adwind | 76e5152fac663c8b62216087394df3516eb574686df01c77c85e27c7b9b531b4

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe
Size

1.8MB
MD5

2f458c33db76f5a0cedacef12448de7a
SHA1

255009db52b3f7c248b531ccaaa92d06e87f0835
SHA256

76e5152fac663c8b62216087394df3516eb574686df01c77c85e27c7b9b531b4
SHA512

b815a34aad7e100aa493a4b4d05cb1379f28b0c4bd112675986945724aa4e47b434fc2de9a3efa0c0351559a6b7092463e59f97991f1e24e85f74187497a38a0
SSDEEP

24576:DZj28ewfikbzlKf8Y67OQGPrp0oB2PdEvNOSz3gPwB:FM3yJKsRcTB7vNHzV

Score

10^/10

adwind agenttesla zgrat collection discovery keylogger persistence rat spyware stealer trojan

Malware Config

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Class file contains resources related to AdWind 1 IoCs

resource	yara_rule
sample	family_adwind5

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/4824-5-0x0000000004D80000-0x0000000004DA0000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4784	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyOtApp = "C:\\Users\\Admin\\AppData\\Roaming\\MyOtApp\\MyOtApp.exe"	2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	checkip.dyndns.org

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\test.txt	javaw.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4824 set thread context of 5096	4824	2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5096	2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe
5096	2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4824	2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe
Token: SeDebugPrivilege	5096	2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5096	2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe
1692	javaw.exe
4088	java.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 5096	4824	2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe	90
PID 4824 wrote to memory of 5096	4824	2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe	90
PID 4824 wrote to memory of 5096	4824	2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe	90
PID 4824 wrote to memory of 5096	4824	2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe	90
PID 4824 wrote to memory of 5096	4824	2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe	90
PID 4824 wrote to memory of 5096	4824	2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe	90
PID 4824 wrote to memory of 5096	4824	2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe	90
PID 4824 wrote to memory of 5096	4824	2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe	90
PID 5096 wrote to memory of 1692	5096	2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe	91
PID 5096 wrote to memory of 1692	5096	2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe	91
PID 1692 wrote to memory of 4784	1692	javaw.exe	92
PID 1692 wrote to memory of 4784	1692	javaw.exe	92
PID 1692 wrote to memory of 4088	1692	javaw.exe	94
PID 1692 wrote to memory of 4088	1692	javaw.exe	94
PID 1692 wrote to memory of 1144	1692	javaw.exe	96
PID 1692 wrote to memory of 1144	1692	javaw.exe	96
PID 4088 wrote to memory of 1960	4088	java.exe	98
PID 4088 wrote to memory of 1960	4088	java.exe	98
PID 1144 wrote to memory of 4868	1144	cmd.exe	100
PID 1144 wrote to memory of 4868	1144	cmd.exe	100
PID 1960 wrote to memory of 4256	1960	cmd.exe	101
PID 1960 wrote to memory of 4256	1960	cmd.exe	101
PID 1692 wrote to memory of 2172	1692	javaw.exe	102
PID 1692 wrote to memory of 2172	1692	javaw.exe	102
PID 4088 wrote to memory of 3544	4088	java.exe	103
PID 4088 wrote to memory of 3544	4088	java.exe	103
PID 2172 wrote to memory of 3884	2172	cmd.exe	106
PID 2172 wrote to memory of 3884	2172	cmd.exe	106
PID 3544 wrote to memory of 612	3544	cmd.exe	107
PID 3544 wrote to memory of 612	3544	cmd.exe	107
PID 1692 wrote to memory of 4652	1692	javaw.exe	108
PID 1692 wrote to memory of 4652	1692	javaw.exe	108
PID 4088 wrote to memory of 4552	4088	java.exe	110
PID 4088 wrote to memory of 4552	4088	java.exe	110
PID 1692 wrote to memory of 4884	1692	javaw.exe	112
PID 1692 wrote to memory of 4884	1692	javaw.exe	112

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Users\Admin\AppData\Local\Temp\2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:5096
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tsd.jar"
    3⤵
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      4⤵
      Modifies file permissions
      PID:4784
  - - C:\Program Files\Java\jre-1.8\bin\java.exe
      "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.240959995357804558622598056442380931.class
      4⤵
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4088
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2785890494732473370.vbs
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1960
      - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2785890494732473370.vbs
        6⤵
        
        PID:4256
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1271359063452001103.vbs
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3544
      - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1271359063452001103.vbs
        6⤵
        
        PID:612
    - - C:\Windows\SYSTEM32\xcopy.exe
        
        xcopy "C:\Program Files\Java\jre-1.8" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
        5⤵
        
        PID:4552
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8138459046842943144.vbs
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1144
    - - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8138459046842943144.vbs
        5⤵
        
        PID:4868
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7662019489415785045.vbs
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2172
    - - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7662019489415785045.vbs
        5⤵
        
        PID:3884
  - - C:\Windows\SYSTEM32\xcopy.exe
      xcopy "C:\Program Files\Java\jre-1.8" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
      4⤵
      PID:4652
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe
      4⤵
      PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
0e127f9732766e762fe423e6ccd44bf0

SHA1
7769f2dc4bcb561f8e8bc85255421e2f96b38637

SHA256
0624c953eda7d00664f08fafa07ae24d7e6cb06d4cfa2f380f11b5edea5522f0

SHA512
27f057a033e237928ebdc91d1380d0d2bde59bdc9ea6cb3e8c60161f8393715736eb1ae045559d5341c4a88bc810ccec0b576a31014e807c108601b1854db767

