zgrat | eb8d4be3f8cb5b348afd8a574eb38e8c419e6e8a6678d38f06c0369703dacffb

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 02:36

Target

3d942f261cc748e9c2ab91a26a6b53d4_JaffaCakes118.exe
Size

340KB
MD5

3d942f261cc748e9c2ab91a26a6b53d4
SHA1

c5dc06b29bb38eb86fbe22b3b681a5f523f68293
SHA256

eb8d4be3f8cb5b348afd8a574eb38e8c419e6e8a6678d38f06c0369703dacffb
SHA512

ba32e2ae6067059c2c4895025d25fbb2837032e21e5af40bd8137642dd9f631e5477b853caa853054a0ebc51bce519ab9244f4ecb7bdf75bcf0641a435a65920
SSDEEP

3072:tNd6gEYAqvZvxN3p4pxKqcJ0GYNNSWv4bwEZypklN3yoXeIU/4HjBLPMQ/BN63hw:fEOv5xVp4pxhcCE04bB/LGDTU

Score

10^/10

zgrat rat

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1788-1-0x0000000000C00000-0x0000000000C5A000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 pastebin.com
1 pastebin.com
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3144 1788 WerFault.exe 3d942f261cc748e9c2ab91a26a6b53d4_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3d942f261cc748e9c2ab91a26a6b53d4_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 1788 3d942f261cc748e9c2ab91a26a6b53d4_JaffaCakes118.exe

flow	ioc
2	pastebin.com
1	pastebin.com

pid	pid_target	process	target process
3144	1788	WerFault.exe	3d942f261cc748e9c2ab91a26a6b53d4_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1788	3d942f261cc748e9c2ab91a26a6b53d4_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\3d942f261cc748e9c2ab91a26a6b53d4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3d942f261cc748e9c2ab91a26a6b53d4_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1788
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1752
  2⤵
  - Program crash
  PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1788 -ip 1788
1⤵
PID:4024

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

memory/1788-0-0x000000007515E000-0x000000007515F000-memory.dmp

Filesize
4KB

Download
memory/1788-1-0x0000000000C00000-0x0000000000C5A000-memory.dmp

Filesize
360KB

Download
memory/1788-2-0x0000000005600000-0x000000000569C000-memory.dmp

Filesize
624KB

Download
memory/1788-3-0x0000000005C50000-0x00000000061F4000-memory.dmp

Filesize
5.6MB

Download
memory/1788-4-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download
memory/1788-5-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download