Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

ecf7e1dba8...18.exe

windows7-x64

9

ecf7e1dba8...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/04/2024, 08:15 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ecf7e1dba888e815ec3b2a05dc2a4b13_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    ecf7e1dba888e815ec3b2a05dc2a4b13

  • SHA1

    cc68c2eed09f46ddf19e42ba4160dd14cf0c3949

  • SHA256

    6226b37a948914ea8bdfb9e8a1d35e26349ba1be6809ece009584a5627f52188

  • SHA512

    df839884a0ceda1feeeb1de6848a1eb620142e85c9804ce531ed156da530d8000fd9f5c481657aaceae334f85f1ecb3984574f644d52e7834d2065824e1dc48c

  • SSDEEP

    24576:FBJkmZYyxZvX9WFypOpcDnuWa9aktyqNQKe5GKrLr:amZYoZVIpckaktDQOK3

Score
10/10
massloggerzgratcollectionevasionratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main payload 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ecf7e1dba888e815ec3b2a05dc2a4b13_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ecf7e1dba888e815ec3b2a05dc2a4b13_JaffaCakes118.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Checks computer location settings
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:644
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ecf7e1dba888e815ec3b2a05dc2a4b13_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2164
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uhYLboPPS.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1364
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uhYLboPPS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpED6D.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2688
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uhYLboPPS.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2792
    • C:\Users\Admin\AppData\Local\Temp\ecf7e1dba888e815ec3b2a05dc2a4b13_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\ecf7e1dba888e815ec3b2a05dc2a4b13_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:4520

Network

  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.197.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.197.17.2.in-addr.arpa
    IN PTR
    Response
    240.197.17.2.in-addr.arpa
    IN PTR
    a2-17-197-240deploystaticakamaitechnologiescom
  • flag-us
    DNS
    73.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    17.143.109.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    17.143.109.104.in-addr.arpa
    IN PTR
    Response
    17.143.109.104.in-addr.arpa
    IN PTR
    a104-109-143-17deploystaticakamaitechnologiescom
  • flag-us
    DNS
    api.ipify.org
    ecf7e1dba888e815ec3b2a05dc2a4b13_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    api.ipify.org
    IN A
    Response
    api.ipify.org
    IN A
    104.26.13.205
    api.ipify.org
    IN A
    172.67.74.152
    api.ipify.org
    IN A
    104.26.12.205
  • flag-us
    GET
    http://api.ipify.org/
    ecf7e1dba888e815ec3b2a05dc2a4b13_JaffaCakes118.exe
    Remote address:
    104.26.13.205:80
    Request
    GET / HTTP/1.1
    Host: api.ipify.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Thu, 11 Apr 2024 08:16:38 GMT
    Content-Type: text/plain
    Content-Length: 14
    Connection: keep-alive
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8729891dab2a6403-LHR
  • flag-us
    DNS
    205.13.26.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    205.13.26.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • 104.26.13.205:80
    http://api.ipify.org/
    http
    ecf7e1dba888e815ec3b2a05dc2a4b13_JaffaCakes118.exe
    247 B
     362 B
     4
    3

    HTTP Request

    GET http://api.ipify.org/

    HTTP Response

    200
  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    240.197.17.2.in-addr.arpa
    dns
    71 B
     135 B
     1
    1

    DNS Request

    240.197.17.2.in-addr.arpa

  • 8.8.8.8:53
    73.159.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    73.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    17.143.109.104.in-addr.arpa
    dns
    73 B
     139 B
     1
    1

    DNS Request

    17.143.109.104.in-addr.arpa

  • 8.8.8.8:53
    api.ipify.org
    dns
    ecf7e1dba888e815ec3b2a05dc2a4b13_JaffaCakes118.exe
    59 B
     107 B
     1
    1

    DNS Request

    api.ipify.org

    DNS Response

    104.26.13.205
    172.67.74.152
    104.26.12.205

  • 8.8.8.8:53
    205.13.26.104.in-addr.arpa
    dns
    72 B
     134 B
     1
    1

    DNS Request

    205.13.26.104.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    1cfba7e7d52cd0e19c9be9d18d6c1b32

    SHA1

    3ffcb5e2102b9f2037cc0a74159137f5a1c903e8

    SHA256

    21e23a198407ddcedf4e404d4c82b3a1f38dc280acc5fc6543ce34a121d575a5

    SHA512

    da7f0a55d9f53d1e71e537854b2ce258a2f984209bf5ce7b2d0abd009c153293eb00a70a7c34acbb800f8ca8a5ff65ab72f9e310de42baf3cea2137d79672ab5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wopfgana.zxc.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpED6D.tmp
    Filesize

