Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

fdc4abf2e1...18.exe

windows7-x64

10

fdc4abf2e1...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    20/04/2024, 22:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe

  • Size

    811KB

  • MD5

    fdc4abf2e1c2e105b0fa96ccfc96a9b1

  • SHA1

    4cff46ba63bf0437bc3e64107ca175ce09b5dc8e

  • SHA256

    db095ae406f75b62e5d37408aa744fa4373249383b377a391bb31b551f095dd7

  • SHA512

    251382140f53f9d6ba7f421cff7a2edb899d36c7b7f4857614f93101e9abd2b3aa27dc1a8bc6f5361c58e66ce99a14aa5587b37c2fbe16d2fcb8aa304f40aea8

  • SSDEEP

    12288:9VLFvth+w7GodQpbelTL3P8oDP/qDHNmzkmx61RVvriwUE47DRC3QVfF62Ud:9vv/Nv+kTTVPaHFmIBv7IfR8Qo

Score
10/10
zgratrat

Malware Config

Signatures

  • Detect ZGRat V1 33 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fdc4abf2e1c2e105b0fa96ccfc96a9b1_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3064
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2492
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2888
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1640
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2224
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:840
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1452
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1836
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1072
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:600
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2784
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2724
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2756
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3032
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:664
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2392
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2088
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2064
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1420
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2132

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    40df14797d750f8d4f00dd75d1bbc183

    SHA1

    11416872e38c43ce0cddb5d406e8a3d24123e2b0

    SHA256

    de0b4a054c7d5480841e3692b86920dbf20643c7cde9f6c1bccb6929484b96e6

    SHA512

    586fe8f147aa127dc249a3072903f40689023b70980e52f073062b74b4ab65bf582f7f75317ca2feee1c87af4189ed6f7111b536c120f6119531af437ae2dca5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    bbf0df07c19510d8843080123bc471e8

    SHA1

    d1a34074e0b92ba7055820610c28552f77e9a953

    SHA256

    406c927c219eb6c6df9275e7c727b78c633610eaa4c181903d2d5dbfe8647e68

    SHA512

    a1600b1ac1757c160a7b1a3212f9c263f1d9c1b654074b19c69c84612bd92feeea45efc85a5b7fb2f031f7ddc49eb96b0dac166b6f952a4dbf6fc63897c0d9b2

    Download Submit

  • memory/600-98-0x000000006F850000-0x000000006FDFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/600-97-0x000000006F850000-0x000000006FDFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/600-96-0x00000000005A0000-0x00000000005E0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/600-95-0x000000006F850000-0x000000006FDFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/840-61-0x000000006F850000-0x000000006FDFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/840-58-0x00000000029E0000-0x0000000002A20000-memory.dmp

    Filesize

    256KB

    Download

  • memory/840-59-0x000000006F850000-0x000000006FDFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/840-57-0x000000006F850000-0x000000006FDFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/840-60-0x000000006F850000-0x000000006FDFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1072-87-0x00000000027F0000-0x0000000002830000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1072-86-0x000000006FAD0000-0x000000007007B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1072-88-0x000000006FAD0000-0x000000007007B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1072-89-0x000000006FAD0000-0x000000007007B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1452-69-0x000000006FAD0000-0x000000007007B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1452-68-0x0000000002A30000-0x0000000002A70000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1452-67-0x000000006FAD0000-0x000000007007B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1452-70-0x000000006FAD0000-0x000000007007B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1640-41-0x000000006F850000-0x000000006FDFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1640-36-0x000000006F850000-0x000000006FDFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1640-39-0x0000000002C90000-0x0000000002CD0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1640-38-0x0000000002C90000-0x0000000002CD0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1640-40-0x000000006F850000-0x000000006FDFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1640-37-0x0000000002C90000-0x0000000002CD0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1836-79-0x0000000002A80000-0x0000000002AC0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1836-80-0x000000006F850000-0x000000006FDFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1836-77-0x0000000002A80000-0x0000000002AC0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1836-78-0x000000006F850000-0x000000006FDFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1836-76-0x000000006F850000-0x000000006FDFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2224-51-0x000000006FAD0000-0x000000007007B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2224-47-0x000000006FAD0000-0x000000007007B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2224-48-0x0000000002F20000-0x0000000002F60000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2224-50-0x0000000002F20000-0x0000000002F60000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2224-49-0x000000006FAD0000-0x000000007007B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2492-15-0x000000006F850000-0x000000006FDFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2492-16-0x000000006F850000-0x000000006FDFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2492-17-0x000000006F850000-0x000000006FDFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2492-19-0x000000006F850000-0x000000006FDFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2492-18-0x0000000002AF0000-0x0000000002B30000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2724-114-0x0000000002950000-0x0000000002990000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2724-116-0x000000006F850000-0x000000006FDFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2724-113-0x000000006F850000-0x000000006FDFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2724-115-0x000000006F850000-0x000000006FDFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2756-125-0x000000006FAD0000-0x000000007007B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2756-126-0x000000006FAD0000-0x000000007007B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2756-124-0x0000000002AE0000-0x0000000002B20000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2756-123-0x000000006FAD0000-0x000000007007B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2784-107-0x000000006FAD0000-0x000000007007B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2784-104-0x000000006FAD0000-0x000000007007B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2784-105-0x0000000002A00000-0x0000000002A40000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2784-106-0x000000006FAD0000-0x000000007007B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2888-30-0x000000006FAD0000-0x000000007007B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2888-25-0x000000006FAD0000-0x000000007007B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2888-27-0x0000000002850000-0x0000000002890000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2888-26-0x000000006FAD0000-0x000000007007B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2940-205-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-221-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-0-0x0000000001210000-0x00000000012DE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/2940-3-0x0000000000CB0000-0x0000000000D04000-memory.dmp

    Filesize

    336KB

    Download

  • memory/2940-239-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-1-0x00000000749E0000-0x00000000750CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2940-241-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-243-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-245-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-29-0x00000000011C0000-0x0000000001200000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2940-200-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-201-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-203-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-28-0x00000000749E0000-0x00000000750CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2940-207-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-219-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-217-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-215-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-213-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-211-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-209-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-2-0x00000000011C0000-0x0000000001200000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2940-225-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-227-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-229-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-231-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-223-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-235-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-233-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-237-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-251-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-257-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-259-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-255-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-253-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-263-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-261-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-249-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2940-247-0x0000000005510000-0x0000000005572000-memory.dmp

    Filesize

    392KB

    Download

  • memory/3064-9-0x000000006FB00000-0x00000000700AB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3064-8-0x0000000002C10000-0x0000000002C50000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3064-7-0x000000006FB00000-0x00000000700AB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3064-6-0x000000006FB00000-0x00000000700AB000-memory.dmp

    Filesize

    5.7MB

    Download