zgrat | 099d824705f8ae8fc4a018a21a7c893de9385841dcb6c9629e2565c718368c05

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe
Size

939KB
MD5

f8170ab44e4c08d2088104a02aae5f40
SHA1

e03ecbc4d42e94818ef900ba50e1ffaa25c59281
SHA256

099d824705f8ae8fc4a018a21a7c893de9385841dcb6c9629e2565c718368c05
SHA512

fedf7b92f800ed3e990d93e13db6104a1a99cb9d91bfbe8c1683764c1b11ce63b05d54260a4936da991d09b439559a05dd5b73720a3648401539d08abbb38b48
SSDEEP

12288:WjVLFvth+w7GodQpbelTQ2JK7Q0+AnCG53rfFBe1QZoU8:Wjvv/Nv+kTQ2XNYCG5TFBeOuU8

Score

10^/10

zgrat collection rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 33 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2072-168-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-169-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-171-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-173-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-175-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-177-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-179-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-181-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-183-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-185-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-187-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-189-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-191-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-193-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-195-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-197-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-199-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-201-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-203-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-205-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-207-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-209-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-211-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-213-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-215-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-217-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-219-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-221-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-223-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-225-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-227-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-229-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2072-231-0x0000000005E80000-0x0000000005EF3000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe

description	pid	process	target process
PID 2072 set thread context of 2084	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exef8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe

pid	process
2540	powershell.exe
2412	powershell.exe
676	powershell.exe
2728	powershell.exe
1672	powershell.exe
112	powershell.exe
1880	powershell.exe
1920	powershell.exe
896	powershell.exe
2288	powershell.exe
2992	powershell.exe
2620	powershell.exe
2308	powershell.exe
2732	powershell.exe
2044	powershell.exe
2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeIncreaseQuotaPrivilege	2540	powershell.exe
Token: SeSecurityPrivilege	2540	powershell.exe
Token: SeTakeOwnershipPrivilege	2540	powershell.exe
Token: SeLoadDriverPrivilege	2540	powershell.exe
Token: SeSystemProfilePrivilege	2540	powershell.exe
Token: SeSystemtimePrivilege	2540	powershell.exe
Token: SeProfSingleProcessPrivilege	2540	powershell.exe
Token: SeIncBasePriorityPrivilege	2540	powershell.exe
Token: SeCreatePagefilePrivilege	2540	powershell.exe
Token: SeBackupPrivilege	2540	powershell.exe
Token: SeRestorePrivilege	2540	powershell.exe
Token: SeShutdownPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeSystemEnvironmentPrivilege	2540	powershell.exe
Token: SeRemoteShutdownPrivilege	2540	powershell.exe
Token: SeUndockPrivilege	2540	powershell.exe
Token: SeManageVolumePrivilege	2540	powershell.exe
Token: 33	2540	powershell.exe
Token: 34	2540	powershell.exe
Token: 35	2540	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeIncreaseQuotaPrivilege	2412	powershell.exe
Token: SeSecurityPrivilege	2412	powershell.exe
Token: SeTakeOwnershipPrivilege	2412	powershell.exe
Token: SeLoadDriverPrivilege	2412	powershell.exe
Token: SeSystemProfilePrivilege	2412	powershell.exe
Token: SeSystemtimePrivilege	2412	powershell.exe
Token: SeProfSingleProcessPrivilege	2412	powershell.exe
Token: SeIncBasePriorityPrivilege	2412	powershell.exe
Token: SeCreatePagefilePrivilege	2412	powershell.exe
Token: SeBackupPrivilege	2412	powershell.exe
Token: SeRestorePrivilege	2412	powershell.exe
Token: SeShutdownPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeSystemEnvironmentPrivilege	2412	powershell.exe
Token: SeRemoteShutdownPrivilege	2412	powershell.exe
Token: SeUndockPrivilege	2412	powershell.exe
Token: SeManageVolumePrivilege	2412	powershell.exe
Token: 33	2412	powershell.exe
Token: 34	2412	powershell.exe
Token: 35	2412	powershell.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeIncreaseQuotaPrivilege	676	powershell.exe
Token: SeSecurityPrivilege	676	powershell.exe
Token: SeTakeOwnershipPrivilege	676	powershell.exe
Token: SeLoadDriverPrivilege	676	powershell.exe
Token: SeSystemProfilePrivilege	676	powershell.exe
Token: SeSystemtimePrivilege	676	powershell.exe
Token: SeProfSingleProcessPrivilege	676	powershell.exe
Token: SeIncBasePriorityPrivilege	676	powershell.exe
Token: SeCreatePagefilePrivilege	676	powershell.exe
Token: SeBackupPrivilege	676	powershell.exe
Token: SeRestorePrivilege	676	powershell.exe
Token: SeShutdownPrivilege	676	powershell.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeSystemEnvironmentPrivilege	676	powershell.exe
Token: SeRemoteShutdownPrivilege	676	powershell.exe
Token: SeUndockPrivilege	676	powershell.exe
Token: SeManageVolumePrivilege	676	powershell.exe
Token: 33	676	powershell.exe
Token: 34	676	powershell.exe
Token: 35	676	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe

