder name]/[random name].exe (the path where it dropped the copy of itself)

  • Connects to a series of hardcoded IP addresses before finally connecting to a generated domain name.
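The persistence pattern above (a Run value named with a SID, pointing at an executable one folder below %APPDATA%) can be checked against an export of the HKCU Run key. The script below is an added example, not part of this analysis page; the registry entries it inspects are constructed sample data, not indicators from any real infection.

```python
import re
from typing import List, Tuple

# Matches "%APPDATA%\<folder>\<name>.exe" or its expanded form under the
# roaming profile, exactly one folder deep, as described for this sample.
APPDATA_RE = re.compile(
    r"^(?:%APPDATA%|[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming)"
    r"\\([^\\]+)\\([^\\]+\.exe)$",
    re.IGNORECASE,
)
# Windows SID string format (S-1-5-21-...); the Run value name is a random SID.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Constructed sample of (value name, command) pairs as they would appear in an
# export of HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
SAMPLE_RUN_ENTRIES: List[Tuple[str, str]] = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("S-1-5-21-1004336348-1177238915-682003330-1009", r"C:\Users\alice\AppData\Roaming\Ixebu\kuteg.exe"),
    ("Spotify", r'"C:\Users\alice\AppData\Roaming\Spotify\Spotify.exe" --autostart'),
]


def normalise_command(command: str) -> str:
    """Return the executable path from a Run command, dropping quotes and arguments."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def flag_run_entries(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (name, path, reasons) for entries matching the persistence pattern.

    A path hit alone is only a lead (legitimate software also installs into
    %APPDATA%\\<vendor>\\); a path hit plus a SID-shaped value name is the
    combination this sample produces and deserves immediate review.
    """
    hits = []
    for name, command in entries:
        path = normalise_command(command)
        reasons = []
        if APPDATA_RE.match(path):
            reasons.append("executable directly under %APPDATA%\\<folder>\\")
        if SID_RE.match(name):
            reasons.append("value name is a SID string")
        if reasons:
            hits.append((name, path, reasons))
    return hits


if __name__ == "__main__":
    for name, path, reasons in flag_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"{name}: {path}  <- {'; '.join(reasons)}")
```

On a live Windows host the same (name, command) pairs can be enumerated with the standard-library winreg module and passed to flag_run_entries unchanged.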
