zeus | 049fc2018c02cf02f7b40a234544f1531f1bcb0c97b3b3ed3cb6bfbdce52d845

General

Target

7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.exe
Size

10.1MB
MD5

7d4c32d6cb113aedc60e6f6225a171f1
SHA1

c6ee7bdf6a5d0949bfdf0a0e9e35bd5068f729f6
SHA256

049fc2018c02cf02f7b40a234544f1531f1bcb0c97b3b3ed3cb6bfbdce52d845
SHA512

4ddf6ad0b04873c296db1492b55d11beb81baef6d5c9e4e6f588a26de60bc2b6ec3187a8ec788bf56e13cf14d37718a6b56129cea1c6289b5557e07722f89038
SSDEEP

196608:GfbBUgj3wTAH0JzQyohFnQqKHWWmV82gMNnZ3XEW7teOyFa6IMyDjRLaF1yp8:GTBUG4JzQyUGmwEnVXFMfOmTyO

Score

10^/10

zeus spyware stealer

Malware Config

Signatures

Zeus
zeus

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	cmpinstall.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinBrowModule.lnk	cmpinstall.tmp

Executes dropped EXE 6 IoCs

pid	Process
5032	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp
3524	cmpinstall.exe
888	cmpinstall.tmp
1604	ccsetup.exe
5088	cmpinstall.exe
2308	cmpinstall.tmp

Loads dropped DLL 1 IoCs

pid	Process
2308	cmpinstall.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2308	cmpinstall.tmp
2308	cmpinstall.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2308	cmpinstall.tmp

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 5032	2024	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.exe	83
PID 2024 wrote to memory of 5032	2024	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.exe	83
PID 2024 wrote to memory of 5032	2024	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.exe	83
PID 5032 wrote to memory of 3524	5032	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp	84
PID 5032 wrote to memory of 3524	5032	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp	84
PID 5032 wrote to memory of 3524	5032	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp	84
PID 3524 wrote to memory of 888	3524	cmpinstall.exe	85
PID 3524 wrote to memory of 888	3524	cmpinstall.exe	85
PID 3524 wrote to memory of 888	3524	cmpinstall.exe	85
PID 5032 wrote to memory of 1604	5032	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp	86
PID 5032 wrote to memory of 1604	5032	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp	86
PID 5032 wrote to memory of 1604	5032	7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp	86
PID 1604 wrote to memory of 2852	1604	ccsetup.exe	87
PID 1604 wrote to memory of 2852	1604	ccsetup.exe	87
PID 888 wrote to memory of 5088	888	cmpinstall.tmp	88
PID 888 wrote to memory of 5088	888	cmpinstall.tmp	88
PID 888 wrote to memory of 5088	888	cmpinstall.tmp	88
PID 5088 wrote to memory of 2308	5088	cmpinstall.exe	91
PID 5088 wrote to memory of 2308	5088	cmpinstall.exe	91
PID 5088 wrote to memory of 2308	5088	cmpinstall.exe	91

C:\Users\Admin\AppData\Local\Temp\7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\is-9ENFS.tmp\7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9ENFS.tmp\7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp" /SL5="$901CE,10176139,286720,C:\Users\Admin\AppData\Local\Temp\7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\is-L6A2J.tmp\cmpinstall.exe
    "C:\Users\Admin\AppData\Local\Temp\is-L6A2J.tmp\cmpinstall.exe" /uid=7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3524
  - - C:\Users\Admin\AppData\Local\Temp\is-1NQKI.tmp\cmpinstall.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-1NQKI.tmp\cmpinstall.tmp" /SL5="$60116,239625,121344,C:\Users\Admin\AppData\Local\Temp\is-L6A2J.tmp\cmpinstall.exe" /uid=7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:888
    - - C:\Users\Admin\AppData\Local\Temp\is-L6A2J.tmp\cmpinstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-L6A2J.tmp\cmpinstall.exe" /VERYSILENT /uid=7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5088
      - C:\Users\Admin\AppData\Local\Temp\is-QD9SI.tmp\cmpinstall.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-QD9SI.tmp\cmpinstall.tmp" /SL5="$90118,239625,121344,C:\Users\Admin\AppData\Local\Temp\is-L6A2J.tmp\cmpinstall.exe" /VERYSILENT /uid=7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118
        6⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:2308
- - C:\Users\Admin\AppData\Local\Temp\is-L6A2J.tmp\ccsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-L6A2J.tmp\ccsetup.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Windows\system32\pcaui.exe
      "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {d5ceeb93-9830-4406-a772-e167287b96c4} -a "CCleaner" -v "Piriform Ltd" -s "This app can't run because it causes security or performance issues on Windows. A new version may be available. Check with your software provider for an updated version that runs on this version of Windows." -n 2 -f 2021048 -k 0 -e "C:\Users\Admin\AppData\Local\Temp\is-L6A2J.tmp\ccsetup.exe"
      4⤵
      PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-1NQKI.tmp\cmpinstall.tmp

