quasar | 6fd78082c430265edca50516be2e9f41f92e85d24293fc8ed03c8d07abedfd0f

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Size

415KB
MD5

09bc620f2d6e7c816de1aed1ac50f6b2
SHA1

699ec5e8aa0723f6d359ff94c04d15014752ef77
SHA256

6fd78082c430265edca50516be2e9f41f92e85d24293fc8ed03c8d07abedfd0f
SHA512

319706712c7fcc214ed550e2b0467b39fb82e8a7542693c003cea4baa6b93aa8d519e49f425ce7ee9fd266cd52413b39b1e3fc87753b5162eecbd6e37c28d788
SSDEEP

12288:94aL1A0eRy9FSsNSwJKoHt7FdRfil/f2Ru:2aSHm8WRFnfju

Score

10^/10

quasar gang persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

GANG

pedobusters.online:8008

Mutex

QSR_MUTEX_8Ol06rF6g8zh7k7Rhz

Attributes

encryption_key
ZDTfmzLsYsHj3TpPae8U
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/2456-7-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GpLYFeaWKN = "C:\\Users\\Admin\\AppData\\Roaming\\sDTRwPLWdP\\TkHrLGGXmL.exe"	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com
19	ip-api.com
21	ip-api.com
23	ip-api.com
3	ip-api.com
10	api.ipify.org
15	ip-api.com

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 1984 set thread context of 2456	1984	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	86
PID 3588 set thread context of 4708	3588	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	97
PID 1728 set thread context of 4568	1728	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	106
PID 1800 set thread context of 1228	1800	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	114
PID 4476 set thread context of 1980	4476	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	124
PID 4888 set thread context of 1816	4888	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	130
PID 2736 set thread context of 4392	2736	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	136
PID 4540 set thread context of 5100	4540	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	143
PID 5036 set thread context of 2296	5036	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	150

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery

T1018

pid	Process
4560	PING.EXE
1840	PING.EXE
3232	PING.EXE
2564	PING.EXE
4548	PING.EXE
1928	PING.EXE
3296	PING.EXE
2084	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1984	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
1984	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
4476	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
4476	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
4476	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
4476	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
4540	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
4540	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
5036	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
5036	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Token: SeDebugPrivilege	2456	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Token: SeDebugPrivilege	4708	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Token: SeDebugPrivilege	4568	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Token: SeDebugPrivilege	1228	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Token: SeDebugPrivilege	4476	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Token: SeDebugPrivilege	1980	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Token: SeDebugPrivilege	1816	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Token: SeDebugPrivilege	4392	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Token: SeDebugPrivilege	4540	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Token: SeDebugPrivilege	5100	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Token: SeDebugPrivilege	5036	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Token: SeDebugPrivilege	2296	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1452	1984	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	85
PID 1984 wrote to memory of 1452	1984	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	85
PID 1984 wrote to memory of 1452	1984	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	85
PID 1984 wrote to memory of 2456	1984	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	86
PID 1984 wrote to memory of 2456	1984	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	86
PID 1984 wrote to memory of 2456	1984	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	86
PID 1984 wrote to memory of 2456	1984	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	86
PID 1984 wrote to memory of 2456	1984	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	86
PID 1984 wrote to memory of 2456	1984	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	86
PID 1984 wrote to memory of 2456	1984	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	86
PID 1984 wrote to memory of 2456	1984	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	86
PID 2456 wrote to memory of 1732	2456	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	91
PID 2456 wrote to memory of 1732	2456	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	91
PID 2456 wrote to memory of 1732	2456	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	91
PID 1732 wrote to memory of 2256	1732	cmd.exe	93
PID 1732 wrote to memory of 2256	1732	cmd.exe	93
PID 1732 wrote to memory of 2256	1732	cmd.exe	93
PID 1732 wrote to memory of 1928	1732	cmd.exe	94
PID 1732 wrote to memory of 1928	1732	cmd.exe	94
PID 1732 wrote to memory of 1928	1732	cmd.exe	94
PID 1732 wrote to memory of 3588	1732	cmd.exe	96
PID 1732 wrote to memory of 3588	1732	cmd.exe	96
PID 1732 wrote to memory of 3588	1732	cmd.exe	96
PID 3588 wrote to memory of 4708	3588	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	97
PID 3588 wrote to memory of 4708	3588	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	97
PID 3588 wrote to memory of 4708	3588	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	97
PID 3588 wrote to memory of 4708	3588	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	97
PID 3588 wrote to memory of 4708	3588	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	97
PID 3588 wrote to memory of 4708	3588	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	97
PID 3588 wrote to memory of 4708	3588	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	97
PID 3588 wrote to memory of 4708	3588	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	97
PID 4708 wrote to memory of 4840	4708	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	98
PID 4708 wrote to memory of 4840	4708	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	98
PID 4708 wrote to memory of 4840	4708	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	98
PID 4840 wrote to memory of 1996	4840	cmd.exe	100
PID 4840 wrote to memory of 1996	4840	cmd.exe	100
PID 4840 wrote to memory of 1996	4840	cmd.exe	100
PID 4840 wrote to memory of 3296	4840	cmd.exe	101
PID 4840 wrote to memory of 3296	4840	cmd.exe	101
PID 4840 wrote to memory of 3296	4840	cmd.exe	101
PID 4840 wrote to memory of 1728	4840	cmd.exe	105
PID 4840 wrote to memory of 1728	4840	cmd.exe	105
PID 4840 wrote to memory of 1728	4840	cmd.exe	105
PID 1728 wrote to memory of 4568	1728	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	106
PID 1728 wrote to memory of 4568	1728	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	106
PID 1728 wrote to memory of 4568	1728	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	106
PID 1728 wrote to memory of 4568	1728	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	106
PID 1728 wrote to memory of 4568	1728	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	106
PID 1728 wrote to memory of 4568	1728	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	106
PID 1728 wrote to memory of 4568	1728	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	106
PID 1728 wrote to memory of 4568	1728	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	106
PID 4568 wrote to memory of 4880	4568	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	107
PID 4568 wrote to memory of 4880	4568	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	107
PID 4568 wrote to memory of 4880	4568	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	107
PID 4880 wrote to memory of 4364	4880	cmd.exe	109
PID 4880 wrote to memory of 4364	4880	cmd.exe	109
PID 4880 wrote to memory of 4364	4880	cmd.exe	109
PID 4880 wrote to memory of 2084	4880	cmd.exe	110
PID 4880 wrote to memory of 2084	4880	cmd.exe	110
PID 4880 wrote to memory of 2084	4880	cmd.exe	110
PID 4880 wrote to memory of 1800	4880	cmd.exe	113
PID 4880 wrote to memory of 1800	4880	cmd.exe	113
PID 4880 wrote to memory of 1800	4880	cmd.exe	113
PID 1800 wrote to memory of 1228	1800	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	114

