zeus | 049fc2018c02cf02f7b40a234544f1531f1bcb0c97b3b3ed3cb6bfbdce52d845

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.exe
Size

10.1MB
MD5

7d4c32d6cb113aedc60e6f6225a171f1
SHA1

c6ee7bdf6a5d0949bfdf0a0e9e35bd5068f729f6
SHA256

049fc2018c02cf02f7b40a234544f1531f1bcb0c97b3b3ed3cb6bfbdce52d845
SHA512

4ddf6ad0b04873c296db1492b55d11beb81baef6d5c9e4e6f588a26de60bc2b6ec3187a8ec788bf56e13cf14d37718a6b56129cea1c6289b5557e07722f89038
SSDEEP

196608:GfbBUgj3wTAH0JzQyohFnQqKHWWmV82gMNnZ3XEW7teOyFa6IMyDjRLaF1yp8:GTBUG4JzQyUGmwEnVXFMfOmTyO

Score

10^/10

zeus discovery spyware stealer

Malware Config

Signatures

Zeus
zeus

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinBrowModule.lnk	cmpinstall.tmp

Executes dropped EXE 6 IoCs

pid	Process
1820	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp
2348	cmpinstall.exe
1116	cmpinstall.tmp
1668	cmpinstall.exe
1960	ccsetup.exe
1264	cmpinstall.tmp

Loads dropped DLL 20 IoCs

pid	Process
2236	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.exe
1820	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp
2348	cmpinstall.exe
1116	cmpinstall.tmp
1820	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp
1116	cmpinstall.tmp
1116	cmpinstall.tmp
1116	cmpinstall.tmp
1668	cmpinstall.exe
1960	ccsetup.exe
1960	ccsetup.exe
1264	cmpinstall.tmp
1960	ccsetup.exe
1960	ccsetup.exe
1960	ccsetup.exe
1960	ccsetup.exe
1960	ccsetup.exe
1960	ccsetup.exe
1960	ccsetup.exe
1960	ccsetup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2628	ping.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1264	cmpinstall.tmp
1264	cmpinstall.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1264	cmpinstall.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1960	ccsetup.exe
1960	ccsetup.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 1820	2236	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.exe	30
PID 2236 wrote to memory of 1820	2236	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.exe	30
PID 2236 wrote to memory of 1820	2236	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.exe	30
PID 2236 wrote to memory of 1820	2236	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.exe	30
PID 2236 wrote to memory of 1820	2236	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.exe	30
PID 2236 wrote to memory of 1820	2236	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.exe	30
PID 2236 wrote to memory of 1820	2236	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.exe	30
PID 1820 wrote to memory of 2348	1820	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp	31
PID 1820 wrote to memory of 2348	1820	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp	31
PID 1820 wrote to memory of 2348	1820	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp	31
PID 1820 wrote to memory of 2348	1820	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp	31
PID 1820 wrote to memory of 2348	1820	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp	31
PID 1820 wrote to memory of 2348	1820	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp	31
PID 1820 wrote to memory of 2348	1820	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp	31
PID 2348 wrote to memory of 1116	2348	cmpinstall.exe	32
PID 2348 wrote to memory of 1116	2348	cmpinstall.exe	32
PID 2348 wrote to memory of 1116	2348	cmpinstall.exe	32
PID 2348 wrote to memory of 1116	2348	cmpinstall.exe	32
PID 2348 wrote to memory of 1116	2348	cmpinstall.exe	32
PID 2348 wrote to memory of 1116	2348	cmpinstall.exe	32
PID 2348 wrote to memory of 1116	2348	cmpinstall.exe	32
PID 1116 wrote to memory of 1668	1116	cmpinstall.tmp	33
PID 1116 wrote to memory of 1668	1116	cmpinstall.tmp	33
PID 1116 wrote to memory of 1668	1116	cmpinstall.tmp	33
PID 1116 wrote to memory of 1668	1116	cmpinstall.tmp	33
PID 1116 wrote to memory of 1668	1116	cmpinstall.tmp	33
PID 1116 wrote to memory of 1668	1116	cmpinstall.tmp	33
PID 1116 wrote to memory of 1668	1116	cmpinstall.tmp	33
PID 1820 wrote to memory of 1960	1820	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp	34
PID 1820 wrote to memory of 1960	1820	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp	34
PID 1820 wrote to memory of 1960	1820	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp	34
PID 1820 wrote to memory of 1960	1820	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp	34
PID 1820 wrote to memory of 1960	1820	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp	34
PID 1820 wrote to memory of 1960	1820	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp	34
PID 1820 wrote to memory of 1960	1820	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp	34
PID 1668 wrote to memory of 1264	1668	cmpinstall.exe	35
PID 1668 wrote to memory of 1264	1668	cmpinstall.exe	35
PID 1668 wrote to memory of 1264	1668	cmpinstall.exe	35
PID 1668 wrote to memory of 1264	1668	cmpinstall.exe	35
PID 1668 wrote to memory of 1264	1668	cmpinstall.exe	35
PID 1668 wrote to memory of 1264	1668	cmpinstall.exe	35
PID 1668 wrote to memory of 1264	1668	cmpinstall.exe	35
PID 1960 wrote to memory of 2628	1960	ccsetup.exe	37
PID 1960 wrote to memory of 2628	1960	ccsetup.exe	37
PID 1960 wrote to memory of 2628	1960	ccsetup.exe	37
PID 1960 wrote to memory of 2628	1960	ccsetup.exe	37