description	pid	process	target process
PID 2072 wrote to memory of 2540	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2540	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2540	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2540	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2412	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2412	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2412	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2412	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 676	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 676	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 676	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 676	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2728	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2728	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2728	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2728	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 1672	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 1672	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 1672	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 1672	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 112	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 112	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 112	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 112	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 1880	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 1880	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 1880	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 1880	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 1920	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 1920	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 1920	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 1920	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 896	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 896	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 896	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 896	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2288	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2288	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2288	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2288	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2992	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2992	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2992	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2992	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2620	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2620	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2620	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2620	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2308	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2308	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2308	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2308	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2732	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2732	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2732	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2732	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2044	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2044	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2044	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2044	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	powershell.exe
PID 2072 wrote to memory of 2084	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe
PID 2072 wrote to memory of 2084	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe
PID 2072 wrote to memory of 2084	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe
PID 2072 wrote to memory of 2084	2072	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe

outlook_office_path 1 IoCs

Processes:

f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe

outlook_win_path 1 IoCs

Processes:

f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2308

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2044

C:\Users\Admin\AppData\Local\Temp\f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\f8170ab44e4c08d2088104a02aae5f40_JaffaCakes118.exe
2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2084

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
b59b5034bb60de59b94e820b4f10f008

SHA1
742fc40ab4b028b399b4e42e4802badd256805b1

SHA256
23d6dd8b91868ce58c86a1bea32e4dbf3242dcd6eacb2e21a97023db9f9d5c99

SHA512
3602aefd4b757c1e0bf288a9901a432d0ec98c73a256b145f6d69c8722f9bfcb7aa5771ade7675bef9b02bfe7416a721d4d50bd9d212e1a90827657905312a32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
0e8deab3593320fae45667baeaf0f5a9

SHA1
4f57260c579cc53ef7c33a395484998cf98620d8

SHA256
9983ba836e613b5df8b2563860775eece70861238436b5cd226a4a454eeecd3a

SHA512
3ca95a1ba7acdbd2283b3d22d2c10bb29965f2727616323aa92d3008e3a494ea0ba051aa15055d3c0bf6d7a821e64f74a3fe5b6d175c92c16bed6371e118fdac

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/112-64-0x0000000002790000-0x00000000027D0000-memory.dmp

Filesize
256KB

Download
memory/112-63-0x000000006F8B0000-0x000000006FE5B000-memory.dmp

Filesize
5.7MB

Download
memory/112-65-0x000000006F8B0000-0x000000006FE5B000-memory.dmp

Filesize
5.7MB

Download
memory/112-67-0x0000000002790000-0x00000000027D0000-memory.dmp

Filesize
256KB

Download
memory/112-68-0x000000006F8B0000-0x000000006FE5B000-memory.dmp

Filesize
5.7MB

Download
memory/112-66-0x0000000002790000-0x00000000027D0000-memory.dmp

Filesize
256KB

Download
memory/676-29-0x000000006FB30000-0x00000000700DB000-memory.dmp

Filesize
5.7MB

Download
memory/676-30-0x000000006FB30000-0x00000000700DB000-memory.dmp

Filesize
5.7MB

Download
memory/676-34-0x000000006FB30000-0x00000000700DB000-memory.dmp

Filesize
5.7MB

Download
memory/676-33-0x00000000027D0000-0x0000000002810000-memory.dmp

Filesize
256KB

Download
memory/676-31-0x00000000027D0000-0x0000000002810000-memory.dmp

Filesize
256KB

Download
memory/896-102-0x000000006FB30000-0x00000000700DB000-memory.dmp

Filesize
5.7MB

Download
memory/896-101-0x0000000002390000-0x00000000023D0000-memory.dmp

Filesize
256KB

Download
memory/896-99-0x000000006FB30000-0x00000000700DB000-memory.dmp

Filesize
5.7MB

Download
memory/896-98-0x000000006FB30000-0x00000000700DB000-memory.dmp

Filesize
5.7MB

Download
memory/896-100-0x0000000002390000-0x00000000023D0000-memory.dmp

Filesize
256KB

Download
memory/1672-56-0x000000006FB30000-0x00000000700DB000-memory.dmp

Filesize
5.7MB

Download
memory/1672-52-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1672-51-0x000000006FB30000-0x00000000700DB000-memory.dmp

Filesize
5.7MB

Download
memory/1672-53-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1672-54-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1672-55-0x000000006FB30000-0x00000000700DB000-memory.dmp

Filesize
5.7MB

Download
memory/1672-57-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1880-77-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1880-74-0x000000006FB30000-0x00000000700DB000-memory.dmp

Filesize
5.7MB

Download
memory/1880-75-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1880-76-0x000000006FB30000-0x00000000700DB000-memory.dmp

Filesize
5.7MB

Download
memory/1880-78-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1880-79-0x000000006FB30000-0x00000000700DB000-memory.dmp

Filesize
5.7MB

Download
memory/1920-92-0x00000000024F0000-0x0000000002530000-memory.dmp

Filesize
256KB

Download
memory/1920-91-0x000000006F8B0000-0x000000006FE5B000-memory.dmp

Filesize
5.7MB

Download
memory/1920-89-0x00000000024F0000-0x0000000002530000-memory.dmp

Filesize
256KB

Download
memory/1920-86-0x000000006F8B0000-0x000000006FE5B000-memory.dmp

Filesize
5.7MB

Download
memory/1920-87-0x00000000024F0000-0x0000000002530000-memory.dmp

Filesize
256KB

Download
memory/1920-88-0x00000000024F0000-0x0000000002530000-memory.dmp

Filesize
256KB

Download
memory/1920-90-0x000000006F8B0000-0x000000006FE5B000-memory.dmp

Filesize
5.7MB

Download
memory/2072-183-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-203-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-231-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-229-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-227-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-225-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-32-0x0000000004920000-0x0000000004960000-memory.dmp

Filesize
256KB

Download
memory/2072-223-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-221-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-21-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/2072-219-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-217-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-215-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-213-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-211-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-209-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-207-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-205-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-201-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-4-0x0000000001F80000-0x0000000001FD6000-memory.dmp

Filesize
344KB

Download
memory/2072-3-0x0000000000790000-0x00000000007E6000-memory.dmp

Filesize
344KB

Download
memory/2072-2-0x0000000004920000-0x0000000004960000-memory.dmp

Filesize
256KB

Download
memory/2072-1-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/2072-199-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-197-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-195-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-193-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-191-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-168-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-169-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-171-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-173-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-175-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-177-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-179-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-181-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-0-0x00000000001C0000-0x00000000002B0000-memory.dmp

Filesize
960KB

Download
memory/2072-185-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-187-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2072-189-0x0000000005E80000-0x0000000005EF3000-memory.dmp

Filesize
460KB

Download
memory/2288-111-0x00000000024B0000-0x00000000024F0000-memory.dmp

Filesize
256KB

Download
memory/2288-110-0x00000000024B0000-0x00000000024F0000-memory.dmp

Filesize
256KB

Download
memory/2288-109-0x000000006F8B0000-0x000000006FE5B000-memory.dmp

Filesize
5.7MB

Download
memory/2288-108-0x000000006F8B0000-0x000000006FE5B000-memory.dmp

Filesize
5.7MB

Download
memory/2288-112-0x000000006F8B0000-0x000000006FE5B000-memory.dmp

Filesize
5.7MB

Download
memory/2412-18-0x000000006F8B0000-0x000000006FE5B000-memory.dmp

Filesize
5.7MB

Download
memory/2412-23-0x000000006F8B0000-0x000000006FE5B000-memory.dmp

Filesize
5.7MB

Download
memory/2412-22-0x0000000002560000-0x00000000025A0000-memory.dmp

Filesize
256KB

Download
memory/2412-20-0x0000000002560000-0x00000000025A0000-memory.dmp

Filesize
256KB

Download
memory/2412-19-0x000000006F8B0000-0x000000006FE5B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-7-0x000000006FB60000-0x000000007010B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-12-0x000000006FB60000-0x000000007010B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-11-0x00000000028B0000-0x00000000028F0000-memory.dmp

Filesize
256KB

Download
memory/2540-10-0x000000006FB60000-0x000000007010B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-9-0x00000000028B0000-0x00000000028F0000-memory.dmp

Filesize
256KB

Download
memory/2540-8-0x00000000028B0000-0x00000000028F0000-memory.dmp

Filesize
256KB

Download
memory/2728-45-0x000000006F8B0000-0x000000006FE5B000-memory.dmp

Filesize
5.7MB

Download
memory/2728-41-0x000000006F8B0000-0x000000006FE5B000-memory.dmp

Filesize
5.7MB

Download
memory/2728-42-0x000000006F8B0000-0x000000006FE5B000-memory.dmp

Filesize
5.7MB

Download
memory/2728-43-0x0000000002250000-0x0000000002290000-memory.dmp

Filesize
256KB

Download
memory/2728-44-0x0000000002250000-0x0000000002290000-memory.dmp

Filesize
256KB

Download