matiex | 2f9c6244fa0ed0d62188100de444fdd5244a3930ba845d5615322ff89e85bbf8

General

Target

ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
Size

780KB
MD5

ee012ccf95286d03ea9cc4d508fee46e
SHA1

03d86e7dad5b312e03bd3d928c1514f293d79051
SHA256

2f9c6244fa0ed0d62188100de444fdd5244a3930ba845d5615322ff89e85bbf8
SHA512

c9c95663c3a5e25d8e0d97870387b7ca7a735409297655c590f3117299b3feda7c47dd476ac8e207259f5ead961fe77dbbc5f1b3a2defbb99531bf78e3d656f2
SSDEEP

12288:0l6ttSwR5amrYMNygJvPch2tFbwv7IhpSxITamCTnKeWzzJnWqN2Ev2K1Bc5BmM0:ryk5nCIhx6B

Score

10^/10

matiex zgrat collection keylogger rat spyware stealer

Malware Config

Extracted

Family

matiex

C2

https://api.telegram.org/bot1395392888:AAFrJovDdZICOFB0gX0eGWrAUzEKCRpv8xo/sendMessage?chat_id=1300181783

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5104-9-0x0000000004AB0000-0x0000000004AC6000-memory.dmp	family_zgrat_v1

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3760-10-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex
behavioral2/memory/3760-15-0x0000000005830000-0x0000000005840000-memory.dmp	family_matiex

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 checkip.dyndns.org
16 freegeoip.app
17 freegeoip.app

flow	ioc
6	checkip.dyndns.org
16	freegeoip.app
17	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

Processes:

ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe

description	pid	process	target process
PID 5104 set thread context of 3760	5104	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

408 3760 WerFault.exe ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe

pid	pid_target	process	target process
408	3760	WerFault.exe	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe

pid	process
5104	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
5104	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
5104	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
5104	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
5104	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
5104	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exeee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	5104	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
Token: SeDebugPrivilege	3760	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe

outlook_office_path 1 IoCs

Processes:

ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe

outlook_win_path 1 IoCs

Processes:

ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5104

C:\Users\Admin\AppData\Local\Temp\ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe"
2⤵
PID:528

C:\Users\Admin\AppData\Local\Temp\ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe"
2⤵
PID:3680

C:\Users\Admin\AppData\Local\Temp\ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe"
2⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 2288
3⤵
- Program crash
PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3760 -ip 3760
1⤵
PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe.log

Filesize
886B

MD5
adee6fb564e48f4dbda9d98bd2aacad8

SHA1
f2f291e4460a2247d63df73ccb35dc7b53e266e7

SHA256
3399d074790192d222b9c886656f60bde71df3cff3103b10c88a4323386afd73

SHA512
c461ae2006d3cb512c2c9083102c72b34c31a54ea97e0aaa1c0353eb51bc2ea47f119065b47cd92f4aba7df86699a2dbe4c1e62a9be05fd058703ca84386d907

Download Submit
memory/3760-10-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3760-17-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/3760-15-0x0000000005830000-0x0000000005840000-memory.dmp

Filesize
64KB

Download
memory/3760-14-0x0000000005670000-0x00000000056D6000-memory.dmp

Filesize
408KB

Download
memory/3760-13-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/5104-4-0x0000000004BA0000-0x0000000004C16000-memory.dmp

Filesize
472KB

Download
memory/5104-7-0x0000000004A80000-0x0000000004A9E000-memory.dmp

Filesize
120KB

Download
memory/5104-8-0x0000000004D50000-0x0000000004DB6000-memory.dmp

Filesize
408KB

Download
memory/5104-9-0x0000000004AB0000-0x0000000004AC6000-memory.dmp

Filesize
88KB

Download
memory/5104-6-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/5104-5-0x0000000004C20000-0x0000000004CBC000-memory.dmp

Filesize
624KB

Download
memory/5104-0-0x0000000000180000-0x000000000024A000-memory.dmp

Filesize
808KB

Download
memory/5104-3-0x0000000004B00000-0x0000000004B92000-memory.dmp

Filesize
584KB

Download
memory/5104-2-0x00000000050B0000-0x0000000005654000-memory.dmp

Filesize
5.6MB

Download
memory/5104-16-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/5104-1-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download

description	pid	process	target process
PID 5104 wrote to memory of 528	5104	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
PID 5104 wrote to memory of 528	5104	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
PID 5104 wrote to memory of 528	5104	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
PID 5104 wrote to memory of 3680	5104	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
PID 5104 wrote to memory of 3680	5104	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
PID 5104 wrote to memory of 3680	5104	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
PID 5104 wrote to memory of 5100	5104	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
PID 5104 wrote to memory of 5100	5104	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
PID 5104 wrote to memory of 5100	5104	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
PID 5104 wrote to memory of 3760	5104	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
PID 5104 wrote to memory of 3760	5104	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
PID 5104 wrote to memory of 3760	5104	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
PID 5104 wrote to memory of 3760	5104	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
PID 5104 wrote to memory of 3760	5104	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
PID 5104 wrote to memory of 3760	5104	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
PID 5104 wrote to memory of 3760	5104	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe
PID 5104 wrote to memory of 3760	5104	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe	ee012ccf95286d03ea9cc4d508fee46e_JaffaCakes118.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads