Analysis
max time kernel: 118s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 05-04-2024 09:46
Behavioral task: behavioral1
Sample: d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe
Size: 6.0MB
MD5: d04352c69e8d56db5f9eb8f0b6573365
SHA1: 21d7ec8a608f26756eb8531f3d51f7e0a63f7d8d
SHA256: 40f9ef6921839b83373e8d981655b24f2b9c6d9b5b342d2bf621c8d6ea5528f8
SHA512: b341b0e0eeb9031ed17dcc490b6bbb74fb3f6b563a09c66ce59acc002967a86719d7ac1e31b30068277be0448672a35a330271ac74b032f6216e8fc93160ce41
SSDEEP: 98304:blFqmwupyhcHp5ooEAnHRVN07KgHDpS18DqBRe7qxKfT1J+tNY3LU4rI2qo:bWJuMg53HRVu7vHDpS1IqBRU7kCs2q
Malware Config
Extracted
Family: quasar
Version: 1.4.0
Botnet (tag): Chrome
C2: live.nodenet.ml:8863
Mutex: 754ce6d6-f75b-4c6f-964c-3996e749369e
Attributes:
encryption_key: 8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
install_name: chrome.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: System
subdirectory: chrome
Note: startup_key "System" is the name of the scheduled task the client creates (it matches the /tn "System" in the schtasks command line in the process tree), and install_name chrome.exe matches the dropped binary. The copy observed in this run sits directly in \Users\Admin\AppData\Roaming\chrome.exe rather than in the "chrome" subdirectory the config names.
Signatures

Quasar payload (2 IoCs)
resource | yara_rule
\Users\Admin\AppData\Roaming\chrome.exe | family_quasar
behavioral1/memory/2688-29-0x0000000000C90000-0x0000000000D14000-memory.dmp | family_quasar
The family rule matches both the dropped chrome.exe on disk and a memory region of PID 2688, the process that runs it.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
pid | process
2688 | chrome.exe
2848 | S^X.exe

Loads dropped DLL (3 IoCs)
pid | process
1724 | d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe
1724 | d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe
1724 | d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe

Themida packer (5 IoCs)
resource | yara_rule
\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll | themida
behavioral1/memory/1724-9-0x00000000729E0000-0x0000000072FE8000-memory.dmp | themida
behavioral1/memory/1724-10-0x00000000729E0000-0x0000000072FE8000-memory.dmp | themida
behavioral1/memory/1724-12-0x00000000729E0000-0x0000000072FE8000-memory.dmp | themida
behavioral1/memory/1724-27-0x00000000729E0000-0x0000000072FE8000-memory.dmp | themida
AgileDotNetRT.dll is the runtime library of the Agile.NET (.NET) protector; the packer rule fires on that dropped DLL and on the same mapped region of PID 1724 at four points in time, not on the sample's own image.
Checks whether UAC is enabled (1 IoCs)
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid | process
1724 | d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Here the task is named "System" (the startup_key from the extracted config), fires ONLOGON, requests /rl HIGHEST and runs the dropped Quasar binary from AppData\Roaming; see the schtasks.exe entry in the process tree.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 2688 | chrome.exe
Token: SeDebugPrivilege | 2848 | S^X.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | process | target process
PID 1724 wrote to memory of 2688 | 1724 | d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe | chrome.exe (4 entries)
PID 1724 wrote to memory of 2848 | 1724 | d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe | S^X.exe (4 entries)
PID 2688 wrote to memory of 2456 | 2688 | chrome.exe | schtasks.exe (3 entries)
Every write here goes from a parent into a child it has just spawned, which is consistent with ordinary process creation; on its own this signature is not evidence of injection into an unrelated process.

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe (level 1, PID 1724)
command line: "C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\chrome.exe (level 2, PID 2688, parent 1724)
  command line: "C:\Users\Admin\AppData\Roaming\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe (level 3, PID 2456, parent 2688)
    command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\S^X.exe (level 2, PID 2848, parent 1724)
  command line: "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
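The two behaviours in this report that are worth turning into detection logic are the anti-VM registry probes by PID 1724 and the schtasks persistence command issued by PID 2688. The Python below is an added example, not code from the sandbox, from Triage or from Quasar: it tokenises a Windows command line, parses the schtasks switches, and scores registry queries and schtasks invocations against a few heuristics. The registry paths and the schtasks command line are the ones shown in the report; the (pid, kind, data) event shape, the benign control events, the list of masquerading task names and the set of value-taking switches are constructed or assumed for the example.

```python
"""Added example (not Triage's or Quasar's code): turn the report's anti-VM registry
probes and schtasks persistence into checkable detection logic."""
from __future__ import annotations

import re

# Registry locations queried by PID 1724 in the report. VBOX__ is an ACPI table that
# only exists on VirtualBox guests; the two BIOS version strings carry hypervisor
# vendor names on virtual machines.
ANTI_VM_REGISTRY = {
    r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__": "VirtualBox ACPI table present",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "BIOS version string (hypervisor vendor)",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "video BIOS version string (hypervisor vendor)",
}
_ANTI_VM_UPPER = {k.upper(): v for k, v in ANTI_VM_REGISTRY.items()}

# Assumed heuristic lists for the example, not taken from the report.
MASQUERADE_TASK_NAMES = {"system", "windows update", "update", "microsoft", "chrome"}
VALUE_SWITCHES = {"/tn", "/sc", "/tr", "/rl", "/mo", "/st", "/sd", "/ru", "/rp", "/xml", "/d"}
PERSISTENT_TRIGGERS = {"ONLOGON", "ONSTART"}
USER_WRITABLE_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_windows_cmdline(cmdline: str) -> list[str]:
    """Split on whitespace while honouring double quotes. shlex is POSIX-oriented and
    would eat the backslashes in Windows paths, so a small regex is used instead."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_schtasks(cmdline: str) -> dict[str, str] | None:
    """Return {switch: value} for a schtasks command line (flag switches map to ''),
    or None if the image is not schtasks."""
    tokens = split_windows_cmdline(cmdline)
    if not tokens or tokens[0].lower().split("\\")[-1] not in ("schtasks", "schtasks.exe"):
        return None
    opts: dict[str, str] = {}
    i = 1
    while i < len(tokens):
        key = tokens[i].lower()
        if key in VALUE_SWITCHES and i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            opts[key] = tokens[i + 1]
            i += 2
        else:
            opts[key] = ""
            i += 1
    return opts


def assess_schtasks(cmdline: str) -> list[str]:
    """Findings for a 'schtasks /create' line; empty list when nothing looks off."""
    opts = parse_schtasks(cmdline)
    if opts is None or "/create" not in opts:
        return []
    findings: list[str] = []
    trigger = opts.get("/sc", "").upper()
    if trigger in PERSISTENT_TRIGGERS:
        findings.append(f"persistence trigger {trigger}")
    if opts.get("/rl", "").upper() == "HIGHEST":
        findings.append("runs with highest available privileges (/rl HIGHEST)")
    action = opts.get("/tr", "")
    if USER_WRITABLE_DIR.match(action):
        findings.append(f"task action lives in a user-writable directory: {action}")
    if opts.get("/tn", "").lower() in MASQUERADE_TASK_NAMES:
        findings.append(f"generic task name mimicking a system component: {opts['/tn']}")
    if "/f" in opts:
        findings.append("/f silently overwrites an existing task of the same name")
    return findings


def classify_registry_query(path: str) -> str | None:
    """Label a queried registry path if it is one of the anti-VM probes above."""
    return _ANTI_VM_UPPER.get(path.upper())


# Constructed events in a (pid, kind, data) shape of our own. The first, second and
# fourth mirror lines from the report; the third and fifth are benign controls.
SAMPLE_EVENTS = [
    ("1724", "regquery", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    ("1724", "regquery", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("1724", "regquery", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName"),
    ("2688", "proc_create",
     '"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\\Users\\Admin\\AppData\\Roaming\\chrome.exe" /rl HIGHEST /f'),
    ("3001", "proc_create",
     '"schtasks" /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\\Program Files\\Backup\\backup.exe"'),
]


def triage(events) -> dict[str, list[str]]:
    """Group findings by PID; PIDs with nothing suspicious are left out."""
    report: dict[str, list[str]] = {}
    for pid, kind, data in events:
        hits: list[str] = []
        if kind == "regquery":
            label = classify_registry_query(data)
            if label:
                hits.append(f"anti-VM probe: {label}")
        elif kind == "proc_create":
            hits.extend(assess_schtasks(data))
        if hits:
            report.setdefault(pid, []).extend(hits)
    return report


if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid)
        for hit in hits:
            print("  -", hit)
```

Run as-is it reports two anti-VM probes for 1724 and five findings for the schtasks line from 2688, and nothing for the benign daily backup task. The individual checks (ONLOGON trigger, /rl HIGHEST, action under a user-writable path, a generic task name, /f) are each weak alone; the combination is what makes the report's command line stand out, so keep them as separate findings and score on the set rather than on any one of them.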
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.2MB
MD5: 2d86c4ad18524003d56c1cb27c549ba8
SHA1: 123007f9337364e044b87deacf6793c2027c8f47
SHA256: 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280
SHA512: 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

Filesize: 789KB
MD5: e2437ac017506bbde9a81fb1f618457b
SHA1: adef2615312b31e041ccf700b3982dd50b686c7f
SHA256: 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12
SHA512: 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

Filesize: 502KB
MD5: 92479f1615fd4fa1dd3ac7f2e6a1b329
SHA1: 0a6063d27c9f991be2053b113fcef25e071c57fd
SHA256: 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569
SHA512: 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c