Download zbot 1.22
Run this file through your terminal or command prompt. In your terminal or command prompt, enter the command to run the ZBot jar file. The command takes both the IP address of the Jira server instance and its port number; provide both to proceed. Provide a name for your ZBot so that you can recognize it later, for example when creating test automation tasks. After providing the name, you have the option to start, stop or kill your ZBot on the server.
To perform any of these actions, simply enter the commands into your terminal or command prompt. This ZLoader variant is in active development. We have seen 25 versions released since the first one 1. As can be seen in Table 1, about new versions have been released each week:
[Table 1: release timeline by month; columns: December, January, February, March, April]
At the time of writing, version 1. ZLoader employs several anti-analysis mechanisms to make it more difficult to detect and reverse engineer. An example of junk code and constant obfuscation can be seen in Figure The rest of the code is superfluous and is used to distract the analyst.
A Python implementation of the hashing algorithm is available on our GitHub. Table 2 lists some example Windows API functions and their hash values:
[Table 2: columns: Windows API Function, Hash Value]
The next anti-analysis mechanism is the encryption of strings. While it varies by campaign, we observed aggressive blacklisting of sandboxes and malware analysis systems, and significant blocking based on the geography of the connecting source IP address.
Figure 2 shows an example of the BaseConfig decryption function. It uses RC4 with a hardcoded key e. An example plaintext config is shown in Figure The POST data is encrypted in two layers.
The first layer is RC4 using the key from the BaseConfig. The header is bytes in size and contains:
The response data is encrypted similarly to requests. Once decrypted, it also typically uses the BinStorage structure. Botnet string from the BaseConfig.
Click your username in the top-right corner of the main Zephyr screen and select Download ZBot from the menu. In the subsequent dialog, specify a name for your ZBot so that you can easily identify it in Zephyr, and click Download. You can start ZBot right after downloading; there is no need to configure it in any way.
You can also schedule ZBot to start automatically. A job is a task with a number of parameters; you use it to automate your test cases. A Script Automation job triggers an automation script that retrieves data from the specified test automation tool through ZBot and passes it to Zephyr. Job types: Script Automation, Suite Automation, Folder Watcher. For more information on Vortex, see Zephyr Vortex.