Analysis
max time kernel: 127s
max time network: 137s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system
submitted: 04-05-2024 19:23
Behavioral task: behavioral1
Sample: 1423a4be112f647fe95730150a842627_JaffaCakes118.exe
Resource: win7-20240215-en
General
Target: 1423a4be112f647fe95730150a842627_JaffaCakes118.exe
Size: 348KB
MD5: 1423a4be112f647fe95730150a842627
SHA1: ad705962c70d6d74afc7f69051c809240c1dc7d3
SHA256: 7655e16003aa8856e7585f5d4b76d39f9e56b784442c9523d9f0b7b9c85b714b
SHA512: 0df8a840711259c5026d20c069e45a996aa92e821ac870d0ae66760617e31ce5feecbdf3b03a16f3945b13df1279c1902c9a46c498b0b235217e127e49157cb0
SSDEEP: 6144:b+NHXf500MwDjCTHYr1b8i4YunbL/zMoXDme:6d50sjGoP4YunHAoXDme
Malware Config
Extracted:
quasar
1.3.0.0
Slave
134.209.192.40:4782
QSR_MUTEX_k8JOK9yrF6X0eZEc1V
encryption_key: Mx5vn03LCy6ul2fLffQw
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload (3 IoCs)
resource | yara_rule
behavioral1/memory/2740-1-0x0000000001120000-0x000000000117E000-memory.dmp | family_quasar
\Users\Admin\AppData\Roaming\SubDir\Client.exe | family_quasar
behavioral1/memory/2648-9-0x0000000000F70000-0x0000000000FCE000-memory.dmp | family_quasar

Executes dropped EXE (1 IoC)
pid | process
2648 | Client.exe

Loads dropped DLL (1 IoC)
pid | process
2740 | 1423a4be112f647fe95730150a842627_JaffaCakes118.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
2 | ip-api.com

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 2740 | 1423a4be112f647fe95730150a842627_JaffaCakes118.exe
Token: SeDebugPrivilege | 2648 | Client.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | process | target process
PID 2740 wrote to memory of 2648 | 2740 | 1423a4be112f647fe95730150a842627_JaffaCakes118.exe | Client.exe
PID 2740 wrote to memory of 2648 | 2740 | 1423a4be112f647fe95730150a842627_JaffaCakes118.exe | Client.exe
PID 2740 wrote to memory of 2648 | 2740 | 1423a4be112f647fe95730150a842627_JaffaCakes118.exe | Client.exe
PID 2740 wrote to memory of 2648 | 2740 | 1423a4be112f647fe95730150a842627_JaffaCakes118.exe | Client.exe
Processes

C:\Users\Admin\AppData\Local\Temp\1423a4be112f647fe95730150a842627_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1423a4be112f647fe95730150a842627_JaffaCakes118.exe"
  PID: 2740
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 2648
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Downloads

\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize: 348KB
MD5: 1423a4be112f647fe95730150a842627
SHA1: ad705962c70d6d74afc7f69051c809240c1dc7d3
SHA256: 7655e16003aa8856e7585f5d4b76d39f9e56b784442c9523d9f0b7b9c85b714b
SHA512: 0df8a840711259c5026d20c069e45a996aa92e821ac870d0ae66760617e31ce5feecbdf3b03a16f3945b13df1279c1902c9a46c498b0b235217e127e49157cb0

memory/2648-9-0x0000000000F70000-0x0000000000FCE000-memory.dmp
Filesize: 376KB

memory/2648-11-0x0000000074140000-0x000000007482E000-memory.dmp
Filesize: 6.9MB

memory/2648-10-0x0000000074140000-0x000000007482E000-memory.dmp
Filesize: 6.9MB

memory/2648-13-0x0000000074140000-0x000000007482E000-memory.dmp
Filesize: 6.9MB

memory/2740-0-0x000000007414E000-0x000000007414F000-memory.dmp
Filesize: 4KB

memory/2740-1-0x0000000001120000-0x000000000117E000-memory.dmp
Filesize: 376KB

memory/2740-2-0x0000000074140000-0x000000007482E000-memory.dmp
Filesize: 6.9MB

memory/2740-12-0x0000000074140000-0x000000007482E000-memory.dmp
Filesize: 6.9MB