Analysis Overview
SHA256
bd7c06c6abb5fffe264a20b08aca73e7da11f2450cc8b9ecc63591d41ef83ccc
Threat Level: Known bad
The file 4aebbec0edebbe61d2245514793ab647_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
Remcos
ZGRat
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-31 02:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-31 02:38
Reported
2024-03-31 02:41
Platform
win7-20240221-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Remcos
ZGRat
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2384 set thread context of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cacgroups.hopto.org | udp |
Files
memory/2384-0-0x0000000001250000-0x00000000013A8000-memory.dmp
memory/2384-1-0x0000000073FC0000-0x00000000746AE000-memory.dmp
memory/2384-2-0x00000000010E0000-0x0000000001228000-memory.dmp
memory/2384-3-0x0000000073FC0000-0x00000000746AE000-memory.dmp
memory/2384-5-0x0000000004BF0000-0x0000000004C30000-memory.dmp
memory/2384-6-0x0000000000BA0000-0x0000000000BF0000-memory.dmp
\Users\Admin\AppData\Local\Temp\RegAsm.exe
| MD5 | b58b926c3574d28d5b7fdd2ca3ec30d5 |
| SHA1 | d260c4ffd603a9cfc057fcb83d678b1cecdf86f9 |
| SHA256 | 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3 |
| SHA512 | b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab |
memory/2704-10-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2704-12-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2704-14-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2704-16-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2704-18-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2704-20-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2704-22-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2704-24-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2704-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2704-28-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2704-31-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2384-32-0x0000000073FC0000-0x00000000746AE000-memory.dmp
memory/2704-36-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2704-37-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2704-39-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2704-41-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2704-42-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2704-48-0x0000000000400000-0x0000000000479000-memory.dmp
C:\Users\Admin\AppData\Roaming\remcos\logs.dat
| MD5 | dc7853dc2f9fbed6647df1c39817ef03 |
| SHA1 | 2b845deee5f0489a9623503e5edf9fb36cb49074 |
| SHA256 | 9f64e23ff868a3a69387e9b035a38b48106384e4eab81e2af845baa855ceb625 |
| SHA512 | 5abdfed9bdb41e70bcf6803147bc528ade90b787de336e7409f200be50f1479058c367e89cf48a0e9340ee54786d4b9dca82c8c5a1aa11c5f4412601f128263a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-31 02:38
Reported
2024-03-31 02:41
Platform
win10v2004-20231215-en
Max time kernel
149s
Max time network
146s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Remcos
ZGRat
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2244 set thread context of 4344 | N/A | C:\Users\Admin\AppData\Local\Temp\4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 219.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | N/A | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cacgroups.hopto.org | udp |
| US | 8.8.8.8:53 | cacgroups.hopto.org | udp |
| US | 8.8.8.8:53 | cacgroups.hopto.org | udp |
| US | 8.8.8.8:53 | cacgroups.hopto.org | udp |
| US | 8.8.8.8:53 | cacgroups.hopto.org | udp |
| US | 8.8.8.8:53 | cacgroups.hopto.org | udp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cacgroups.hopto.org | udp |
| US | 8.8.8.8:53 | cacgroups.hopto.org | udp |
| US | 8.8.8.8:53 | cacgroups.hopto.org | udp |
| US | 8.8.8.8:53 | cacgroups.hopto.org | udp |
| US | 8.8.8.8:53 | cacgroups.hopto.org | udp |
| US | 8.8.8.8:53 | cacgroups.hopto.org | udp |
| US | 8.8.8.8:53 | cacgroups.hopto.org | udp |
| US | 8.8.8.8:53 | cacgroups.hopto.org | udp |
| US | 8.8.8.8:53 | cacgroups.hopto.org | udp |
| US | 8.8.8.8:53 | cacgroups.hopto.org | udp |
| US | 8.8.8.8:53 | cacgroups.hopto.org | udp |
| US | 8.8.8.8:53 | cacgroups.hopto.org | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
memory/2244-0-0x0000000000800000-0x0000000000958000-memory.dmp
memory/2244-1-0x0000000074C70000-0x0000000075420000-memory.dmp
memory/2244-2-0x0000000005340000-0x0000000005488000-memory.dmp
memory/2244-3-0x0000000074C70000-0x0000000075420000-memory.dmp
memory/2244-5-0x00000000054F0000-0x0000000005500000-memory.dmp
memory/2244-6-0x0000000005490000-0x00000000054E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
| MD5 | 0d5df43af2916f47d00c1573797c1a13 |
| SHA1 | 230ab5559e806574d26b4c20847c368ed55483b0 |
| SHA256 | c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc |
| SHA512 | f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2 |
memory/4344-8-0x0000000000400000-0x0000000000479000-memory.dmp
memory/4344-13-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2244-12-0x0000000074C70000-0x0000000075420000-memory.dmp
memory/4344-14-0x0000000000400000-0x0000000000479000-memory.dmp
memory/4344-16-0x0000000000400000-0x0000000000479000-memory.dmp
memory/4344-17-0x0000000000400000-0x0000000000479000-memory.dmp
memory/4344-19-0x0000000000400000-0x0000000000479000-memory.dmp
memory/4344-20-0x0000000000400000-0x0000000000479000-memory.dmp
memory/4344-21-0x0000000000400000-0x0000000000479000-memory.dmp
memory/4344-22-0x0000000000400000-0x0000000000479000-memory.dmp
C:\Users\Admin\AppData\Roaming\remcos\logs.dat
| MD5 | dc7853dc2f9fbed6647df1c39817ef03 |
| SHA1 | 2b845deee5f0489a9623503e5edf9fb36cb49074 |
| SHA256 | 9f64e23ff868a3a69387e9b035a38b48106384e4eab81e2af845baa855ceb625 |
| SHA512 | 5abdfed9bdb41e70bcf6803147bc528ade90b787de336e7409f200be50f1479058c367e89cf48a0e9340ee54786d4b9dca82c8c5a1aa11c5f4412601f128263a |