Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 20-04-2024 08:19
Behavioral task: behavioral1
Sample: fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe
Resource: win10v2004-20240412-en
General
Target: fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe
Size: 3.9MB
MD5: fc5416311f5e64294d3033abef2ae5d7
SHA1: d57361cdd2e1e5cd9c1ab64ba6fa20e977dc3efe
SHA256: defe3d66f022bc223894b56b30aa6075f1341b700d256ab795f95088bae1f7c1
SHA512: c0b41a9630ab63d802d2949fb8e0e2865da62d69bda880dbee3fd31368009f787ffac6b4d5edff5422d0ab66d0040221309447af1d87d4bff1bc0e6da70bb0ee
SSDEEP: 98304:3CFNQ00DlHJb9fhTkmYpYNuSZTKA0t9FFPEC8HOolPsliHLhg3arcO8GkfhUcZtI:3CFNQ00DlHJb9fhTkmY6bk9fchHOolPv
Malware Config
Extracted
Family: quasar
Version: 2.6.0.0
Botnet: Venom Client
C2: 127.0.0.1:4782, 192.168.1.154:4782
Mutex: u1Cabu0SD85QXhFG45
Attributes:
  encryption_key: PhBvMV17IAAI7PAlZTmm
  install_name: Venom.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Venom Client Startup
Signatures

Quasar payload (3 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/2064-0-0x0000000000E40000-0x0000000001234000-memory.dmp   family_quasar
  behavioral1/memory/2492-14-0x0000000001160000-0x0000000001554000-memory.dmp  family_quasar
  C:\Users\Admin\AppData\Roaming\Venom.exe                                     family_quasar

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  2     ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2064  fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe
  Token: SeDebugPrivilege  2492  fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Processes (the report records each of the following five rows four times, giving 20 IoCs):
  description                       pid   process                                             target process
  PID 2064 wrote to memory of 2576  2064  fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe  schtasks.exe
  PID 2064 wrote to memory of 2716  2064  fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe  cmd.exe
  PID 2716 wrote to memory of 2728  2716  cmd.exe                                             chcp.com
  PID 2716 wrote to memory of 2472  2716  cmd.exe                                             PING.EXE
  PID 2716 wrote to memory of 2492  2716  cmd.exe                                             fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe
Processes (tree; the number is the nesting depth in the report)

1. C:\Users\Admin\AppData\Local\Temp\fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Venom.exe" /rl HIGHEST /f
      - Creates scheduled task(s)

   2. C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\MYZWgCDokcQE.bat" "
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\chcp.com
         command line: chcp 65001

      3. C:\Windows\SysWOW64\PING.EXE
         command line: ping -n 10 localhost
         - Runs ping.exe

      3. C:\Users\Admin\AppData\Local\Temp\fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe"
         - Suspicious use of AdjustPrivilegeToken
Downloads

C:\Users\Admin\AppData\Local\Temp\MYZWgCDokcQE.bat
  Filesize: 243B
  MD5: f159364657d35b2da62e670d0061a932
  SHA1: d3526069590e6ceb7ce38ab7d04d2ca8f0d9fc06
  SHA256: f9688e28885bdd01e507882a27f5185c7ffa701e4f9334c2ed76a8e5c7ac24f5
  SHA512: 242b7767615d4e38f1a5d381922fc1c81881e37fab829497a5100e14a4addda48c1ae67a9ec7c7b82e65592a49cf11ed05b77346f6c19fb6e3e34aa24ab1f430

C:\Users\Admin\AppData\Roaming\Venom.exe
  Filesize: 3.9MB
  MD5: fc5416311f5e64294d3033abef2ae5d7
  SHA1: d57361cdd2e1e5cd9c1ab64ba6fa20e977dc3efe
  SHA256: defe3d66f022bc223894b56b30aa6075f1341b700d256ab795f95088bae1f7c1
  SHA512: c0b41a9630ab63d802d2949fb8e0e2865da62d69bda880dbee3fd31368009f787ffac6b4d5edff5422d0ab66d0040221309447af1d87d4bff1bc0e6da70bb0ee

Memory dumps:
  memory/2064-1-0x00000000748A0000-0x0000000074F8E000-memory.dmp   Filesize: 6.9MB
  memory/2064-0-0x0000000000E40000-0x0000000001234000-memory.dmp   Filesize: 4.0MB
  memory/2064-2-0x0000000004D50000-0x0000000004D90000-memory.dmp   Filesize: 256KB
  memory/2064-13-0x00000000748A0000-0x0000000074F8E000-memory.dmp  Filesize: 6.9MB
  memory/2492-15-0x0000000074850000-0x0000000074F3E000-memory.dmp  Filesize: 6.9MB
  memory/2492-14-0x0000000001160000-0x0000000001554000-memory.dmp  Filesize: 4.0MB
  memory/2492-16-0x0000000000D00000-0x0000000000D40000-memory.dmp  Filesize: 256KB
  memory/2492-18-0x0000000074850000-0x0000000074F3E000-memory.dmp  Filesize: 6.9MB