zgrat | e0b69eb31cb55ed63d3c72cf163bb4b1a169a0667de55c7bad34380b64c17a1e

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-05-2024 23:22

Target

52023b5bef184dd2d797d7263d2d2fc3_JaffaCakes118.exe
Size

1.3MB
MD5

52023b5bef184dd2d797d7263d2d2fc3
SHA1

f3acec18ab64edb79c9882e05f4aaaca1be223a3
SHA256

e0b69eb31cb55ed63d3c72cf163bb4b1a169a0667de55c7bad34380b64c17a1e
SHA512

26cdb2c0ffb2222245e285322a464a21f48e4782b3cc8ff4dc9cedbd25c50abfd0f042b90c72c87adb41e3c31a8195613bd93c62c0860eccd5fcd0e91a4a54f1
SSDEEP

24576:4eHaEpawVp/IG968tWeySr3eVJ99W+h7puz2PV:4C/36YWRSr3Ac+hTV

Score

10^/10

zgrat rat

Detect ZGRat V2 1 IoCs

resource	yara_rule
behavioral1/memory/2012-1-0x00000000012E0000-0x0000000001428000-memory.dmp	family_zgrat_v2

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1580	2012	WerFault.exe	27

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	52023b5bef184dd2d797d7263d2d2fc3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1580	2012	52023b5bef184dd2d797d7263d2d2fc3_JaffaCakes118.exe	28
PID 2012 wrote to memory of 1580	2012	52023b5bef184dd2d797d7263d2d2fc3_JaffaCakes118.exe	28
PID 2012 wrote to memory of 1580	2012	52023b5bef184dd2d797d7263d2d2fc3_JaffaCakes118.exe	28
PID 2012 wrote to memory of 1580	2012	52023b5bef184dd2d797d7263d2d2fc3_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\52023b5bef184dd2d797d7263d2d2fc3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\52023b5bef184dd2d797d7263d2d2fc3_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1008
  2⤵
  - Program crash
  PID:1580

memory/2012-0-0x0000000074CDE000-0x0000000074CDF000-memory.dmp

Filesize
4KB

Download
memory/2012-1-0x00000000012E0000-0x0000000001428000-memory.dmp

Filesize
1.3MB

Download
memory/2012-2-0x0000000074CD0000-0x00000000753BE000-memory.dmp

Filesize
6.9MB

Download
memory/2012-3-0x0000000000DE0000-0x0000000000E66000-memory.dmp

Filesize
536KB

Download
memory/2012-4-0x0000000074CDE000-0x0000000074CDF000-memory.dmp

Filesize
4KB

Download
memory/2012-5-0x0000000074CD0000-0x00000000753BE000-memory.dmp

Filesize
6.9MB

Download