C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
  2⤵
  PID:1452
- C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T4Pta5takFN4.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:2256
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3588
    - - C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        5⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4708
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jQC13aNFXl4x.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        8⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xw05zInB7erN.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        Runs ping.exe
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        10⤵
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        11⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEk42Bjv6L7r.bat" "
        12⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        13⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        14⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        14⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        14⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lEne5DFpCXBX.bat" "
        15⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        Runs ping.exe
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        16⤵
        Suspicious use of SetThreadContext
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        17⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\52Ylj4TrTC5V.bat" "
        18⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        19⤵
        Suspicious use of SetThreadContext
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        20⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwyUM1aRaIpf.bat" "
        21⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        Runs ping.exe
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        22⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        23⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        23⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O1b5g16eSWlW.bat" "
        24⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        25⤵
        Runs ping.exe
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        25⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        26⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        26⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe.log

Filesize
507B

MD5
76ffb2f33cb32ade8fc862a67599e9d8

SHA1
920cc4ab75b36d2f9f6e979b74db568973c49130

SHA256
f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310

SHA512
f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\52Ylj4TrTC5V.bat

Filesize
243B

MD5
90b8845053450afdb72a49b1064d8481

SHA1
54a3f48aeb232d4cc40ebe2e7362d9d18e3194d3

SHA256
f0306177e735d8e2145f6c46c47f4d2ef887b5b893409c36a796f233fcf0cef2

SHA512
e073459469171d10c9b659fad382d33824c889c386f171cb0f994be795740b45fca2eca74c9c63c3579b0482d724ba97f8cb771649cbc424c17f55bb2a8460a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\O1b5g16eSWlW.bat

Filesize
243B

MD5
446bcd3d8e65cd75197a5555e286a14d

SHA1
3c2b27fb9696234ba11033a2f549dd8af734a451

SHA256
9a4e06f5c918c1dc48fba5aa7ee38651c976ecd6829f55a7fc0b4151a9abe467

SHA512
497a36b1e62d6815f16d3245bad52a2c80933b93b645cc3b6b50a11fafa0f92347c3752042530855775be3fe4d36248e4b993cdfc775ea43947985251672cb5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\T4Pta5takFN4.bat

