Analysis

max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 21-04-2024 12:08
Static task: static1

Behavioral task: behavioral1
  Sample: ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe
  Resource: win7-20240215-en

Behavioral task: behavioral2
  Sample: ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General

Target: ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe
Size: 336KB
MD5: ff3d380d75da0970ca814403921a512d
SHA1: bd06d7efc8946846addb9593893ac91a668d1e75
SHA256: 1c2437ae6ffc0eee1e868edc26540d7b1fc8992209ec776644fc8c83c83b0032
SHA512: 0e9fcbd1f3753a11a5745e467d630fd36077879df982d8cf98e06e08718e4d369c452c7ad8819dbdf93ad6685e2fa99ec9b059cff0c5feaf69236ad80b280f3c
SSDEEP: 6144:iFOwiyeVH0dxiroXWm/XFWdLUiIr5QhXY+lG9ijjz8QTOV0y4AS7E:yiyexQtVwYXyYOGe/811zn
Malware Config
Signatures

Detect ZGRat V1 (34 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/1244-6-0x0000000004FE0000-0x000000000504E000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-7-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-8-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-10-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-12-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-14-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-16-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-18-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-20-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-22-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-24-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-26-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-28-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-30-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-32-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-38-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-40-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-36-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-34-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-42-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-48-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-52-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-56-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-60-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-66-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-70-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-68-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-64-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-62-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-58-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-54-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-50-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-46-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1
  behavioral1/memory/1244-44-0x0000000004FE0000-0x0000000005049000-memory.dmp | family_zgrat_v1

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 1244 set thread context of 2416 | 1244 | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe

Program crash (1 IoC)
Processes:
  pid | pid_target | process | target process
  1040 | 2416 | WerFault.exe | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid | process
  1244 | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1244 | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
  description | pid | process | target process
  PID 1244 wrote to memory of 2416 | 1244 | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe
  PID 1244 wrote to memory of 2416 | 1244 | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe
  PID 1244 wrote to memory of 2416 | 1244 | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe
  PID 1244 wrote to memory of 2416 | 1244 | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe
  PID 1244 wrote to memory of 2416 | 1244 | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe
  PID 1244 wrote to memory of 2416 | 1244 | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe
  PID 1244 wrote to memory of 2416 | 1244 | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe
  PID 1244 wrote to memory of 2416 | 1244 | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe
  PID 1244 wrote to memory of 2416 | 1244 | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe
  PID 1244 wrote to memory of 2416 | 1244 | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe
  PID 1244 wrote to memory of 2416 | 1244 | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe
  PID 2416 wrote to memory of 1040 | 2416 | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe | WerFault.exe
  PID 2416 wrote to memory of 1040 | 2416 | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe | WerFault.exe
  PID 2416 wrote to memory of 1040 | 2416 | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe | WerFault.exe
  PID 2416 wrote to memory of 1040 | 2416 | ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe | WerFault.exe
Processes

C:\Users\Admin\AppData\Local\Temp\ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe"
  level 1, PID: 1244
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe
    command line: C:\Users\Admin\AppData\Local\Temp\ff3d380d75da0970ca814403921a512d_JaffaCakes118.exe
    level 2, PID: 2416
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 200
      level 3, PID: 1040
      - Program crash