Filesize
1.1MB

MD5
90fc739c83cd19766acb562c66a7d0e2

SHA1
451f385a53d5fed15e7649e7891e05f231ef549a

SHA256
821bd11693bf4b4b2b9f3c196036e1f4902abd95fb26873ea6c43e123b8c9431

SHA512
4cb11ad48b7585ef1b70fac9e3c25610b2f64a16358cd51e32adcb0b17a6ab1c934aeb10adaa8e9ddf69b2e2f1d18fe2e87b49b39f89b05ea13aa3205e41296c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9ENFS.tmp\7d4c32d6cb113aedc60e6f6225a171f1_JaffaCakes118.tmp

Filesize
1.3MB

MD5
86d64857e181ff96c9f427e1828ee811

SHA1
dfef85e6cd197d29590148d9a1d2b760a9a71377

SHA256
1addb55def9d6bc9fcc5314227332f5db7e06858b59d0edf9e1c63d5bd872c2f

SHA512
515bb44bf87aa52184ee8022d0c494f943727dbb5a56557757e7cf40584b255ffb2587bb80d7744d5b53b12b9e49d4d81cecc84e1d7b4a55bfe716488914ff87

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L6A2J.tmp\ccsetup.exe

Filesize
9.0MB

MD5
46fa3b1351774f0180914ddb3f30b48b

SHA1
347705a7cd4a4c20f0d4159fa1ff1589fa0fa9f5

SHA256
3e0b1faf12fc72445e48251731bc6f4b4687b1f154a9a66890040f8091655339

SHA512
e504bdd49947cf85e28a7343f06bcf71b59ddb4d28853dd72c41e0ba3a1cae6d40f54ebc0973e26708c0ee6780828baea51db23b786257e259ffffe8e5240552

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L6A2J.tmp\cmpinstall.exe

Filesize
621KB

MD5
4ef65d56e02cb28ff30d222357a98763

SHA1
409be6ca2bf87c95464179c70cff89bda9c10839

SHA256
f93ddbc3af2a4dca4993d7821f6cf1d85ea9316c4e7dca85f543dd37860644c7

SHA512
9c72fde7ff008373b06e2759399351f6929c96d20312f8da5633de01b2a3ad947e87e4865341ba393273227667dbc29a8f34b49dccd9276e08d085e1230c82b7

Download Submit
C:\Users\Admin\AppData\Roaming\MicrosoftUpdate\chromecommon.dll

Filesize
192KB

MD5
e1c39d194d339aa6a4b4055b74daadc8

SHA1
b223e0e148cd3e639ca513532bccdb48a566f55c

SHA256
2f468922b993086c065a4b0a0b438daa15b88005f531ae7c1c809b612c746d37

SHA512
05d483d3c1aac443e171f9093bc2d59bfc442af1b3902cc2877291aca84116320f84b607b32404b5c4babbf4a8b1a7290ab38ab182e1286e1baf5bdfbf242741

Download Submit
memory/888-22-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/888-36-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2024-77-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2024-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2024-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/2308-78-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/3524-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3524-14-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3524-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5032-6-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/5032-75-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/5088-33-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5088-80-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing