Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/03/2024, 14:03
Static task: static1
Behavioral task: behavioral1
Sample: 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe
Resource: win7-20240221-en
General
- Target: 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe
- Size: 1.4MB
- MD5: 3d7d4ced171a608319381205863c8789
- SHA1: f4ec81158f766f5fed20b936637ae6db1bcca2c1
- SHA256: 3a0b3da99b6c5f838bd0efec535f635e2d19d16834981f727f12a4539b61766d
- SHA512: a080cb52287e547379fd2f70f47e7c151ffcf1cebccb3a3a879da137fdec74ec0afd5a9aa89569a4a1a43e4eafde39c4e1c1cb56c4387b2d97cb314e3a164416
- SSDEEP: 24576:NKRW6x7LrxYcu2/Lth0U8a1dD0ut69+cbeIBvLURuvh//xYHegwEPs4RB+9:NKw61DzTdvdDN6tbfU+U9VB
Malware Config
Extracted: quasar
1.3.0.0
BROC
sommerishere.sytes.net:61537
mommerishere.sytes.net:61537
QSR_MUTEX_htKuXGSpSizsV4VV3h
- encryption_key: upc0vIcniTlPRcfvkZHp
- install_name: Updater.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Windows Update
- subdirectory: Windows
Signatures
- Detect ZGRat V1 (1 IoC)
  resource: behavioral2/memory/2080-2-0x0000000005AD0000-0x0000000005C30000-memory.dmp; yara_rule: family_zgrat_v1
- Quasar payload (1 IoC)
  resource: behavioral2/memory/2624-10-0x0000000000400000-0x000000000045E000-memory.dmp; yara_rule: family_quasar
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation; process: 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation; process: 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe
- Deletes itself (1 IoC)
  PID 3216; process: powershell.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 32; ioc: ip-api.com
- Suspicious use of SetThreadContext (1 IoC)
  PID 2080 set thread context of 2624; process: 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe; procid_target: 99
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTP, 1 IoC)
  PID 3044; process: PING.EXE
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  PID 2080; process: 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe (3 entries)
  PID 3216; process: powershell.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege; PID 2080; process: 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe
  Token: SeDebugPrivilege; PID 3216; process: powershell.exe
  Token: SeDebugPrivilege; PID 2624; process: 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  PID 2080 wrote to memory of 3216; process: 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe; procid_target: 97 (3 entries)
  PID 2080 wrote to memory of 2624; process: 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe; procid_target: 99 (8 entries)
  PID 2624 wrote to memory of 4368; process: 3d7d4ced171a608319381205863c8789_JaffaCakes118.exe; procid_target: 100 (3 entries)
  PID 4368 wrote to memory of 2076; process: cmd.exe; procid_target: 102 (3 entries)
  PID 4368 wrote to memory of 3044; process: cmd.exe; procid_target: 103 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\3d7d4ced171a608319381205863c8789_JaffaCakes118.exe (PID 2080, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3d7d4ced171a608319381205863c8789_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3216, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\3d7d4ced171a608319381205863c8789_JaffaCakes118.exe" -Force
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\3d7d4ced171a608319381205863c8789_JaffaCakes118.exe (PID 2624, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\3d7d4ced171a608319381205863c8789_JaffaCakes118.exe
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4368, depth 3)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8w5blQKiAtog.bat" "
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\chcp.com (PID 2076, depth 4)
        Command line: chcp 65001
      - C:\Windows\SysWOW64\PING.EXE (PID 3044, depth 4)
        Command line: ping -n 10 localhost
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3d7d4ced171a608319381205863c8789_JaffaCakes118.exe.log
  Filesize: 701B
  MD5: 52b221120edd185f21764edb9b5c291e
  SHA1: 634ab8e2ca51714463bdd999f6802378239bd5e0
  SHA256: 7e57d59bcd69cfc7263f036079453914adfbc6b44dad75f1206f1c60805f4ef1
  SHA512: f83ae9368ce2fce7b6df41fb96d8e6233591497c2522859a4caab8e079ae6d47d8195ffaf5d9d71c317d187be65300d55a0749eb2570058b7b04f63a8459fbd2
- Filesize: 243B
  MD5: 6c6b3dda4f61f33417711da8c10e134a
  SHA1: 542c3ccfeb5f0e4f5de6f07447a3291b6e5d6bfa
  SHA256: 8ed25e69db4464448cbba2e0c8f6e63db204e1280029560bed5e06001084aee7
  SHA512: c73dbca8f0c993dac1ac169ab9e68c622b6de9b03a3a06c6ad46e1f518626c350764f436b929be9cd3a44c2bdc167361e5f3c84d87ccc9a060ef34df252b70cf
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82