zgrat | 49bd52161ac80de23fde0851abc834f81e1765eb55880a04a7bec010616b1957

Analysis

max time kernel
128s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1831646a449684fc0787d08e147017d_JaffaCakes118.exe
Size

447KB
MD5

f1831646a449684fc0787d08e147017d
SHA1

e91efbd06b85b297db166d39c8dc18f7e7aa8365
SHA256

49bd52161ac80de23fde0851abc834f81e1765eb55880a04a7bec010616b1957
SHA512

c82eacbb11919f64523e791f65094a01b5258539a9078ff56fb057c6ef46ba98e26530c217c8c4f921691a51e28ea597992b62c4c056782da54f8fa8be3dffe1
SSDEEP

12288:DrQ2L1yXGK6ARkSetsRFPgRfhKFvExxLo7W:DDxASXSRFPg1EBExu

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2156-15-0x0000000007A30000-0x0000000007AA4000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-16-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-19-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-17-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-21-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-23-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-25-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-27-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-29-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-31-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-33-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-35-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-37-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-39-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-41-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-43-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-45-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-47-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-49-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-51-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-53-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-55-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-59-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-57-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-61-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-63-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-65-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-67-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-69-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-71-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-73-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-75-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-77-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1
behavioral2/memory/2156-79-0x0000000007A30000-0x0000000007A9E000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f1831646a449684fc0787d08e147017d_JaffaCakes118.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

Processes:

RegAsm.exe

pid process

4576 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

f1831646a449684fc0787d08e147017d_JaffaCakes118.exe

description pid process target process

PID 2156 set thread context of 4576 2156 f1831646a449684fc0787d08e147017d_JaffaCakes118.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3244 4576 WerFault.exe RegAsm.exe

pid	process
4576	RegAsm.exe

description	pid	process	target process
PID 2156 set thread context of 4576	2156	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	RegAsm.exe

pid	pid_target	process	target process
3244	4576	WerFault.exe	RegAsm.exe

Modifies registry class 1 IoCs

Processes:

f1831646a449684fc0787d08e147017d_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000_Classes\Local Settings	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

f1831646a449684fc0787d08e147017d_JaffaCakes118.exepowershell.exe

pid	process
2156	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe
2156	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe
1992	powershell.exe
1992	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f1831646a449684fc0787d08e147017d_JaffaCakes118.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2156 f1831646a449684fc0787d08e147017d_JaffaCakes118.exe
Token: SeDebugPrivilege 1992 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2156	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe
Token: SeDebugPrivilege	1992	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

f1831646a449684fc0787d08e147017d_JaffaCakes118.exeWScript.exe

description	pid	process	target process
PID 2156 wrote to memory of 1196	2156	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	WScript.exe
PID 2156 wrote to memory of 1196	2156	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	WScript.exe
PID 2156 wrote to memory of 1196	2156	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	WScript.exe
PID 2156 wrote to memory of 4576	2156	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	RegAsm.exe
PID 2156 wrote to memory of 4576	2156	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	RegAsm.exe
PID 2156 wrote to memory of 4576	2156	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	RegAsm.exe
PID 2156 wrote to memory of 4576	2156	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	RegAsm.exe
PID 2156 wrote to memory of 4576	2156	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	RegAsm.exe
PID 2156 wrote to memory of 4576	2156	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	RegAsm.exe
PID 2156 wrote to memory of 4576	2156	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	RegAsm.exe
PID 2156 wrote to memory of 4576	2156	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	RegAsm.exe
PID 2156 wrote to memory of 4576	2156	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	RegAsm.exe
PID 2156 wrote to memory of 4576	2156	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	RegAsm.exe
PID 2156 wrote to memory of 4576	2156	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	RegAsm.exe
PID 1196 wrote to memory of 1992	1196	WScript.exe	powershell.exe
PID 1196 wrote to memory of 1992	1196	WScript.exe	powershell.exe
PID 1196 wrote to memory of 1992	1196	WScript.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\f1831646a449684fc0787d08e147017d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f1831646a449684fc0787d08e147017d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Ppgfqbvmulb.vbs"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Foxmaill\folder_1.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
2⤵
- Executes dropped EXE
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 628
3⤵
- Program crash
PID:3244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4136,i,7593277344190429033,13055212002259797845,262144 --variations-seed-version --mojo-platform-channel-handle=1440 /prefetch:8
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4576 -ip 4576
1⤵
PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Ppgfqbvmulb.vbs

