zgrat | 350442635ff576593330b847b158ace7ee273318ba4a6589b73f8003f992cb93

General

Target

3cf040c41c92703f439c9f7e9e3928fc_JaffaCakes118.exe
Size

2.2MB
MD5

3cf040c41c92703f439c9f7e9e3928fc
SHA1

2cc2acec057898e67a512107217cdda2fc4d5fa1
SHA256

350442635ff576593330b847b158ace7ee273318ba4a6589b73f8003f992cb93
SHA512

01a7b52c234254fd16463ee2e91a74f8cc32acaca6db6fd5fbaa557c0ca6598d5d16ea99ad08b63c6acf0ca82ee960273e5f0349a0a4de6a802ea235c479d90a
SSDEEP

49152:VjcGr41xHm/X4YsCYCiLFzRf0K8TzTdyPbabsz2mpYJ:9EdMX4Y/kFzpD8TzMWbszIJ

Score

10^/10

zgrat collection discovery evasion rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral1/memory/2928-1-0x0000000001130000-0x00000000016A6000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-2-0x0000000001130000-0x00000000016A6000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3cf040c41c92703f439c9f7e9e3928fc_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3cf040c41c92703f439c9f7e9e3928fc_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3cf040c41c92703f439c9f7e9e3928fc_JaffaCakes118.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine	3cf040c41c92703f439c9f7e9e3928fc_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	3cf040c41c92703f439c9f7e9e3928fc_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	3cf040c41c92703f439c9f7e9e3928fc_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	3cf040c41c92703f439c9f7e9e3928fc_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
3	api.ipify.org
4	ip-api.com
6	api.ipify.org

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2928	3cf040c41c92703f439c9f7e9e3928fc_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1940	2928	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2928	3cf040c41c92703f439c9f7e9e3928fc_JaffaCakes118.exe
2928	3cf040c41c92703f439c9f7e9e3928fc_JaffaCakes118.exe
2928	3cf040c41c92703f439c9f7e9e3928fc_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2928	3cf040c41c92703f439c9f7e9e3928fc_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 1940	2928	3cf040c41c92703f439c9f7e9e3928fc_JaffaCakes118.exe	29
PID 2928 wrote to memory of 1940	2928	3cf040c41c92703f439c9f7e9e3928fc_JaffaCakes118.exe	29
PID 2928 wrote to memory of 1940	2928	3cf040c41c92703f439c9f7e9e3928fc_JaffaCakes118.exe	29
PID 2928 wrote to memory of 1940	2928	3cf040c41c92703f439c9f7e9e3928fc_JaffaCakes118.exe	29

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	3cf040c41c92703f439c9f7e9e3928fc_JaffaCakes118.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	3cf040c41c92703f439c9f7e9e3928fc_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\3cf040c41c92703f439c9f7e9e3928fc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3cf040c41c92703f439c9f7e9e3928fc_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Accesses Microsoft Outlook profiles
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 1820
  2⤵
  - Program crash
  PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

4

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ywyRyyVwLyuPBRP24F00D4B61\6124F00D4BywyRyyVwLyuPBRP\Browsers\Passwords\Passwords_Edge.txt

Filesize
52B

MD5
fdec4452a98b7d7f3dc83904cd82a724

SHA1
2b447ea859993ab549ee1547c72071e59cace07c

SHA256
59b16ba683aaf821362d2061fef52b52a909ad63be1192ef3d2374f3e8a4b235

SHA512
87a573d8a9a085ffeea49335d213f96cd55385a3afa281d1a4a321043e82cd81a324d1131c764d024966d9dcbcc219d78514b0cdce74f849fe33e0f9ce2df432

Download Submit
memory/2928-0-0x0000000001130000-0x00000000016A6000-memory.dmp

Filesize
5.5MB

Download
memory/2928-1-0x0000000001130000-0x00000000016A6000-memory.dmp

Filesize
5.5MB

Download
memory/2928-2-0x0000000001130000-0x00000000016A6000-memory.dmp

Filesize
5.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads