Analysis
-
max time kernel
141s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
19-04-2024 22:29
Static task
static1
Behavioral task
behavioral1
Sample
fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe
Resource
win10v2004-20240412-en
General
-
Target
fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe
-
Size
1.3MB
-
MD5
fb4e9686e8d934c6e71f69fbf69cbba6
-
SHA1
91b52740a1d9a46bddb568cfc6e9d035c5160b22
-
SHA256
f9c069523cc221dcea4a5b46281e6752ba4a567480b7c81e3a80d369c73b07ff
-
SHA512
36c09106eeaa9bbd452fef2bb8d6dda58e1894f1a54963af4b27f61c73ddbf45bb6c523b10a18a22dce138fb6fa5ffba72a7190c6a9e3c2ff24eaf166ba2f87d
-
SSDEEP
24576:K/86WY0n6q9nXshv7ogKw+/dA1hhLdiIIjE6YdZxua7Fz:nSrqRXshMgushQm6Yjxua7Fz
Malware Config
Signatures
-
Detect ZGRat V1 34 IoCs
resource yara_rule behavioral1/memory/1888-4-0x00000000021C0000-0x0000000002236000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-5-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-6-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-8-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-10-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-12-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-14-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-16-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-18-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-20-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-22-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-24-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-26-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-28-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-30-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-32-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-34-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-36-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-38-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-40-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-42-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-44-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-48-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-46-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-50-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-52-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-56-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-54-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-58-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-60-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-62-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-68-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-66-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 behavioral1/memory/1888-64-0x00000000021C0000-0x000000000222F000-memory.dmp family_zgrat_v1 -
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
-
WebMonitor payload 2 IoCs
resource yara_rule behavioral1/memory/3012-2327-0x0000000000400000-0x00000000005F7000-memory.dmp family_webmonitor behavioral1/memory/3012-2341-0x0000000000400000-0x00000000005F7000-memory.dmp family_webmonitor -
resource yara_rule behavioral1/memory/3012-2327-0x0000000000400000-0x00000000005F7000-memory.dmp upx behavioral1/memory/3012-2341-0x0000000000400000-0x00000000005F7000-memory.dmp upx -
Unexpected DNS network traffic destination 5 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 185.141.152.26 Destination IP 1.2.4.8 Destination IP 185.141.152.26 Destination IP 185.141.152.26 Destination IP 1.2.4.8 -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1888 set thread context of 3012 1888 fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe 31 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1888 fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe 1888 fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe 2932 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1888 fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe Token: SeDebugPrivilege 3012 fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe Token: SeDebugPrivilege 2932 powershell.exe Token: SeShutdownPrivilege 3012 fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 1888 wrote to memory of 912 1888 fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe 30 PID 1888 wrote to memory of 912 1888 fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe 30 PID 1888 wrote to memory of 912 1888 fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe 30 PID 1888 wrote to memory of 912 1888 fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe 30 PID 1888 wrote to memory of 3012 1888 fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe 31 PID 1888 wrote to memory of 3012 1888 fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe 31 PID 1888 wrote to memory of 3012 1888 fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe 31 PID 1888 wrote to memory of 3012 1888 fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe 31 PID 1888 wrote to memory of 3012 1888 fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe 31 PID 1888 wrote to memory of 3012 1888 fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe 31 PID 1888 wrote to memory of 3012 1888 fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe 31 PID 912 wrote to memory of 2932 912 WScript.exe 32 PID 912 wrote to memory of 2932 912 WScript.exe 32 PID 912 wrote to memory of 2932 912 WScript.exe 32 PID 912 wrote to memory of 2932 912 WScript.exe 32 PID 1888 wrote to memory of 3012 1888 fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Zdazrmkyf.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Adobe\Vegas.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2932
-
-
-
C:\Users\Admin\AppData\Local\Temp\fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\fb4e9686e8d934c6e71f69fbf69cbba6_JaffaCakes118.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3012
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
179B
MD5d7208d15ac113b64589278beda42796c
SHA18989f6676a01a34240ad7f6c275bfdaa0e5836e1
SHA2562d9b6aee07eb1062249ca329f22d5bbeb04dcd5ed40ba06fb53e3e4667f9e41b
SHA5122ad9cf8b3a6f0960e41eb7a12641320338899b6da395e46883caf85d73bd529027bcec252e3eace02cc5a7c91639f94209962f2458188eb965465673929cb57e