    1KB

    MD5

    f36ae5bb10c0a250c03cc14b0f348ab9

    SHA1

    8c385fc7de2029f29fd1f741c991d5ff7441b2c8

    SHA256

    62c04d4e8d0ce7925d134b0127a7728fae83e94e2818611cd7357838e42816bd

    SHA512

    18ae7086021120108bccf62d73c23852c7e18d3a2c4d6e10c3d930767622389cd6ac13903026065d62acddb9664efe802eb8a160f534b381eb4b5cb638ce609e

    Download Submit

  • memory/644-55-0x00000000745D0000-0x0000000074D80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/644-4-0x0000000005960000-0x00000000059F2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/644-5-0x0000000005810000-0x0000000005820000-memory.dmp

    Filesize

    64KB

    Download

  • memory/644-7-0x0000000005B60000-0x0000000005BB6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/644-8-0x0000000005E70000-0x0000000005E88000-memory.dmp

    Filesize

    96KB

    Download

  • memory/644-9-0x00000000745D0000-0x0000000074D80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/644-10-0x0000000005810000-0x0000000005820000-memory.dmp

    Filesize

    64KB

    Download

  • memory/644-11-0x0000000007650000-0x000000000774E000-memory.dmp

    Filesize

    1016KB

    Download

  • memory/644-12-0x0000000009D50000-0x0000000009E02000-memory.dmp

    Filesize

    712KB

    Download

  • memory/644-1-0x00000000745D0000-0x0000000074D80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/644-3-0x0000000005F10000-0x00000000064B4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/644-2-0x00000000058C0000-0x000000000595C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/644-6-0x0000000005AF0000-0x0000000005AFA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/644-0-0x0000000000EE0000-0x0000000001030000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/644-13-0x000000000D800000-0x000000000D866000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1364-114-0x0000000007CA0000-0x0000000007CAE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1364-115-0x0000000007CB0000-0x0000000007CC4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1364-39-0x0000000002E60000-0x0000000002E70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1364-97-0x0000000002E60000-0x0000000002E70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1364-86-0x000000007FD70000-0x000000007FD80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1364-37-0x00000000745D0000-0x0000000074D80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1364-117-0x0000000007D90000-0x0000000007D98000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1364-120-0x00000000745D0000-0x0000000074D80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1364-87-0x000000006F380000-0x000000006F3CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1364-40-0x0000000002E60000-0x0000000002E70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2164-101-0x00000000745D0000-0x0000000074D80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2164-33-0x0000000005FC0000-0x0000000006314000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2164-126-0x00000000745D0000-0x0000000074D80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2164-14-0x0000000004F50000-0x0000000004F86000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2164-15-0x00000000745D0000-0x0000000074D80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2164-18-0x0000000002B70000-0x0000000002B80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2164-17-0x00000000055C0000-0x0000000005BE8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2164-68-0x00000000076B0000-0x00000000076E2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2164-69-0x000000006F380000-0x000000006F3CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2164-79-0x0000000006A70000-0x0000000006A8E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2164-81-0x0000000002B70000-0x0000000002B80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2164-82-0x00000000076F0000-0x0000000007793000-memory.dmp

    Filesize

    652KB

    Download

  • memory/2164-80-0x0000000002B70000-0x0000000002B80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2164-67-0x000000007F3A0000-0x000000007F3B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2164-83-0x0000000007E20000-0x000000000849A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2164-84-0x00000000077E0000-0x00000000077FA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2164-85-0x0000000007850000-0x000000000785A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2164-38-0x0000000006560000-0x00000000065AC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2164-35-0x00000000064B0000-0x00000000064CE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2164-116-0x0000000007B20000-0x0000000007B3A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2164-98-0x0000000007A60000-0x0000000007AF6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2164-99-0x00000000079E0000-0x00000000079F1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2164-16-0x0000000002B70000-0x0000000002B80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2164-20-0x0000000005DE0000-0x0000000005E46000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2164-19-0x00000000054E0000-0x0000000005502000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2164-113-0x0000000002B70000-0x0000000002B80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2792-127-0x00000000745D0000-0x0000000074D80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2792-111-0x000000007FB00000-0x000000007FB10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2792-100-0x000000006F380000-0x000000006F3CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2792-112-0x0000000003030000-0x0000000003040000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2792-56-0x00000000745D0000-0x0000000074D80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2792-57-0x0000000003030000-0x0000000003040000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4520-52-0x00000000745D0000-0x0000000074D80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4520-51-0x00000000050A0000-0x00000000050E4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4520-53-0x0000000004E80000-0x0000000004E90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4520-41-0x0000000000400000-0x000000000049A000-memory.dmp

    Filesize

    616KB

    Download

  • memory/4520-128-0x00000000709E0000-0x00000000709F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4520-129-0x0000000004E80000-0x0000000004E90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4520-130-0x00000000745D0000-0x0000000074D80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4520-131-0x0000000004E80000-0x0000000004E90000-memory.dmp

    Filesize

    64KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.