Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-07-2024 22:51

General

  • Target

    651dda9c1c2f12bec5a51df1344f5b6d_JaffaCakes118.exe

  • Size

    2.1MB

  • MD5

    651dda9c1c2f12bec5a51df1344f5b6d

  • SHA1

    d5edecc40781fb1d740bd48cf332231c882407bc

  • SHA256

    f50bbdcd2785aebcd03bca53cff3f7518e8a196dfdebbe6995989a332d76ba17

  • SHA512

    f04f717ee7f78216aac29b162834329563fc12d9edab1dc1a379ce35d55306ed2ea10395c6ea4b68c25bcbfa1806eb3506bc3179037e90a9e03f2317bbc508f3

  • SSDEEP

    49152:c9R8egZTr83JFAU/D7ct0QzPARbrsMiQoqUJH5Ax0:c9h4/85+UM0vRPsM0XY

Score
10/10

Malware Config

Signatures

  • Detect ZGRat V2 3 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
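
The three registry-based signatures above (VirtualBox ACPI tables, BIOS strings, Wine keys) are the usual sandbox-evasion probes, and the same logic can be run as detection over registry-access telemetry. The following is an added example, not part of this report or of the sandbox's own signature set: the key paths are the ones commonly probed by anti-analysis code (as catalogued by projects such as pafish and al-khaser), not keys the report confirms this sample touched, and the events fed to it are constructed Sysmon-style records, not recovered from the run.

```python
"""
Map registry-access events to the sandbox-evasion signatures named in the
report. Added example; the rule set and the sample events are constructed
for illustration and are not taken from the sandbox run.
"""
import re
from collections import defaultdict

# Signature name -> regexes over a normalised (upper-cased) registry path.
# Hypothetical rule set modelled on the report's signature names; the key
# paths are the well-known anti-VM probe targets, not ones this report lists.
SIGNATURES = {
    "Identifies VirtualBox via ACPI registry values": [
        r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__",
    ],
    "Checks BIOS information in registry": [
        r"^HKLM\\HARDWARE\\DESCRIPTION\\SYSTEM\\"
        r"(SYSTEMBIOSVERSION|VIDEOBIOSVERSION|SYSTEMBIOSDATE)$",
        r"^HKLM\\HARDWARE\\DESCRIPTION\\SYSTEM\\BIOS\\",
    ],
    "Identifies Wine through registry keys": [
        r"^HK(LM|CU)\\SOFTWARE\\WINE($|\\)",
    ],
}
COMPILED = {name: [re.compile(rx) for rx in rxs] for name, rxs in SIGNATURES.items()}

_HIVES = {
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_USERS": "HKU",
    "HKEY_CLASSES_ROOT": "HKCR",
}


def normalise_path(path: str) -> str:
    """Upper-case, strip trailing separators and shorten long hive names so
    that 'HKEY_LOCAL_MACHINE\\Hardware\\...' and 'HKLM\\HARDWARE\\...' compare equal."""
    p = path.strip().rstrip("\\").upper()
    hive, sep, rest = p.partition("\\")
    return _HIVES.get(hive, hive) + sep + rest


def classify_events(events):
    """events: iterable of (pid, operation, registry_path).
    Returns {pid: {signature_name: [matching paths, deduplicated]}} for
    processes that matched at least one signature."""
    hits = defaultdict(lambda: defaultdict(set))
    for pid, _operation, path in events:
        norm = normalise_path(path)
        for name, patterns in COMPILED.items():
            if any(p.search(norm) for p in patterns):
                hits[pid][name].add(norm)
    return {pid: {n: sorted(v) for n, v in sigs.items()} for pid, sigs in hits.items()}


def flag_anti_vm(hits, min_signatures=2):
    """A single BIOS lookup is common in benign software; requiring several
    distinct evasion signatures from one process cuts false positives."""
    return sorted(pid for pid, sigs in hits.items() if len(sigs) >= min_signatures)


# Constructed sample events in the shape of Sysmon registry events
# (Event ID 12 = key open/create, Event ID 13 = value query/set).
SAMPLE_EVENTS = [
    (2680, "RegOpenKey",    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"),
    (2680, "RegQueryValue", r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (2680, "RegQueryValue", r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (2680, "RegOpenKey",    r"HKCU\Software\Wine"),
    (2680, "RegOpenKey",    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    # An unrelated process reading a product name: must not match anything.
    (1234, "RegQueryValue", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName"),
]

if __name__ == "__main__":
    hits = classify_events(SAMPLE_EVENTS)
    for pid, sigs in hits.items():
        print(f"PID {pid}:")
        for name, paths in sigs.items():
            print(f"  {name} ({len(paths)} IoCs)")
            for p in paths:
                print(f"    {p}")
    print("likely anti-VM:", flag_anti_vm(hits))
```

The threshold in flag_anti_vm is the practical knob: a lone SystemBiosVersion read is routine for installers and hardware-inventory tools, whereas a process that also opens ACPI VBOX__ tables and a Wine key in the same run is almost certainly probing its environment.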

Processes

  • C:\Users\Admin\AppData\Local\Temp\651dda9c1c2f12bec5a51df1344f5b6d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\651dda9c1c2f12bec5a51df1344f5b6d_JaffaCakes118.exe"
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2680

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2680-0-0x0000000000B20000-0x0000000000E84000-memory.dmp

    Filesize

    3.4MB

  • memory/2680-1-0x0000000000B20000-0x0000000000E84000-memory.dmp

    Filesize

    3.4MB

  • memory/2680-2-0x0000000000B20000-0x0000000000E84000-memory.dmp

    Filesize

    3.4MB

  • memory/2680-3-0x0000000008360000-0x00000000083E6000-memory.dmp

    Filesize

    536KB

  • memory/2680-5-0x0000000000B20000-0x0000000000E84000-memory.dmp

    Filesize

    3.4MB