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2f458c33db76f5a0cedacef12448de7a_JaffaCakes118.exe.log

Filesize
1KB

MD5
8a806010f1c0bf52164f9ba750ebe937

SHA1
934560414cd5075bfed7778cbbe04ed31eb32bcc

SHA256
d85553adf0396b733496220dde928f5b5424d0836be8c9f00cf040f8e6c85eda

SHA512
6b2bd12a9756774817411b13fe6395497767c524c4d64e452758c6f6838eb861a0f37c374aaefa994cc71ed308c068d0c55cab0608a9c20aa560c0b36f06e96f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive2785890494732473370.vbs

Filesize
276B

MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive7662019489415785045.vbs

Filesize
281B

MD5
a32c109297ed1ca155598cd295c26611

SHA1
dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

SHA256
45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

SHA512
70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.240959995357804558622598056442380931.class

Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3558294865-3673844354-2255444939-1000\83aa4cc77f591dfc2374580bbd95f6ba_39fbc0df-d496-4ae0-b1d7-bde60e245d90

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tsd.jar

Filesize
473KB

MD5
7da7000ca39ce69997bbcad56fa8d180

SHA1
5178465612c87a838fdfaa03b2148baf05a71768

SHA256
9d817b32fd59dbbe3a17f0c73d4be0b3301df89be5389bb2e81532bda93e34f8

SHA512
5999a976b75bbc457c1b38fa6e0f8149e9ffeedf3e5895d9b4478ffa94d53bf8d38b1df8aa8238423f6eb5b89c0a4bb36fa342033c6597214d12c6def53887d4

Download Submit
memory/1692-135-0x0000021D236E0000-0x0000021D236E1000-memory.dmp

Filesize
4KB

Download
memory/1692-183-0x0000021D236E0000-0x0000021D236E1000-memory.dmp

Filesize
4KB

Download
memory/1692-161-0x0000021D236E0000-0x0000021D236E1000-memory.dmp

Filesize
4KB

Download
memory/1692-224-0x0000021D236E0000-0x0000021D236E1000-memory.dmp

Filesize
4KB

Download
memory/1692-150-0x0000021D236E0000-0x0000021D236E1000-memory.dmp

Filesize
4KB

Download
memory/1692-149-0x0000021D236E0000-0x0000021D236E1000-memory.dmp

Filesize
4KB

Download
memory/1692-223-0x0000021D236E0000-0x0000021D236E1000-memory.dmp

Filesize
4KB

Download
memory/1692-175-0x0000021D25000000-0x0000021D25270000-memory.dmp

Filesize
2.4MB

Download
memory/1692-55-0x0000021D236E0000-0x0000021D236E1000-memory.dmp

Filesize
4KB

Download
memory/1692-84-0x0000021D236E0000-0x0000021D236E1000-memory.dmp

Filesize
4KB

Download
memory/1692-184-0x0000021D236E0000-0x0000021D236E1000-memory.dmp

Filesize
4KB

Download
memory/1692-70-0x0000021D236E0000-0x0000021D236E1000-memory.dmp

Filesize
4KB

Download
memory/1692-26-0x0000021D25000000-0x0000021D25270000-memory.dmp

Filesize
2.4MB

Download
memory/1692-191-0x0000021D236E0000-0x0000021D236E1000-memory.dmp

Filesize
4KB

Download
memory/1692-227-0x0000021D236E0000-0x0000021D236E1000-memory.dmp

Filesize
4KB

Download
memory/1692-211-0x0000021D236E0000-0x0000021D236E1000-memory.dmp

Filesize
4KB

Download
memory/4088-136-0x000001D4722B0000-0x000001D4722B1000-memory.dmp

Filesize
4KB

Download
memory/4088-73-0x000001D4722B0000-0x000001D4722B1000-memory.dmp

Filesize
4KB

Download
memory/4088-134-0x000001D4722B0000-0x000001D4722B1000-memory.dmp

Filesize
4KB

Download
memory/4824-8-0x0000000006A50000-0x0000000006AEC000-memory.dmp

Filesize
624KB

Download
memory/4824-1-0x0000000000160000-0x000000000032C000-memory.dmp

Filesize
1.8MB

Download
memory/4824-2-0x0000000005360000-0x0000000005904000-memory.dmp

Filesize
5.6MB

Download
memory/4824-3-0x0000000004CE0000-0x0000000004D72000-memory.dmp

Filesize
584KB

Download
memory/4824-4-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/4824-5-0x0000000004D80000-0x0000000004DA0000-memory.dmp

Filesize
128KB

Download
memory/4824-6-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/4824-0-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/4824-7-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/4824-12-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/5096-16-0x0000000005D20000-0x0000000005D86000-memory.dmp

Filesize
408KB

Download
memory/5096-9-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/5096-13-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/5096-14-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/5096-15-0x0000000005360000-0x0000000005378000-memory.dmp

Filesize
96KB

Download
memory/5096-63-0x0000000006FB0000-0x0000000006FBA000-memory.dmp

Filesize
40KB

Download
memory/5096-17-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/5096-25-0x0000000006900000-0x000000000690A000-memory.dmp

Filesize
40KB

Download
memory/5096-27-0x0000000006F60000-0x0000000006FB0000-memory.dmp

Filesize
320KB

Download