Malware Analysis Report

2024-11-30 20:06

Sample ID: 240509-bz1n7sbb8w
Target: 27ac58d73248ebb72b350a1d0642e866_JaffaCakes118
SHA256: bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349
Tags: zgrat evasion rat trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349

Threat Level: Known bad

The file 27ac58d73248ebb72b350a1d0642e866_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

zgrat evasion rat trojan

Detect ZGRat V1

ZGRat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-09 01:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-09 01:35

Reported: 2024-05-09 01:38

Platform: win7-20240221-en

Max time kernel: 120s

Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\27ac58d73248ebb72b350a1d0642e866_JaffaCakes118.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\27ac58d73248ebb72b350a1d0642e866_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\27ac58d73248ebb72b350a1d0642e866_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\27ac58d73248ebb72b350a1d0642e866_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services32.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\27ac58d73248ebb72b350a1d0642e866_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\27ac58d73248ebb72b350a1d0642e866_JaffaCakes118.exe N/A
N/A N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Windows Mail\ja-JP\explorer32.exe C:\Users\Admin\AppData\Local\Temp\27ac58d73248ebb72b350a1d0642e866_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\it-IT\svchost32.exe C:\Users\Admin\AppData\Local\Temp\27ac58d73248ebb72b350a1d0642e866_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\de-DE\explorer32.exe C:\Users\Admin\AppData\Local\Temp\27ac58d73248ebb72b350a1d0642e866_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\27ac58d73248ebb72b350a1d0642e866_JaffaCakes118.exe N/A
N/A N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\27ac58d73248ebb72b350a1d0642e866_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\27ac58d73248ebb72b350a1d0642e866_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\27ac58d73248ebb72b350a1d0642e866_JaffaCakes118.exe"

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services32.exe

"C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 cx53295.tmweb.ru udp
RU 5.23.50.207:80 cx53295.tmweb.ru tcp
US 8.8.8.8:53 vh402.timeweb.ru udp
RU 5.23.50.207:443 vh402.timeweb.ru tcp
RU 5.23.50.207:443 vh402.timeweb.ru tcp

Files

memory/2172-1-0x0000000076C21000-0x0000000076C22000-memory.dmp

memory/2172-0-0x0000000000A80000-0x00000000012BA000-memory.dmp

memory/2172-4-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2172-7-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2172-6-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2172-5-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2172-10-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2172-11-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2172-13-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2172-12-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2172-20-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2172-21-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2172-19-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2172-18-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2172-17-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2172-16-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2172-15-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2172-14-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2172-9-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2172-8-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2172-3-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2172-2-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2172-25-0x0000000000A80000-0x00000000012BA000-memory.dmp

C:\Program Files\Windows Sidebar\it-IT\svchost32.exe

MD5 27ac58d73248ebb72b350a1d0642e866
SHA1 88697d4f4d6e00a8ff29083a1a97c8d150f8939b
SHA256 bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349
SHA512 db8c968b3415d02868bc0fb01cb6104504a058c3f6dd1769a8e56bb1c47ed830e2b8d8e9873cd6fbfd15dfff4d46999f1562cb06c8427d9b007108ad1793f998

memory/2172-43-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2172-44-0x0000000006050000-0x000000000688A000-memory.dmp

memory/2172-46-0x0000000000A80000-0x00000000012BA000-memory.dmp

memory/2644-45-0x0000000000210000-0x0000000000A4A000-memory.dmp

memory/2172-47-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2644-50-0x0000000000210000-0x0000000000A4A000-memory.dmp

memory/2644-53-0x0000000000210000-0x0000000000A4A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-09 01:35

Reported: 2024-05-09 01:38

Platform: win10v2004-20240426-en

Max time kernel: 144s

Max time network: 110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\27ac58d73248ebb72b350a1d0642e866_JaffaCakes118.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Documents and Settings\svchost32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\27ac58d73248ebb72b350a1d0642e866_JaffaCakes118.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Documents and Settings\svchost32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Documents and Settings\svchost32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\27ac58d73248ebb72b350a1d0642e866_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\27ac58d73248ebb72b350a1d0642e866_JaffaCakes118.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\27ac58d73248ebb72b350a1d0642e866_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Documents and Settings\svchost32.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\27ac58d73248ebb72b350a1d0642e866_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Documents and Settings\svchost32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\27ac58d73248ebb72b350a1d0642e866_JaffaCakes118.exe N/A
N/A N/A C:\Documents and Settings\svchost32.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Documents and Settings\svchost32.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\27ac58d73248ebb72b350a1d0642e866_JaffaCakes118.exe N/A
N/A N/A C:\Documents and Settings\svchost32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\27ac58d73248ebb72b350a1d0642e866_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Documents and Settings\svchost32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\27ac58d73248ebb72b350a1d0642e866_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\27ac58d73248ebb72b350a1d0642e866_JaffaCakes118.exe"

C:\Documents and Settings\svchost32.exe

"C:\Documents and Settings\svchost32.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2320 -ip 2320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 1548

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 cx53295.tmweb.ru udp
RU 5.23.50.207:80 cx53295.tmweb.ru tcp
US 8.8.8.8:53 vh402.timeweb.ru udp
RU 5.23.50.207:443 vh402.timeweb.ru tcp
US 8.8.8.8:53 207.50.23.5.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/4992-4-0x0000000075840000-0x0000000075930000-memory.dmp

memory/4992-8-0x0000000075840000-0x0000000075930000-memory.dmp

memory/4992-7-0x0000000075840000-0x0000000075930000-memory.dmp

memory/4992-9-0x0000000075840000-0x0000000075930000-memory.dmp

memory/4992-6-0x0000000075840000-0x0000000075930000-memory.dmp

memory/4992-5-0x0000000075840000-0x0000000075930000-memory.dmp

memory/4992-3-0x0000000075840000-0x0000000075930000-memory.dmp

memory/4992-2-0x0000000075840000-0x0000000075930000-memory.dmp

memory/4992-12-0x0000000000690000-0x0000000000ECA000-memory.dmp

memory/4992-13-0x0000000005670000-0x0000000005702000-memory.dmp

memory/4992-1-0x0000000075860000-0x0000000075861000-memory.dmp

memory/4992-14-0x0000000005CC0000-0x0000000006264000-memory.dmp

memory/4992-0-0x0000000000690000-0x0000000000ECA000-memory.dmp

memory/4992-15-0x0000000000690000-0x0000000000ECA000-memory.dmp

C:\Users\svchost32.exe

MD5 27ac58d73248ebb72b350a1d0642e866
SHA1 88697d4f4d6e00a8ff29083a1a97c8d150f8939b
SHA256 bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349
SHA512 db8c968b3415d02868bc0fb01cb6104504a058c3f6dd1769a8e56bb1c47ed830e2b8d8e9873cd6fbfd15dfff4d46999f1562cb06c8427d9b007108ad1793f998

memory/4992-30-0x0000000075840000-0x0000000075930000-memory.dmp

memory/4992-31-0x0000000000690000-0x0000000000ECA000-memory.dmp

memory/2320-26-0x00000000007B0000-0x0000000000FEA000-memory.dmp

memory/2320-28-0x0000000075840000-0x0000000075930000-memory.dmp

memory/4992-27-0x0000000075860000-0x0000000075861000-memory.dmp

memory/2320-34-0x00000000007B0000-0x0000000000FEA000-memory.dmp

memory/2320-36-0x0000000075840000-0x0000000075930000-memory.dmp

memory/2320-37-0x00000000007B0000-0x0000000000FEA000-memory.dmp