Filesize
185B

MD5
343d60694a1ed44f6a8d2e72af01398a

SHA1
e94d1fca2e525ed16e415d7aad35213611e986e1

SHA256
6715233ec92e74ef3f97f66d957f7ebf66fa89130bb9fbce390a8dd7ff9ad4f8

SHA512
cd460ca23ca4199a661f194b3d6eb5369fdca348c615f20bcbecf4ff1366d2c91551beab7e41e0fb02be74f70321dfa44ffcfba016da4b8e8ec2910a49ddaff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dk0glzep.0kl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1992-2179-0x0000000007870000-0x00000000078A2000-memory.dmp

Filesize
200KB

Download
memory/1992-2177-0x0000000006920000-0x000000000696C000-memory.dmp

Filesize
304KB

Download
memory/1992-2197-0x0000000007E10000-0x0000000007E1E000-memory.dmp

Filesize
56KB

Download
memory/1992-2196-0x0000000007DE0000-0x0000000007DF1000-memory.dmp

Filesize
68KB

Download
memory/1992-2195-0x0000000007E60000-0x0000000007EF6000-memory.dmp

Filesize
600KB

Download
memory/1992-2194-0x0000000007C50000-0x0000000007C5A000-memory.dmp

Filesize
40KB

Download
memory/1992-2193-0x0000000007BE0000-0x0000000007BFA000-memory.dmp

Filesize
104KB

Download
memory/1992-2192-0x0000000008220000-0x000000000889A000-memory.dmp

Filesize
6.5MB

Download
memory/1992-2191-0x0000000007AB0000-0x0000000007B53000-memory.dmp

Filesize
652KB

Download
memory/1992-2190-0x0000000006E90000-0x0000000006EAE000-memory.dmp

Filesize
120KB

Download
memory/1992-2180-0x0000000075A10000-0x0000000075A5C000-memory.dmp

Filesize
304KB

Download
memory/1992-2199-0x0000000007F20000-0x0000000007F3A000-memory.dmp

Filesize
104KB

Download
memory/1992-2178-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/1992-2198-0x0000000007E20000-0x0000000007E34000-memory.dmp

Filesize
80KB

Download
memory/1992-2176-0x00000000068D0000-0x00000000068EE000-memory.dmp

Filesize
120KB

Download
memory/1992-2175-0x0000000006440000-0x0000000006794000-memory.dmp

Filesize
3.3MB

Download
memory/1992-2170-0x00000000062D0000-0x0000000006336000-memory.dmp

Filesize
408KB

Download
memory/1992-2200-0x0000000007F00000-0x0000000007F08000-memory.dmp

Filesize
32KB

Download
memory/1992-2164-0x00000000061F0000-0x0000000006256000-memory.dmp

Filesize
408KB

Download
memory/1992-2163-0x0000000005920000-0x0000000005942000-memory.dmp

Filesize
136KB

Download
memory/1992-2162-0x0000000005B50000-0x0000000006178000-memory.dmp

Filesize
6.2MB

Download
memory/1992-2161-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/1992-2158-0x0000000002F90000-0x0000000002FC6000-memory.dmp

Filesize
216KB

Download
memory/1992-2160-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/1992-2159-0x0000000074FC0000-0x0000000075770000-memory.dmp

Filesize
7.7MB

Download
memory/1992-2203-0x0000000074FC0000-0x0000000075770000-memory.dmp

Filesize
7.7MB

Download
memory/2156-21-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-33-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-45-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-47-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-49-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-51-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-53-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-55-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-59-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-57-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-61-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-63-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-65-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-67-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-69-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-71-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-73-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-75-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-77-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-79-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-41-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-39-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-2155-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/2156-37-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-35-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-43-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-31-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-29-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-27-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-25-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-23-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-0-0x0000000000420000-0x0000000000496000-memory.dmp

Filesize
472KB

Download
memory/2156-17-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-19-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-16-0x0000000007A30000-0x0000000007A9E000-memory.dmp

Filesize
440KB

Download
memory/2156-15-0x0000000007A30000-0x0000000007AA4000-memory.dmp

Filesize
464KB

Download
memory/2156-14-0x00000000078A0000-0x00000000078F2000-memory.dmp

Filesize
328KB

Download
memory/2156-13-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/2156-12-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/2156-11-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/2156-10-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/2156-9-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/2156-8-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/2156-7-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/2156-6-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/2156-5-0x0000000004E60000-0x0000000004E6A000-memory.dmp

Filesize
40KB

Download
memory/2156-4-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/2156-3-0x0000000004EA0000-0x0000000004F32000-memory.dmp

Filesize
584KB

Download
memory/2156-2-0x0000000005450000-0x00000000059F4000-memory.dmp

Filesize
5.6MB

Download
memory/2156-1-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download