Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-05-2024 23:22

General

  • Target

    52023b5bef184dd2d797d7263d2d2fc3_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    52023b5bef184dd2d797d7263d2d2fc3

  • SHA1

    f3acec18ab64edb79c9882e05f4aaaca1be223a3

  • SHA256

    e0b69eb31cb55ed63d3c72cf163bb4b1a169a0667de55c7bad34380b64c17a1e

  • SHA512

    26cdb2c0ffb2222245e285322a464a21f48e4782b3cc8ff4dc9cedbd25c50abfd0f042b90c72c87adb41e3c31a8195613bd93c62c0860eccd5fcd0e91a4a54f1

  • SSDEEP

    24576:4eHaEpawVp/IG968tWeySr3eVJ99W+h7puz2PV:4C/36YWRSr3Ac+hTV

Score
10/10

Malware Config

Signatures

  • Detect ZGRat V2 1 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\52023b5bef184dd2d797d7263d2d2fc3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\52023b5bef184dd2d797d7263d2d2fc3_JaffaCakes118.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1008
      2⤵
      • Program crash
      PID:1580

Network

  • flag-us
    DNS
    www.chromacheats.com
    52023b5bef184dd2d797d7263d2d2fc3_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    www.chromacheats.com
    IN A
    Response
    www.chromacheats.com
    IN A
    103.224.182.242
  • flag-us
    POST
    http://www.chromacheats.com/forum/test_4.php
    52023b5bef184dd2d797d7263d2d2fc3_JaffaCakes118.exe
    Remote address:
    103.224.182.242:80
    Request
    POST /forum/test_4.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
    Host: www.chromacheats.com
    Cache-Control: no-store,no-cache
    Pragma: no-cache
    Content-Length: 172
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    date: Fri, 17 May 2024 23:23:05 GMT
    server: Apache
    set-cookie: __tad=1715988185.7253437; expires=Mon, 15-May-2034 23:23:05 GMT; Max-Age=315360000
    vary: Accept-Encoding
    content-encoding: gzip
    content-length: 587
    content-type: text/html; charset=UTF-8
    connection: close
  • 103.224.182.242:80
    http://www.chromacheats.com/forum/test_4.php
    http
    52023b5bef184dd2d797d7263d2d2fc3_JaffaCakes118.exe
    792 B
    1.2kB
    6
    6

    HTTP Request

    POST http://www.chromacheats.com/forum/test_4.php

    HTTP Response

    200
  • 8.8.8.8:53
    www.chromacheats.com
    dns
    52023b5bef184dd2d797d7263d2d2fc3_JaffaCakes118.exe
    66 B
    82 B
    1
    1

    DNS Request

    www.chromacheats.com

    DNS Response

    103.224.182.242

MITRE ATT&CK Matrix


Downloads

  • memory/2012-0-0x0000000074CDE000-0x0000000074CDF000-memory.dmp

    Filesize

    4KB

  • memory/2012-1-0x00000000012E0000-0x0000000001428000-memory.dmp

    Filesize

    1.3MB

  • memory/2012-2-0x0000000074CD0000-0x00000000753BE000-memory.dmp

    Filesize

    6.9MB

  • memory/2012-3-0x0000000000DE0000-0x0000000000E66000-memory.dmp

    Filesize

    536KB

  • memory/2012-4-0x0000000074CDE000-0x0000000074CDF000-memory.dmp

    Filesize

    4KB

  • memory/2012-5-0x0000000074CD0000-0x00000000753BE000-memory.dmp

    Filesize

    6.9MB
