Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

651dda9c1c...18.exe

windows7-x64

10

651dda9c1c...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    22/07/2024, 22:51 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    651dda9c1c2f12bec5a51df1344f5b6d_JaffaCakes118.exe

  • Size

    2.1MB

  • MD5

    651dda9c1c2f12bec5a51df1344f5b6d

  • SHA1

    d5edecc40781fb1d740bd48cf332231c882407bc

  • SHA256

    f50bbdcd2785aebcd03bca53cff3f7518e8a196dfdebbe6995989a332d76ba17

  • SHA512

    f04f717ee7f78216aac29b162834329563fc12d9edab1dc1a379ce35d55306ed2ea10395c6ea4b68c25bcbfa1806eb3506bc3179037e90a9e03f2317bbc508f3

  • SSDEEP

    49152:c9R8egZTr83JFAU/D7ct0QzPARbrsMiQoqUJH5Ax0:c9h4/85+UM0vRPsM0XY

Score
10/10
zgratevasionrat

Malware Config

Signatures

  • Detect ZGRat V2 3 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\651dda9c1c2f12bec5a51df1344f5b6d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\651dda9c1c2f12bec5a51df1344f5b6d_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2680

Network

  • flag-us
    DNS
    www.google.com
    651dda9c1c2f12bec5a51df1344f5b6d_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    142.250.187.228
  • flag-gb
    GET
    http://www.google.com/
    651dda9c1c2f12bec5a51df1344f5b6d_JaffaCakes118.exe
    Remote address:
    142.250.187.228:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
    Host: www.google.com
    Cache-Control: no-store,no-cache
    Pragma: no-cache
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGM_a-7QGIjDydIl9nuogWGBE6mTzc1hL14bm04piXIleFu0VHqmktCdbXP97uJTmhi6sfzYDjp0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwIz9r7tAYQ_PeUkQISBMJuDUY
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-v0hHNFU_ZlG95mOhCKul_A' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Mon, 22 Jul 2024 23:37:51 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AVYB7cqRx0O24vvnDrZ4jk2QGUtdbewsnW5dj7OduutQqX46DUfEeY0fKw; expires=Sat, 18-Jan-2025 23:37:51 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
  • flag-gb
    GET
    http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGM_a-7QGIjDydIl9nuogWGBE6mTzc1hL14bm04piXIleFu0VHqmktCdbXP97uJTmhi6sfzYDjp0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    651dda9c1c2f12bec5a51df1344f5b6d_JaffaCakes118.exe
    Remote address:
    142.250.187.228:80
    Request
    GET /sorry/index?continue=http://www.google.com/&q=EgTCbg1GGM_a-7QGIjDydIl9nuogWGBE6mTzc1hL14bm04piXIleFu0VHqmktCdbXP97uJTmhi6sfzYDjp0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
    Accept-Encoding: gzip, deflate
    Host: www.google.com
    Cache-Control: no-store,no-cache
    Pragma: no-cache
    Response
    HTTP/1.1 429 Too Many Requests
    Date: Mon, 22 Jul 2024 23:37:51 GMT
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Content-Type: text/html
    Server: HTTP server (unknown)
    Content-Length: 3052
    X-XSS-Protection: 0
  • flag-us
    DNS
    chromacheats.com
    651dda9c1c2f12bec5a51df1344f5b6d_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    chromacheats.com
    IN A
    Response
    chromacheats.com
    IN A
    103.224.182.242
  • flag-us
    POST
    http://chromacheats.com/chromaauth/auth.php
    651dda9c1c2f12bec5a51df1344f5b6d_JaffaCakes118.exe
    Remote address:
    103.224.182.242:80
    Request
    POST /chromaauth/auth.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
    Host: chromacheats.com
    Cache-Control: no-store,no-cache
    Pragma: no-cache
    Content-Length: 256
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    date: Mon, 22 Jul 2024 23:37:57 GMT
    server: Apache
    set-cookie: __tad=1721691478.5715971; expires=Thu, 20-Jul-2034 23:37:58 GMT; Max-Age=315360000
    vary: Accept-Encoding
    content-encoding: gzip
    content-length: 582
    content-type: text/html; charset=UTF-8
    connection: close
  • 142.250.187.228:80
    http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGM_a-7QGIjDydIl9nuogWGBE6mTzc1hL14bm04piXIleFu0VHqmktCdbXP97uJTmhi6sfzYDjp0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    http
    651dda9c1c2f12bec5a51df1344f5b6d_JaffaCakes118.exe
    935 B
     4.9kB
     7
    7

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302

    HTTP Request

    GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGM_a-7QGIjDydIl9nuogWGBE6mTzc1hL14bm04piXIleFu0VHqmktCdbXP97uJTmhi6sfzYDjp0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

    HTTP Response

    429
  • 103.224.182.242:80
    http://chromacheats.com/chromaauth/auth.php
    http
    651dda9c1c2f12bec5a51df1344f5b6d_JaffaCakes118.exe
    875 B
     1.2kB
     6
    6

    HTTP Request

    POST http://chromacheats.com/chromaauth/auth.php

    HTTP Response

    200
  • 8.8.8.8:53
    www.google.com
    dns
    651dda9c1c2f12bec5a51df1344f5b6d_JaffaCakes118.exe
    60 B
     76 B
     1
    1

    DNS Request

    www.google.com

    DNS Response

    142.250.187.228

  • 8.8.8.8:53
    chromacheats.com
    dns
    651dda9c1c2f12bec5a51df1344f5b6d_JaffaCakes118.exe
    62 B
     78 B
     1
    1

    DNS Request

    chromacheats.com

    DNS Response

    103.224.182.242

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2680-0-0x0000000000B20000-0x0000000000E84000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/2680-1-0x0000000000B20000-0x0000000000E84000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/2680-2-0x0000000000B20000-0x0000000000E84000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/2680-3-0x0000000008360000-0x00000000083E6000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2680-5-0x0000000000B20000-0x0000000000E84000-memory.dmp

    Filesize

    3.4MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.