zgrat | bd3b6502224d6aa64a38ec8854d9aa4d015c803b90bf5ccc2527f5d3021fbaf8

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dab021a3f3de36764faea9bdf6a58a4_JaffaCakes118.msi
Size

412KB
MD5

3dab021a3f3de36764faea9bdf6a58a4
SHA1

db94f26d20b10730445deb16a1c2b521b4f15849
SHA256

bd3b6502224d6aa64a38ec8854d9aa4d015c803b90bf5ccc2527f5d3021fbaf8
SHA512

8ef5db5de0e100f06f45b34cd28b564b3cc792fd284fcd87f647b3c35683114751925359b65f5aec829dd65ed8c3e99ec889275c7d6e6f2d179c8b7c855af998
SSDEEP

12288:yEHgAVG3oSEKyNJD4xEbMMEOn8c23H93:yEAlyVNJD8qR8c2X

Score

10^/10

zgrat agilenet persistence rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/4380-14-0x0000000007160000-0x0000000007188000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/4380-14-0x0000000007160000-0x0000000007188000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe -boot"	svchost.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	MSIA960.tmp

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1112 set thread context of 2948	1112	svchost.exe	114

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57a76b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57a76b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA8B3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA960.tmp	msiexec.exe

Executes dropped EXE 3 IoCs

pid	Process
4380	MSIA960.tmp
1112	svchost.exe
2948	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000073c7eb973396fb40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000073c7eb90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900073c7eb9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d073c7eb9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000073c7eb900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
752	msiexec.exe
752	msiexec.exe
4380	MSIA960.tmp
4380	MSIA960.tmp
1112	svchost.exe
1112	svchost.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3788	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3788	msiexec.exe
Token: SeSecurityPrivilege	752	msiexec.exe
Token: SeCreateTokenPrivilege	3788	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3788	msiexec.exe
Token: SeLockMemoryPrivilege	3788	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3788	msiexec.exe
Token: SeMachineAccountPrivilege	3788	msiexec.exe
Token: SeTcbPrivilege	3788	msiexec.exe
Token: SeSecurityPrivilege	3788	msiexec.exe
Token: SeTakeOwnershipPrivilege	3788	msiexec.exe
Token: SeLoadDriverPrivilege	3788	msiexec.exe
Token: SeSystemProfilePrivilege	3788	msiexec.exe
Token: SeSystemtimePrivilege	3788	msiexec.exe
Token: SeProfSingleProcessPrivilege	3788	msiexec.exe
Token: SeIncBasePriorityPrivilege	3788	msiexec.exe
Token: SeCreatePagefilePrivilege	3788	msiexec.exe
Token: SeCreatePermanentPrivilege	3788	msiexec.exe
Token: SeBackupPrivilege	3788	msiexec.exe
Token: SeRestorePrivilege	3788	msiexec.exe
Token: SeShutdownPrivilege	3788	msiexec.exe
Token: SeDebugPrivilege	3788	msiexec.exe
Token: SeAuditPrivilege	3788	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3788	msiexec.exe
Token: SeChangeNotifyPrivilege	3788	msiexec.exe
Token: SeRemoteShutdownPrivilege	3788	msiexec.exe
Token: SeUndockPrivilege	3788	msiexec.exe
Token: SeSyncAgentPrivilege	3788	msiexec.exe
Token: SeEnableDelegationPrivilege	3788	msiexec.exe
Token: SeManageVolumePrivilege	3788	msiexec.exe
Token: SeImpersonatePrivilege	3788	msiexec.exe
Token: SeCreateGlobalPrivilege	3788	msiexec.exe
Token: SeBackupPrivilege	3580	vssvc.exe
Token: SeRestorePrivilege	3580	vssvc.exe
Token: SeAuditPrivilege	3580	vssvc.exe
Token: SeBackupPrivilege	752	msiexec.exe
Token: SeRestorePrivilege	752	msiexec.exe
Token: SeRestorePrivilege	752	msiexec.exe
Token: SeTakeOwnershipPrivilege	752	msiexec.exe
Token: SeRestorePrivilege	752	msiexec.exe
Token: SeTakeOwnershipPrivilege	752	msiexec.exe
Token: SeRestorePrivilege	752	msiexec.exe
Token: SeTakeOwnershipPrivilege	752	msiexec.exe
Token: SeDebugPrivilege	4380	MSIA960.tmp
Token: SeRestorePrivilege	752	msiexec.exe
Token: SeTakeOwnershipPrivilege	752	msiexec.exe
Token: SeRestorePrivilege	752	msiexec.exe
Token: SeTakeOwnershipPrivilege	752	msiexec.exe
Token: SeBackupPrivilege	3756	srtasks.exe
Token: SeRestorePrivilege	3756	srtasks.exe
Token: SeSecurityPrivilege	3756	srtasks.exe
Token: SeTakeOwnershipPrivilege	3756	srtasks.exe
Token: SeDebugPrivilege	1112	svchost.exe
Token: SeBackupPrivilege	3756	srtasks.exe
Token: SeRestorePrivilege	3756	srtasks.exe
Token: SeSecurityPrivilege	3756	srtasks.exe
Token: SeTakeOwnershipPrivilege	3756	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3788	msiexec.exe
3788	msiexec.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 3756	752	msiexec.exe	104
PID 752 wrote to memory of 3756	752	msiexec.exe	104
PID 752 wrote to memory of 4380	752	msiexec.exe	106
PID 752 wrote to memory of 4380	752	msiexec.exe	106
PID 752 wrote to memory of 4380	752	msiexec.exe	106
PID 4380 wrote to memory of 416	4380	MSIA960.tmp	107
PID 4380 wrote to memory of 416	4380	MSIA960.tmp	107
PID 4380 wrote to memory of 416	4380	MSIA960.tmp	107
PID 4380 wrote to memory of 4616	4380	MSIA960.tmp	110
PID 4380 wrote to memory of 4616	4380	MSIA960.tmp	110
PID 4380 wrote to memory of 4616	4380	MSIA960.tmp	110
PID 5088 wrote to memory of 1112	5088	explorer.exe	112
PID 5088 wrote to memory of 1112	5088	explorer.exe	112
PID 5088 wrote to memory of 1112	5088	explorer.exe	112
PID 1112 wrote to memory of 2948	1112	svchost.exe	114
PID 1112 wrote to memory of 2948	1112	svchost.exe	114
PID 1112 wrote to memory of 2948	1112	svchost.exe	114
PID 1112 wrote to memory of 2948	1112	svchost.exe	114
PID 1112 wrote to memory of 2948	1112	svchost.exe	114
PID 1112 wrote to memory of 2948	1112	svchost.exe	114
PID 1112 wrote to memory of 2948	1112	svchost.exe	114
PID 1112 wrote to memory of 2948	1112	svchost.exe	114
PID 1112 wrote to memory of 2948	1112	svchost.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3dab021a3f3de36764faea9bdf6a58a4_JaffaCakes118.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3788

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:752
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3756
- C:\Windows\Installer\MSIA960.tmp
  "C:\Windows\Installer\MSIA960.tmp"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Windows\Installer\MSIA960.tmp" "C:\Users\Admin\AppData\Local\svchost.exe"
    3⤵
    PID:416
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Local\svchost.exe"
    3⤵
    PID:4616

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Users\Admin\AppData\Local\svchost.exe
  "C:\Users\Admin\AppData\Local\svchost.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Users\Admin\AppData\Local\svchost.exe
    "C:\Users\Admin\AppData\Local\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57a76e.rbs

Filesize
663B

MD5
635359e7c40dc82be6675100c015eb70

SHA1
5e289eebcfc6d95cd342f43e5d450a8e17f21121

SHA256
73ca4586bb0938abefa6b1515d9296ea1f5ad2f241f7c4af705b1a1c5ab18157

SHA512
7cf207d01ae9f3c6c00b3ade015b73a1a6736e95765ae0898beb98b0e65a6ae1e17bc8fa7b1fb24dee9672b0feca4d9d4a6bcff20115a6582a72f592c95af14d

Download Submit
C:\Windows\Installer\MSIA960.tmp

Filesize
385KB

MD5
82c87b45d33e0b49c0c0bb71e8e89ffa

SHA1
19214137d254c6ae23a719cb3b20236a6cae05c3

SHA256
b1ae085c89f7fa234cd08cf94b2256deb9fcb61960b38d707798be0374a71816

SHA512
041f6cbe568ea979041da911a09488996174ceba124e371f1cc53d7a45bfb268a9df8a2cf171a07a31d3030d0092ac6cb8b42c02ea8271c468d70678b769dcba

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
8b8dab6822e82fdb2f13ee090f75a874

SHA1
3d691b29c17aba855de1300188a90abbc42b88fe

SHA256
eb44629bb597668b9a2fdb2ecf790aa9ab40a4bc456ce1ebceecc9bb5d126664

SHA512
bd471ba3d24db00d07bc206d0008ca2ff5f8265507cf554f5e2dc84d317bf7aae0973a0942c8222295c1619c9c63ad25dcbe331cde83883ef96870e3dbaf9c11

Download Submit
\??\Volume{b97e3c07-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2b4ccd16-cfb5-4d7b-9bfc-620bc424deda}_OnDiskSnapshotProp

Filesize
6KB

MD5
bd0c1fe6385a43d4a1ab9f6d00a4ffb3

SHA1
c402184274853487224be3f2d6c4de6f8958c8cd

SHA256
e0eaaf79c0b6a4c4242219e3d815791e67b2ae0d6abf70f3eba22b4fa4db3bf6

SHA512
0b607e79d72c9874356edbf15d0a7d39d0ad99a1f2c847cce18e519029b7332eb7774d77847cce1db453c7ba5c6db5ca4e16c0b45ff6d1ee2408357f59c084ba

Download Submit
memory/1112-34-0x0000000008BF0000-0x0000000008C8C000-memory.dmp

Filesize
624KB

Download
memory/4380-12-0x0000000000220000-0x0000000000286000-memory.dmp

Filesize
408KB

Download
memory/4380-13-0x0000000007080000-0x00000000070F4000-memory.dmp

Filesize
464KB

Download
memory/4380-14-0x0000000007160000-0x0000000007188000-memory.dmp

Filesize
160KB

Download
memory/4380-15-0x0000000007740000-0x0000000007CE4000-memory.dmp

Filesize
5.6MB

Download
memory/4380-16-0x0000000007280000-0x0000000007312000-memory.dmp

Filesize
584KB

Download