C:\Users\Admin\AppData\Local\Temp\7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\is-LIUBH.tmp\7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-LIUBH.tmp\7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp" /SL5="$70122,10176139,286720,C:\Users\Admin\AppData\Local\Temp\7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Users\Admin\AppData\Local\Temp\is-UV3KA.tmp\cmpinstall.exe
    "C:\Users\Admin\AppData\Local\Temp\is-UV3KA.tmp\cmpinstall.exe" /uid=7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Users\Admin\AppData\Local\Temp\is-ACMFP.tmp\cmpinstall.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-ACMFP.tmp\cmpinstall.tmp" /SL5="$301F8,239625,121344,C:\Users\Admin\AppData\Local\Temp\is-UV3KA.tmp\cmpinstall.exe" /uid=7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1116
    - - C:\Users\Admin\AppData\Local\Temp\is-UV3KA.tmp\cmpinstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-UV3KA.tmp\cmpinstall.exe" /VERYSILENT /uid=7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1668
      - C:\Users\Admin\AppData\Local\Temp\is-DP71P.tmp\cmpinstall.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DP71P.tmp\cmpinstall.tmp" /SL5="$401F8,239625,121344,C:\Users\Admin\AppData\Local\Temp\is-UV3KA.tmp\cmpinstall.exe" /VERYSILENT /uid=7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118
        6⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:1264
- - C:\Users\Admin\AppData\Local\Temp\is-UV3KA.tmp\ccsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-UV3KA.tmp\ccsetup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\SysWOW64\ping.exe
      ping -n 1 -w 1000 www.piriform.com
      4⤵
      Runs ping.exe
      PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst5A71.tmp\g\gcapi_dll.dll

Filesize
348KB

MD5
2973af8515effd0a3bfc7a43b03b3fcc

SHA1
4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee

SHA256
d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0

SHA512
b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5A71.tmp\ui\res\CC_logo_72x66.png

Filesize
7KB

MD5
a736159759a56c29575e49cb2a51f2b3

SHA1
b1594bbca4358886d25c3a1bc662d87c913318cb

SHA256
58e75de1789c90333daaf93176194d2a3d64f2eecdf57a4b9384a229e81f874f

SHA512
4da523a36375b37fa7bc4b4ccf7c93e1df7b2da15152edf7d419927aa1bb271ef8ba27fe734d2f623fcc02b47319e75333df014bed01eb466e0cd9ec4111ef53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5A71.tmp\ui\res\PF_computer.png

Filesize
87KB

MD5
7f4f45c9393a0664d9d0725a2ff42c6b

SHA1
b7b30eb534e6dc69e8e293443c157134569e8ce7

SHA256
dbd8b6fdb66604a0a5e8efe269fbfa598e4a94dc146006036409d905209da42b

SHA512
0c27f9ce615cbff3e17fd772ce3929ab4419d7432d96223b7eec1ba70953f2ac993404b954020247b52d7f7499212d44eb6f85da2e2676773cafe1ce89b390f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5A71.tmp\ui\res\PF_logo.png