Filesize
243B

MD5
3d1df22a483fb0d67cf0adce7d100db0

SHA1
d8eaba303efa2e47dbec00a3c677dfe9f143a435

SHA256
0e228676aa190dabb1330fd955fd9dab324cf7e0fd8bbc0c90960993e109dd7c

SHA512
2072f550ba4e5e87cb01a08cd20bc939e74cf1e009f0f9f2d5d2691c31224530ef3540335fcf88bee55bd9ed085f751060042f6776f95aedd02bf8accd754152

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xw05zInB7erN.bat

Filesize
243B

MD5
d92ee7c6e9d02ef09fd9ab0fad109ce6

SHA1
c68efa6e8394fd29e21129060019560d5cd1de68

SHA256
58b94016f2d175c2b7bc84a0b34a5a7a20d52cfdb1f1d68f23224dda87ff3c3f

SHA512
e08cc8706dabb689e2f1b7b77ef8f4d203655c29d87cce9a929265db48ddbd30448484d54e8c9e5e9bce651cb9a3e8a078e5fee2e91a04635700d065b2d57f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwyUM1aRaIpf.bat

Filesize
243B

MD5
252f685db4246a7fba0f2305e4e7a0f6

SHA1
e9cd6fc1de085e6194c6a55a56ff318e4d59da34

SHA256
9cd208d5b0141b661ae31386ac4bfe5825a3e5ea27d28e2432e78b55d9acd8eb

SHA512
5ed4f3cdb0192b42f62bed069569c6dd57e32dce99ae25cb407e3c3062bdbcfe1a11fe886533a3c68c80ad46e28916534b8b92185762671fb812137928c3e848

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEk42Bjv6L7r.bat

Filesize
243B

MD5
9082d1ad030c20043202fd2469d9f88a

SHA1
81f6a125b3abfc92d46427b680c68ed1a0182261

SHA256
739340c3b1ceae251dc01186093c2326310cfb24ccb3b73bedcfa4a2de85588c

SHA512
16ca56385898bf854a5d79221410767fde2b29249c343c41f2a34a51a682df39e830e02d184894369548ccb556b524686330539f5ba9a9c175ff5276daf61ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jQC13aNFXl4x.bat

Filesize
243B

MD5
92be11dce5bdf86cb2813ec2e984625f

SHA1
c94eed87327d24e678d1189aede9062ead9ebbf7

SHA256
dd91dba1c3f2ce6b1b3a862bb2d68bd20ea5d51fd3f8192dc484a42e51024d6e

SHA512
06a1340d7c14b3ab6d972ba0d1ffddcf2c78db415040a038154b1ae3341461d49a9e514623f9f61bd085dce995256b964ce7102f4b84ecb7e8ac36bf378326b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lEne5DFpCXBX.bat

Filesize
243B

MD5
27e3b00a4dd10980ec87157a502e7b27

SHA1
528e6da4c7d5e3bc2343d8141f903649de461d39

SHA256
0a424d9621eb1ba1107d35d57968a23773f555cb73e30c3a56b868d4af9bf93b

SHA512
bb173eca2cd012042e6548c63e3f71a6345a57754b8bb0a5b961a2243e815a8c3f73d2e98dda61bf8906d1ae1dc1e9853a7b8c755e536cfde8a01b77a637bc92

Download Submit
memory/1984-6-0x0000000004D00000-0x0000000004D0A000-memory.dmp

Filesize
40KB

Download
memory/1984-1-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/1984-11-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/1984-2-0x0000000005430000-0x00000000059D4000-memory.dmp

Filesize
5.6MB

Download
memory/1984-0-0x0000000000350000-0x00000000003BE000-memory.dmp

Filesize
440KB

Download
memory/1984-10-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/1984-4-0x0000000004F60000-0x0000000004FFC000-memory.dmp

Filesize
624KB

Download
memory/1984-3-0x0000000004D70000-0x0000000004E02000-memory.dmp

Filesize
584KB

Download
memory/2456-7-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2456-21-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/2456-17-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/2456-16-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/2456-15-0x0000000005C70000-0x0000000005C82000-memory.dmp

Filesize
72KB

Download
memory/2456-14-0x0000000005740000-0x00000000057A6000-memory.dmp

Filesize
408KB

Download
memory/2456-13-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/2456-12-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download