Analysis Overview
SHA256
61a69b0eb00727462d5599153fb2acb617d15fcc2e9e4ec3270a5fca8837a3ba
Threat Level: Known bad
The file 962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Xloader
Detect ZGRat V1
ZGRat
Xloader payload
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-02 20:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-02 20:15
Reported
2024-04-02 20:18
Platform
win7-20240221-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe
Network
Files
memory/2156-0-0x00000000002E0000-0x000000000042C000-memory.dmp
memory/2156-1-0x00000000743E0000-0x0000000074ACE000-memory.dmp
memory/2156-2-0x0000000004810000-0x000000000494E000-memory.dmp
memory/2156-3-0x00000000743E0000-0x0000000074ACE000-memory.dmp
memory/2156-4-0x0000000001F60000-0x0000000001FA0000-memory.dmp
memory/2156-5-0x00000000002B0000-0x00000000002DE000-memory.dmp
memory/2156-6-0x00000000743E0000-0x0000000074ACE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-02 20:15
Reported
2024-04-02 20:18
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
158s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xloader
ZGRat
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1988 set thread context of 4472 | N/A | C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\962ae24141e7b1abf36ae99d1fbc7315_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.203.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| NL | 142.251.39.106:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 106.39.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 13.107.246.64:443 | tcp | |
| US | 8.8.8.8:53 | 5.11.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
Files
memory/1988-0-0x00000000005B0000-0x00000000006FC000-memory.dmp
memory/1988-1-0x0000000074BF0000-0x00000000753A0000-memory.dmp
memory/1988-2-0x0000000005120000-0x000000000525E000-memory.dmp
memory/1988-3-0x0000000074BF0000-0x00000000753A0000-memory.dmp
memory/1988-4-0x0000000004FC0000-0x0000000004FD0000-memory.dmp
memory/1988-5-0x00000000050C0000-0x00000000050EE000-memory.dmp
memory/4472-6-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4472-8-0x0000000001AD0000-0x0000000001E1A000-memory.dmp
memory/1988-9-0x0000000074BF0000-0x00000000753A0000-memory.dmp