Analysis
-
max time kernel
122s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
17-05-2024 23:22
Behavioral task
behavioral1
Sample
52023b5bef184dd2d797d7263d2d2fc3_JaffaCakes118.exe
Resource
win7-20240221-en
5 signatures
150 seconds
General
-
Target
52023b5bef184dd2d797d7263d2d2fc3_JaffaCakes118.exe
-
Size
1.3MB
-
MD5
52023b5bef184dd2d797d7263d2d2fc3
-
SHA1
f3acec18ab64edb79c9882e05f4aaaca1be223a3
-
SHA256
e0b69eb31cb55ed63d3c72cf163bb4b1a169a0667de55c7bad34380b64c17a1e
-
SHA512
26cdb2c0ffb2222245e285322a464a21f48e4782b3cc8ff4dc9cedbd25c50abfd0f042b90c72c87adb41e3c31a8195613bd93c62c0860eccd5fcd0e91a4a54f1
-
SSDEEP
24576:4eHaEpawVp/IG968tWeySr3eVJ99W+h7puz2PV:4C/36YWRSr3Ac+hTV
Malware Config
Signatures
-
Detect ZGRat V2 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2012-1-0x00000000012E0000-0x0000000001428000-memory.dmp family_zgrat_v2 -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1580 2012 WerFault.exe 52023b5bef184dd2d797d7263d2d2fc3_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
52023b5bef184dd2d797d7263d2d2fc3_JaffaCakes118.exedescription pid process Token: SeDebugPrivilege 2012 52023b5bef184dd2d797d7263d2d2fc3_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
52023b5bef184dd2d797d7263d2d2fc3_JaffaCakes118.exedescription pid process target process PID 2012 wrote to memory of 1580 2012 52023b5bef184dd2d797d7263d2d2fc3_JaffaCakes118.exe WerFault.exe PID 2012 wrote to memory of 1580 2012 52023b5bef184dd2d797d7263d2d2fc3_JaffaCakes118.exe WerFault.exe PID 2012 wrote to memory of 1580 2012 52023b5bef184dd2d797d7263d2d2fc3_JaffaCakes118.exe WerFault.exe PID 2012 wrote to memory of 1580 2012 52023b5bef184dd2d797d7263d2d2fc3_JaffaCakes118.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\52023b5bef184dd2d797d7263d2d2fc3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\52023b5bef184dd2d797d7263d2d2fc3_JaffaCakes118.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 10082⤵
- Program crash
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2012-0-0x0000000074CDE000-0x0000000074CDF000-memory.dmpFilesize
4KB
-
memory/2012-1-0x00000000012E0000-0x0000000001428000-memory.dmpFilesize
1.3MB
-
memory/2012-2-0x0000000074CD0000-0x00000000753BE000-memory.dmpFilesize
6.9MB
-
memory/2012-3-0x0000000000DE0000-0x0000000000E66000-memory.dmpFilesize
536KB
-
memory/2012-4-0x0000000074CDE000-0x0000000074CDF000-memory.dmpFilesize
4KB
-
memory/2012-5-0x0000000074CD0000-0x00000000753BE000-memory.dmpFilesize
6.9MB