Filesize
3KB

MD5
079cca30760cca3c01863b6b96e87848

SHA1
98c2ca01f248bc61817db7e5faea4a3d8310db50

SHA256
8dd37d3721e25c32c5bf878b6dba9e61d04b7ce8aec45bdf703a41bc41802dfa

SHA512
3e25c10e3a5830584c608b9178ab062e93e0e9009a7d897bb5e3561180b0b0910bd4178063d982eb33806a005c93931ae2ec5be520ec0d0c9a7c452cb78fd6a8

Download Submit
\Users\Admin\AppData\Local\Temp\is-ACMFP.tmp\cmpinstall.tmp

Filesize
1.1MB

MD5
90fc739c83cd19766acb562c66a7d0e2

SHA1
451f385a53d5fed15e7649e7891e05f231ef549a

SHA256
821bd11693bf4b4b2b9f3c196036e1f4902abd95fb26873ea6c43e123b8c9431

SHA512
4cb11ad48b7585ef1b70fac9e3c25610b2f64a16358cd51e32adcb0b17a6ab1c934aeb10adaa8e9ddf69b2e2f1d18fe2e87b49b39f89b05ea13aa3205e41296c

Download Submit
\Users\Admin\AppData\Local\Temp\is-LIUBH.tmp\7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp

Filesize
1.3MB

MD5
86d64857e181ff96c9f427e1828ee811

SHA1
dfef85e6cd197d29590148d9a1d2b760a9a71377

SHA256
1addb55def9d6bc9fcc5314227332f5db7e06858b59d0edf9e1c63d5bd872c2f

SHA512
515bb44bf87aa52184ee8022d0c494f943727dbb5a56557757e7cf40584b255ffb2587bb80d7744d5b53b12b9e49d4d81cecc84e1d7b4a55bfe716488914ff87

Download Submit
\Users\Admin\AppData\Local\Temp\is-UV3KA.tmp\ccsetup.exe

Filesize
9.0MB

MD5
46fa3b1351774f0180914ddb3f30b48b

SHA1
347705a7cd4a4c20f0d4159fa1ff1589fa0fa9f5

SHA256
3e0b1faf12fc72445e48251731bc6f4b4687b1f154a9a66890040f8091655339

SHA512
e504bdd49947cf85e28a7343f06bcf71b59ddb4d28853dd72c41e0ba3a1cae6d40f54ebc0973e26708c0ee6780828baea51db23b786257e259ffffe8e5240552

Download Submit
\Users\Admin\AppData\Local\Temp\is-UV3KA.tmp\cmpinstall.exe

Filesize
621KB

MD5
4ef65d56e02cb28ff30d222357a98763

SHA1
409be6ca2bf87c95464179c70cff89bda9c10839

SHA256
f93ddbc3af2a4dca4993d7821f6cf1d85ea9316c4e7dca85f543dd37860644c7

SHA512
9c72fde7ff008373b06e2759399351f6929c96d20312f8da5633de01b2a3ad947e87e4865341ba393273227667dbc29a8f34b49dccd9276e08d085e1230c82b7

Download Submit
\Users\Admin\AppData\Local\Temp\nst5A71.tmp\System.dll

Filesize
11KB

MD5
41a3c964232edd2d7d5edea53e8245cd

SHA1
76d7e1fbf15cc3da4dd63a063d6ab2f0868a2206

SHA256
8b65fec615c7b371c23f8f7f344b12dc5085e40a556f96db318ed757494d62d5

SHA512
fa16bd9d020602e3065afd5c0638bc37775b40eb18bfa33b4ca5babcc3e6f112ae7d43457a6e9685ddbe6e94b954a1dc43d1da7af9ca7464019a3f110af549c1

Download Submit
\Users\Admin\AppData\Local\Temp\nst5A71.tmp\UserInfo.dll

Filesize
4KB

MD5
c1f778a6d65178d34bde4206161a98e0

SHA1
29719fffef1ab6fe2df47e5ed258a5e3b3a11cfc

SHA256
9caf7a78f750713180cf64d18967a2b803b5580e636e59279dcaaf18ba0daa87

SHA512
9c3cf25cf43f85a5f9c9ed555f12f3626ef9daeeedd4d366ada58748ead1f6e279fea977c76ae8bae1dc49bfd852e899cb137c4a006c13e9fcebf6e5e2926a4d

