General
Target: e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118
Size: 2.6MB
Sample: 240408-hp7hbsbc9t
MD5: e6e2378b5d5ef85b039d0b261db4fa9e
SHA1: 2ab9b906aff4722d91b824b4ac887c5f9fc769c8
SHA256: f06f42f55d97811886559c435e20fa273b088c08552ed47a70b715c21e74308d
SHA512: 24fbc820af4d86186f5cd76408add26cdd54e15573e0fce1b89b8167e5f736a06b45096bc99ef601ed4b01b4f3a9446051e678caea36f1188d9136c156856ce0
SSDEEP: 12288:tKhh8Op3AVN1B2bPHzdThCblOA1RIV84xR12UcHa2dCaGT576f+j1lc1SWZIBpLQ:tKhh8Op3AVN10bPHzdTg6
Static task: static1
Behavioral task: behavioral1
Sample: e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
Resource: win7-20240221-en
Malware Config
Extracted
Family: quasar
Version: 1.4.0
Tag: Office04 (the Quasar builder's default campaign tag, so it does not identify a particular campaign)
C2: rat34.ddns.net:25565 (a No-IP dynamic-DNS hostname; the IP it resolves to can change between runs, so pivot on the hostname rather than any single address)
Mutex: 7bf81572-f7bb-4bdf-9c79-2c3a4754a152
encryption_key: C3DCCCB06A6A0C21F917BABB61CE259EB0570761
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000 (milliseconds between reconnection attempts to the C2)
startup_key: Quasar Client Startup
subdirectory: SubDir
Apart from the C2 host:port and the per-build mutex and encryption key, every value above (install_name, log_directory, reconnect_delay, startup_key, subdirectory, tag) is a Quasar builder default. The client is therefore expected to install as <directory>\SubDir\Client.exe and to persist under a Run value named "Quasar Client Startup".
Targets
Target: e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118
Size: 2.6MB
MD5: e6e2378b5d5ef85b039d0b261db4fa9e
SHA1: 2ab9b906aff4722d91b824b4ac887c5f9fc769c8
SHA256: f06f42f55d97811886559c435e20fa273b088c08552ed47a70b715c21e74308d
SHA512: 24fbc820af4d86186f5cd76408add26cdd54e15573e0fce1b89b8167e5f736a06b45096bc99ef601ed4b01b4f3a9446051e678caea36f1188d9136c156856ce0
SSDEEP: 12288:tKhh8Op3AVN1B2bPHzdThCblOA1RIV84xR12UcHa2dCaGT576f+j1lc1SWZIBpLQ:tKhh8Op3AVN10bPHzdTg6
Signatures
Quasar payload
Checks computer location settings: looks up the country code configured in the registry, most likely a geofence check before the payload runs.
Adds Run key to start application: registry Run-key persistence, consistent with the startup_key in the extracted config.
Suspicious use of SetThreadContext: thread-context manipulation of the kind used in process hollowing and thread hijacking, so the Quasar client may execute from a process other than the dropped file.
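As an added example that is not part of the sandbox report or of Quasar's own code, the following stdlib-only Python turns the extracted config and the Run-key signature above into hunt checks over Sysmon-shaped events. The events are constructed for the example; the field names (TargetObject, Details, QueryName, DestinationHostname, DestinationPort) follow Sysmon's registry, DNS and network events, and the install path prefix is an assumption because the report only gives the subdirectory and install_name.

```python
# Added example: hunt for this report's Quasar indicators in Sysmon-shaped events.
# Stdlib only. SAMPLE_EVENTS is constructed, not telemetry from the sandbox run.
import re
from dataclasses import dataclass
from typing import Optional

# Indicators taken from the extracted config above.
C2_HOST = "rat34.ddns.net"
C2_PORT = 25565
STARTUP_KEY = "Quasar Client Startup"
# Quasar installs to <directory>\<subdirectory>\<install_name>. The base directory
# is not in the report, so match only the reported suffix (case-insensitively).
INSTALL_SUFFIX = "\\subdir\\client.exe"

# Captures the value name of any HKCU/HKLM/HKU Run key entry.
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run\\([^\\]+)$", re.I
)


@dataclass(frozen=True)
class Hit:
    kind: str       # "persistence" or "c2"
    computer: str
    reason: str


def check_registry_event(ev: dict) -> Optional[Hit]:
    """Sysmon EID 13 (value set): flag Run values that either reuse the Quasar
    default startup_key name or point at the Quasar install layout."""
    m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
    if not m:
        return None
    value_name = m.group(1)
    image = ev.get("Details", "").strip().strip('"')
    reasons = []
    if value_name == STARTUP_KEY:
        reasons.append(f"Run value named {STARTUP_KEY!r}")
    if image.lower().endswith(INSTALL_SUFFIX):
        reasons.append("Run target ends in \\SubDir\\Client.exe")
    if not reasons:
        return None
    return Hit("persistence", ev.get("Computer", "?"), "; ".join(reasons))


def check_network_event(ev: dict) -> Optional[Hit]:
    """Sysmon EID 22 (DNS) or EID 3 (connection): flag the C2 hostname only.
    The port by itself is not flagged: 25565 is also the default Minecraft
    server port and would be noisy on its own."""
    name = (ev.get("QueryName") or ev.get("DestinationHostname") or "").lower().rstrip(".")
    if name != C2_HOST:
        return None
    port = ev.get("DestinationPort")
    detail = f"contact with {C2_HOST}" + (f":{port}" if port else " (DNS)")
    return Hit("c2", ev.get("Computer", "?"), detail)


def hunt(events: list) -> list:
    """Run every check over every event and collect the hits in order."""
    hits = []
    for ev in events:
        for check in (check_registry_event, check_network_event):
            hit = check(ev)
            if hit:
                hits.append(hit)
    return hits


# Constructed sample events (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    # The Run key this sample is reported to add, with Quasar default names.
    {"EventID": 13, "Computer": "WS01",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Quasar Client Startup",
     "Details": r"C:\Users\bob\AppData\Roaming\SubDir\Client.exe"},
    # Renamed startup value but the same install layout: still a hit.
    {"EventID": 13, "Computer": "WS02",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1002\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\amy\AppData\Roaming\SubDir\Client.exe"},
    # Benign Run value: must not fire.
    {"EventID": 13, "Computer": "WS03",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1003\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\cat\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    # DNS lookup of the C2, then the TCP connection to it.
    {"EventID": 22, "Computer": "WS01", "QueryName": "rat34.ddns.net"},
    {"EventID": 3, "Computer": "WS01", "DestinationHostname": "rat34.ddns.net", "DestinationPort": 25565},
    # Unrelated traffic on the same port: must not fire.
    {"EventID": 3, "Computer": "WS04", "DestinationHostname": "mc.example.net", "DestinationPort": 25565},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"{h.kind:12} {h.computer:6} {h.reason}")
```

The install-layout check is the more durable of the two persistence tests: an operator who renames the startup key but keeps the default SubDir\Client.exe layout still trips it, while the hostname check survives the dynamic-DNS host changing its IP. Extend INSTALL_SUFFIX or the Run value names if your own samples carry non-default config.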