Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 30/03/2024, 14:03

Static task: static1
Behavioral task: behavioral1
Sample: 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe
Size: 1.4MB
MD5: 3d7d4ced171a608319381205863c8789
SHA1: f4ec81158f766f5fed20b936637ae6db1bcca2c1
SHA256: 3a0b3da99b6c5f838bd0efec535f635e2d19d16834981f727f12a4539b61766d
SHA512: a080cb52287e547379fd2f70f47e7c151ffcf1cebccb3a3a879da137fdec74ec0afd5a9aa89569a4a1a43e4eafde39c4e1c1cb56c4387b2d97cb314e3a164416
SSDEEP: 24576:NKRW6x7LrxYcu2/Lth0U8a1dD0ut69+cbeIBvLURuvh//xYHegwEPs4RB+9:NKw61DzTdvdDN6tbfU+U9VB
Malware Config

Extracted
quasar
1.3.0.0
BROC
sommerishere.sytes.net:61537
mommerishere.sytes.net:61537
QSR_MUTEX_htKuXGSpSizsV4VV3h
encryption_key: upc0vIcniTlPRcfvkZHp
install_name: Updater.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Windows Update
subdirectory: Windows
Signatures

Detect ZGRat V1 (1 IoC)
resource | yara_rule
behavioral1/memory/2008-2-0x0000000004A70000-0x0000000004BD0000-memory.dmp | family_zgrat_v1

Quasar payload (5 IoCs)
resource | yara_rule
behavioral1/memory/2504-11-0x0000000000400000-0x000000000045E000-memory.dmp | family_quasar
behavioral1/memory/2504-12-0x0000000000400000-0x000000000045E000-memory.dmp | family_quasar
behavioral1/memory/2504-15-0x0000000000400000-0x000000000045E000-memory.dmp | family_quasar
behavioral1/memory/2504-18-0x0000000000400000-0x000000000045E000-memory.dmp | family_quasar
behavioral1/memory/2504-22-0x0000000000400000-0x000000000045E000-memory.dmp | family_quasar

Deletes itself (1 IoC)
pid | Process
2572 | powershell.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
2 | ip-api.com

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2008 set thread context of 2504 | 2008 | 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe | 31

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 1 IoC)
pid | Process
404 | PING.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
2008 | 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe
2008 | 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe
2008 | 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe
2572 | powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2008 | 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe
Token: SeDebugPrivilege | 2572 | powershell.exe
Token: SeDebugPrivilege | 2504 | 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (25 IoCs)
description | pid | Process | procid_target
PID 2008 wrote to memory of 2572 | 2008 | 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe | 29
PID 2008 wrote to memory of 2572 | 2008 | 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe | 29
PID 2008 wrote to memory of 2572 | 2008 | 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe | 29
PID 2008 wrote to memory of 2572 | 2008 | 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe | 29
PID 2008 wrote to memory of 2504 | 2008 | 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe | 31
PID 2008 wrote to memory of 2504 | 2008 | 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe | 31
PID 2008 wrote to memory of 2504 | 2008 | 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe | 31
PID 2008 wrote to memory of 2504 | 2008 | 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe | 31
PID 2008 wrote to memory of 2504 | 2008 | 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe | 31
PID 2008 wrote to memory of 2504 | 2008 | 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe | 31
PID 2008 wrote to memory of 2504 | 2008 | 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe | 31
PID 2008 wrote to memory of 2504 | 2008 | 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe | 31
PID 2008 wrote to memory of 2504 | 2008 | 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe | 31
PID 2504 wrote to memory of 2044 | 2504 | 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe | 32
PID 2504 wrote to memory of 2044 | 2504 | 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe | 32
PID 2504 wrote to memory of 2044 | 2504 | 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe | 32
PID 2504 wrote to memory of 2044 | 2504 | 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe | 32
PID 2044 wrote to memory of 1988 | 2044 | cmd.exe | 34
PID 2044 wrote to memory of 1988 | 2044 | cmd.exe | 34
PID 2044 wrote to memory of 1988 | 2044 | cmd.exe | 34
PID 2044 wrote to memory of 1988 | 2044 | cmd.exe | 34
PID 2044 wrote to memory of 404 | 2044 | cmd.exe | 35
PID 2044 wrote to memory of 404 | 2044 | cmd.exe | 35
PID 2044 wrote to memory of 404 | 2044 | cmd.exe | 35
PID 2044 wrote to memory of 404 | 2044 | cmd.exe | 35
Processes

C:\Users\Admin\AppData\Local\Temp\3d7d4ced171a608319381205863c8789_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3d7d4ced171a608319381205863c8789_JaffaCakes118.exe"
  PID: 2008
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\3d7d4ced171a608319381205863c8789_JaffaCakes118.exe" -Force
      PID: 2572
      - Deletes itself
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\3d7d4ced171a608319381205863c8789_JaffaCakes118.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\3d7d4ced171a608319381205863c8789_JaffaCakes118.exe
      PID: 2504
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\qyekNG8bBvli.bat" "
          PID: 2044
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\chcp.com
              Command line: chcp 65001
              PID: 1988

            C:\Windows\SysWOW64\PING.EXE
              Command line: ping -n 10 localhost
              PID: 404
              - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 243B
MD5: d675c910331bfd1bb1f0fb9edb9cd34b
SHA1: 4fdc2356a353bac01713bf0336cc1fb561c715e3
SHA256: f7a818e7ac274d8e644d9cf8209d3e9acd0de74577ba2452bd3686ae82cd7191
SHA512: 03fe917347d6b08e70da6210fac4709869258b1e90f3be964e9b538cc9b802a313f8a7a26ef0038e01afe014b3975b2d64963981656b4f67137f206fb56d1113