Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-04-2024 19:21

General

  • Target: e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
  • Size: 947KB
  • MD5: e5ac6f9f85c0e55f0d164afa56a45890
  • SHA1: 06f0eccf410176d514b86b02f602699d58d56b5a
  • SHA256: f173cd6a86e6aaf1ebaddd4e14b8933516246d1bb320ddbe7c221895bb9281b6
  • SHA512: 7d067b3a1f13057588c6cbb751b9ce16fd4d444af130780d9ade2ded97ba43160a0bdf70eae33459483d73e737f8e99f096053b8b7213192ef08c5bbb3f2a075
  • SSDEEP: 12288:O1UVGInYjg53VLFvth+w7GodQpbelTw4cMb9eQ1kPHSlFi48soHo:O1UVGInYj6vv/Nv+kTJ9kQ1SyLoH

Signatures

  • Detect ZGRat V1 (33 IoCs)
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • outlook_office_path (1 IoC)
  • outlook_win_path (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe (PID 1888, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe"
    Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2), 15 instances, each with the command line
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      • PID 3020: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      • PID 1712: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      • PID 1644: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      • PID 1864: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      • PID 1648: Suspicious behavior: EnumeratesProcesses
      • PID 2748: Suspicious behavior: EnumeratesProcesses
      • PID 268: Suspicious behavior: EnumeratesProcesses
      • PID 2368: Suspicious behavior: EnumeratesProcesses
      • PID 1748: Suspicious behavior: EnumeratesProcesses
      • PID 2248: Suspicious behavior: EnumeratesProcesses
      • PID 1516: Suspicious behavior: EnumeratesProcesses
      • PID 2024: Suspicious behavior: EnumeratesProcesses
      • PID 2460: Suspicious behavior: EnumeratesProcesses
      • PID 1352: Suspicious behavior: EnumeratesProcesses
      • PID 992: Suspicious behavior: EnumeratesProcesses
    • C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe (PID 2492, depth 2)
      Command line: C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
      Signatures: Accesses Microsoft Outlook profiles; outlook_office_path; outlook_win_path

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize: 7KB
    MD5: db646c29325a13637d357b458b12684d
    SHA1: 4d386717ffc95cc7effd21ad57603c54b0b563bc
    SHA256: 7c360adb4296af585a387c0b2b897801b08aca67ddd5f16b45fca92d0d2e3d74
    SHA512: b79c06e142f9844815f70b3a0bc9a2c49db3536bb092eeaf5bc2d4d18afa6813d95eac9e92ae49457614384deb192f9571f448b15feb9323db4eae960ed6bf8e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize: 7KB
    MD5: af7135eb3edcf89dd1502dfc2cbc6b0a
    SHA1: 5fedf75e6e424ea57ec9fcbe72af23acefc3a7ca
    SHA256: 2f684760b996b855dd76bbd796b59b8b0c78d8d99264009bcb1e2dc6e774daf6
    SHA512: ec90eca8e55877c66342eb40e76b9afa462f130171d967e77c4ea116d3c5f6039669505d1ef5f02031f86a7ae4fc6981e55b40b89703b7840c7ac77ecd974050

  • \??\PIPE\srvsvc
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
