Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
11-05-2024 07:26
General
-
Target
336e6d4b9e8b8ac0d191a99d992e40b0_JaffaCakes118.exe
-
Size
564KB
-
MD5
336e6d4b9e8b8ac0d191a99d992e40b0
-
SHA1
d204e15e169d909171fbae5a8445c8f974d316c9
-
SHA256
ceb87ebc670d67f91d08ccc0ea6c6a24f974e99890839d5147f7feb597b51489
-
SHA512
c52e6ce618810df0719fe647b8e70ff275199bb4a0d5628429de40b16d466b6d4538704024f03db8fad91b658c8d351637ca016eba1d8566af736fb3035029dd
-
SSDEEP
12288:sREMc3GfziFWwrOO4pe+F3Q4/Pa6K6g+RgDNEV1850RixGs4Pi7ot:sqMqyFwrODpe+C36K6g+R6EHe0RixP4f
Malware Config
Signatures
-
Detect ZGRat V1 1 IoCs
-
Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\336e6d4b9e8b8ac0d191a99d992e40b0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\336e6d4b9e8b8ac0d191a99d992e40b0_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\336e6d4b9e8b8ac0d191a99d992e40b0_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\AdobeReder10.exe"2⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Local\AdobeReder10.exe"2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\AdobeReder10.exe"C:\Users\Admin\AppData\Local\AdobeReder10.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\AdobeReder10.exe"C:\Users\Admin\AppData\Local\AdobeReder10.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
564KB
MD5336e6d4b9e8b8ac0d191a99d992e40b0
SHA1d204e15e169d909171fbae5a8445c8f974d316c9
SHA256ceb87ebc670d67f91d08ccc0ea6c6a24f974e99890839d5147f7feb597b51489
SHA512c52e6ce618810df0719fe647b8e70ff275199bb4a0d5628429de40b16d466b6d4538704024f03db8fad91b658c8d351637ca016eba1d8566af736fb3035029dd
-
Filesize
1KB
MD58ec831f3e3a3f77e4a7b9cd32b48384c
SHA1d83f09fd87c5bd86e045873c231c14836e76a05c
SHA2567667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA51226bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
-
Filesize
696KB
-
Filesize
88KB
-
Filesize
96KB
-
Filesize
408KB
-
Filesize
160KB
-
Filesize
64KB
-
Filesize
344KB
-
Filesize
624KB
-
Filesize
24KB
-
Filesize
704KB
-
Filesize
7.7MB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
5.6MB
-
Filesize
224KB
-
Filesize
584KB
-
Filesize
7.7MB