Download Submit
\Users\Admin\AppData\Local\Temp\nst5A71.tmp\g\gtapi_signed.dll

Filesize
71KB

MD5
61bc40d1fad9e0faa9a07219b90ba0e4

SHA1
5b5c3badedba915707000d2047eaf13f27b8925e

SHA256
89e157a4f61d7d18180cb7f901c0095da3b7a5cc5a9fd58d710099e5f0ee505a

SHA512
fa341aa975c471082b4b6c380f794d1e9ab3939382972cfb9e1dbb3491f68296ad1cedc8f03736921c8e133f62432997de29642e223c2a97f1cab5ce91d68af9

Download Submit
\Users\Admin\AppData\Local\Temp\nst5A71.tmp\nsDialogs.dll

Filesize
9KB

MD5
2aba8f16eca82517460013a3de7cbf67

SHA1
3812192fa7b873f426c4b0d0d822b3c9d51aa164

SHA256
60b85fad2477b8c0138067be3697290b280b9334cf408cb57894e3baae615d0d

SHA512
4e059f70ef420c22d69199557ff3eab9e51fcefc75d220b057f1508f9566cd6251f9e06a8fe3695bf7d913ebabd2519ce52f485f2de9a5e4ab3ebc553b877fb0

Download Submit
\Users\Admin\AppData\Local\Temp\nst5A71.tmp\nsExec.dll

Filesize
6KB

MD5
5ed60250f74fa36a5a247a715bcd026e

SHA1
ff5f3ad0b32ede49a28e744664d086f6fe9e46b0

SHA256
ea8026766adc2d7cc26e2206cfdf5f0865b1426bfe3bc2aec8f43d3fc9a072ef

SHA512
2dd77324c1e0fea801a5cac1fe1d67349a5a93d4a9a459ee1e6b469f6ccce309fc45e513f38de238971b0a83d31e0afe3a2686eca8887772445209cde5735cee

Download Submit
\Users\Admin\AppData\Local\Temp\nst5A71.tmp\p\syschk.dll

Filesize
253KB

MD5
f46bc8015929e17a2b1aff097d7df0e4

SHA1
6c30de3e6a004021e231aaa62a2c5cedec72bc6d

SHA256
26602d21203cf28b0c840a57bee8f1ff52ff885223095797180c9afe91265c32

SHA512
ddee56e56a60db139029bc6a43e281d0eaeb8425363e28847e43819425e0ec28bb807408488a18fa492dbfe92f27f91f83575275f952cf35c81cee7b250d5cb2

Download Submit
\Users\Admin\AppData\Local\Temp\nst5A71.tmp\ui\pfUI.dll

Filesize
3.8MB

MD5
ad0964a9aab2c163e3f8972940654d7b

SHA1
76d40d601851fedf899c09502bb88dce46cef25a

SHA256
fbf5d2cf2bc07dd709a472dc7a6cd7c20fbed206a1515c63cfcd662c26dc1647

SHA512
10b40775ff7facd019c800d9fe0eb225f07b9c7f18c647f02844768c2361c451a6b5155700c03cc336e61a6312fe2824451e33e9bfca8b9d5011b25607ab11f2

Download Submit
\Users\Admin\AppData\Roaming\MicrosoftUpdate\chromecommon.dll

Filesize
192KB

MD5
e1c39d194d339aa6a4b4055b74daadc8

SHA1
b223e0e148cd3e639ca513532bccdb48a566f55c

SHA256
2f468922b993086c065a4b0a0b438daa15b88005f531ae7c1c809b612c746d37

SHA512
05d483d3c1aac443e171f9093bc2d59bfc442af1b3902cc2877291aca84116320f84b607b32404b5c4babbf4a8b1a7290ab38ab182e1286e1baf5bdfbf242741

Download Submit
memory/1116-35-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1264-210-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1668-212-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1668-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1820-102-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/1820-8-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/2236-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/2236-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2236-104-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2348-15-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2348-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download