Malware Analysis Report

2025-01-02 03:22

Sample ID 240404-atcvhshf98
Target aade455507f667318c83c42a95b3fc3c_JaffaCakes118
SHA256 b774d45c6788cc48716eee3e81002e5b74996a3c2610967f3d19115646ca4d6a
Tags
remcos zgrat remotehost persistence rat
score
10/10

Analysis Overview

score
10/10

SHA256

b774d45c6788cc48716eee3e81002e5b74996a3c2610967f3d19115646ca4d6a

Threat Level: Known bad

The file aade455507f667318c83c42a95b3fc3c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

remcos zgrat remotehost persistence rat

Remcos

ZGRat

Detect ZGRat V1

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-04-04 00:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 00:29

Reported

2024-04-04 00:32

Platform

win7-20240221-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aade455507f667318c83c42a95b3fc3c_JaffaCakes118.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Remcos

rat remcos

ZGRat

rat zgrat

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\notepad = "\"C:\\Users\\Admin\\AppData\\Local\\notepad.exe\"" C:\Users\Admin\AppData\Local\Temp\aade455507f667318c83c42a95b3fc3c_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aade455507f667318c83c42a95b3fc3c_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aade455507f667318c83c42a95b3fc3c_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1704 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\aade455507f667318c83c42a95b3fc3c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\aade455507f667318c83c42a95b3fc3c_JaffaCakes118.exe
(the same write event from PID 1704 to PID 2484 is recorded 16 times)

Processes

C:\Users\Admin\AppData\Local\Temp\aade455507f667318c83c42a95b3fc3c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\aade455507f667318c83c42a95b3fc3c_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\aade455507f667318c83c42a95b3fc3c_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\aade455507f667318c83c42a95b3fc3c_JaffaCakes118.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lplazadtemins.duckdns.org udp
UA 194.147.140.45:443 lplazadtemins.duckdns.org tcp
UA 194.147.140.45:443 lplazadtemins.duckdns.org tcp
UA 194.147.140.45:443 lplazadtemins.duckdns.org tcp
US 8.8.8.8:53 lplazadtemins.duckdns.org udp
UA 194.147.140.45:443 lplazadtemins.duckdns.org tcp
UA 194.147.140.45:443 lplazadtemins.duckdns.org tcp

Files

C:\Users\Admin\AppData\Roaming\remcos\logs.dat

MD5 b3040e142cfdd8a4cad832f2d80e25b4
SHA1 1cb34bc494fd63af359479f4f305fdad9376c3d2
SHA256 84684ff3594e1ff36a2ec4c106fafe63cf93d20d97889b985805ae35fd017899
SHA512 38c4bcfec91dc7d067cdaf3f12096d2c5e42ef05bafed5221bff7b501592a455978cf473a41b0c6c324d3cfd43659f5cc44d032b7f6d596d1314255686477d15

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 00:29

Reported

2024-04-04 00:32

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aade455507f667318c83c42a95b3fc3c_JaffaCakes118.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Remcos

rat remcos

ZGRat

rat zgrat

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notepad = "\"C:\\Users\\Admin\\AppData\\Local\\notepad.exe\"" C:\Users\Admin\AppData\Local\Temp\aade455507f667318c83c42a95b3fc3c_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aade455507f667318c83c42a95b3fc3c_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aade455507f667318c83c42a95b3fc3c_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1804 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\aade455507f667318c83c42a95b3fc3c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\aade455507f667318c83c42a95b3fc3c_JaffaCakes118.exe
(the same write event from PID 1804 to PID 224 is recorded 12 times)

Processes

C:\Users\Admin\AppData\Local\Temp\aade455507f667318c83c42a95b3fc3c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\aade455507f667318c83c42a95b3fc3c_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\aade455507f667318c83c42a95b3fc3c_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\aade455507f667318c83c42a95b3fc3c_JaffaCakes118.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 152.33.115.104.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 lplazadtemins.duckdns.org udp
UA 194.147.140.45:443 lplazadtemins.duckdns.org tcp
UA 194.147.140.45:443 lplazadtemins.duckdns.org tcp
US 8.8.8.8:53 201.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
UA 194.147.140.45:443 lplazadtemins.duckdns.org tcp
US 8.8.8.8:53 lplazadtemins.duckdns.org udp
UA 194.147.140.45:443 lplazadtemins.duckdns.org tcp
UA 194.147.140.45:443 lplazadtemins.duckdns.org tcp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Roaming\remcos\logs.dat

MD5 741f42745981fa96cab4b0ffec136795
SHA1 633ec14ab06fbfae81dc2aa372d9d8bb3fda1af7
SHA256 0904eac72d2d439ce60dc15c2e55e47bb158935585f1e2d0fffff3e4c8b354e7
SHA512 c332ebd8b46e07970712022ad7b2d51b372a05f9d3d6f2faf3a238b8e15038c91b638c05b94c84fef25eda4fe48b5a22aaf8398b31d80d7147fa6c49a5cef7c4