44caliber | 72a9cb716529660a0026e61b0b4ad8a61d6be594d06e3ade9cf57186e62f6c3b

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f309f13b086438be0a979bfba51097b6_JaffaCakes118.exe
Size

389KB
MD5

f309f13b086438be0a979bfba51097b6
SHA1

ee8b446af0f73adb726cb7ab72725441cac270c7
SHA256

72a9cb716529660a0026e61b0b4ad8a61d6be594d06e3ade9cf57186e62f6c3b
SHA512

a3b426214fa4794e694b28ec7453775b0968f5146fb4f8b6917ebe28ec47e189e110f0a2a7bb43e800af3d5f72e168c406d7015354cf992470a08ab64ae2360d
SSDEEP

6144:o1vG8GgGTe1GbgaxDgXtIClMiRAqXKlUBYRA9G5EGl0uvn7A+z6:YTaaRAqqviVYvT6

Score

10^/10

44caliber zgrat rat spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/2748-0-0x0000000000F00000-0x0000000000F66000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
5	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	f309f13b086438be0a979bfba51097b6_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	f309f13b086438be0a979bfba51097b6_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2748	f309f13b086438be0a979bfba51097b6_JaffaCakes118.exe
2748	f309f13b086438be0a979bfba51097b6_JaffaCakes118.exe
2748	f309f13b086438be0a979bfba51097b6_JaffaCakes118.exe
2748	f309f13b086438be0a979bfba51097b6_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	f309f13b086438be0a979bfba51097b6_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f309f13b086438be0a979bfba51097b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f309f13b086438be0a979bfba51097b6_JaffaCakes118.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
309B

MD5
a23a60e6e5b66c619bacd5109714c4cd

SHA1
9db479408c13cfbe6643e41a0ac6bf14b0eea58e

SHA256
e0de67fa76b6bc63e04e39aade9e80ea7aae75e207b0be4f3fa59bc60f7a50ee

SHA512
4396d70629ffb4148a91d6134ec4e27ceb5f72d5c1bbcf438d9cc36dfd375cfdd6d3179613bb2fd3cf566a1d278689cb09d03991bcbf15a25fadc47cf8e32236

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
324B

MD5
e28f55b8d8a9e1238c5ef67edb1cba53

SHA1
37ed72a6b26053e06f0d9d1c8c68fb7ed279c0c5

SHA256
8e857463c627b2e8525d17e7d86bd926ffd065f2d01211b8b05811f586141a9b

SHA512
e241a84c752bae402df9bd42a446af7268953ad91d4bdd97fd469f6adaa5656a310eedd5785197c7b4a22a6f4a7029e3e9f0b3b7ddee1562e19330c23ca0f013

Download Submit
memory/2748-0-0x0000000000F00000-0x0000000000F66000-memory.dmp

Filesize
408KB

Download
memory/2748-1-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download
memory/2748-2-0x000000001B130000-0x000000001B1B0000-memory.dmp

Filesize
512KB

Download
memory/2748-50-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download