Overview

overview

10

Static

static

3

291d775d55...18.exe

windows7-x64

3

291d775d55...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 08:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    291d775d55a75bb207922bf0d28ce052_JaffaCakes118.exe

  • Size

    942KB

  • MD5

    291d775d55a75bb207922bf0d28ce052

  • SHA1

    50e259313a63370304c62d9b68b74152a08ef123

  • SHA256

    19c5d6ab953cd04cf91ba1370f14d527cf89de375c8a340ce3e34ef777cba84e

  • SHA512

    cd8e88564edb628714d0fcee6f01da1df21497ebd8015054678b7d46a379a4fa67b57866dfa34d71da80b336d9693623ce21edc2d18d69e9760f41a7d6df90b6

  • SSDEEP

    12288:jymKWkYsoI8yZx+AC5iFY96R/uySH2qQQ0b2OTE/7jJbcN0Oc5slwA0MI2EJuuo8:5KWlALZsAIqR/uyRu/7eqOB2yHEJ/o

Score
10/10
massloggerzgratcollectionratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main payload 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\291d775d55a75bb207922bf0d28ce052_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\291d775d55a75bb207922bf0d28ce052_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmpED6D.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:972
    • C:\Users\Admin\AppData\Local\Temp\291d775d55a75bb207922bf0d28ce052_JaffaCakes118.exe
      "{path}"
      2⤵
        PID:3780
      • C:\Users\Admin\AppData\Local\Temp\291d775d55a75bb207922bf0d28ce052_JaffaCakes118.exe
        "{path}"
        2⤵
          PID:3456
        • C:\Users\Admin\AppData\Local\Temp\291d775d55a75bb207922bf0d28ce052_JaffaCakes118.exe
          "{path}"
          2⤵
            PID:5112
          • C:\Users\Admin\AppData\Local\Temp\291d775d55a75bb207922bf0d28ce052_JaffaCakes118.exe
            "{path}"
            2⤵
            • Checks computer location settings
            • Accesses Microsoft Outlook profiles
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • outlook_office_path
            • outlook_win_path
            PID:3804

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Scheduled Task/Job

        1
        T1053

        Persistence

        Scheduled Task/Job

        1
        T1053

        Privilege Escalation

        Scheduled Task/Job

        1
        T1053

        Defense Evasion

        Credential Access

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Email Collection

        1
        T1114

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmpED6D.tmp
          Filesize

          1KB

          MD5

          5df9b30424a296ece9e128b71387780a

          SHA1

          caa84ce847983c574a00e20794e663c09f383441

          SHA256

          ba1e95d76b9b37fbc93d943078f956d07b82418a86445705fa45df51e8ab1f51

          SHA512

          748f540f3188b6344fb783731206538e7e7395f7b31212e982c80923b8eca3185fc223b80a39a9bf1ece4768caa9ea163caaa44649ae1468bcb2486915f97be9

          Download Submit
        • memory/1584-10-0x0000000006790000-0x0000000006852000-memory.dmp
          Filesize

          776KB

          Download
        • memory/1584-3-0x0000000005220000-0x00000000052B2000-memory.dmp
          Filesize

          584KB

          Download
        • memory/1584-1-0x0000000000780000-0x0000000000872000-memory.dmp
          Filesize

          968KB

          Download
        • memory/1584-4-0x00000000052D0000-0x00000000052DA000-memory.dmp
          Filesize

          40KB

          Download
        • memory/1584-5-0x0000000074D80000-0x0000000075530000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/1584-6-0x0000000008120000-0x00000000081BC000-memory.dmp
          Filesize

          624KB

          Download
        • memory/1584-7-0x00000000053C0000-0x00000000053C8000-memory.dmp
          Filesize

          32KB

          Download
        • memory/1584-8-0x0000000074D80000-0x0000000075530000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/1584-20-0x0000000074D80000-0x0000000075530000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/1584-0-0x0000000074D8E000-0x0000000074D8F000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1584-9-0x0000000008360000-0x0000000008426000-memory.dmp
          Filesize

          792KB

          Download
        • memory/1584-2-0x0000000005720000-0x0000000005CC4000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/3804-37-0x0000000074D80000-0x0000000075530000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/3804-17-0x0000000005300000-0x0000000005378000-memory.dmp
          Filesize

          480KB

          Download
        • memory/3804-19-0x0000000074D80000-0x0000000075530000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/3804-18-0x00000000053F0000-0x0000000005456000-memory.dmp
          Filesize

          408KB

          Download
        • memory/3804-16-0x0000000074D80000-0x0000000075530000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/3804-21-0x0000000074D80000-0x0000000075530000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/3804-22-0x0000000074D80000-0x0000000075530000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/3804-23-0x0000000074D80000-0x0000000075530000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/3804-24-0x00000000079B0000-0x0000000007A00000-memory.dmp
          Filesize

          320KB

          Download
        • memory/3804-14-0x0000000000400000-0x00000000004B8000-memory.dmp
          Filesize

          736KB

          Download