quasar | 995661538199d5b1f816b33bf4a5b0dc50840e054a14dc54189aa63db3b6b824

General

Target

38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
Size

600KB
MD5

38842bfc2ef9e1a4734a3ac4d4fa0b0d
SHA1

d7702f8f8b6d8baa46c066948b8278bfe868cff5
SHA256

995661538199d5b1f816b33bf4a5b0dc50840e054a14dc54189aa63db3b6b824
SHA512

067a32950f8800f2ab64d80c6910abf20e0204457abca4156a5a93624c230720b7904fe48ef26ab2ea15958abdb8a53306513c4db74ca69f02de679c5c360346
SSDEEP

12288:bBU27je2sGbV7LsAlhgLTj9BBnWobokcoyhUvqA2:bBUYje21R0b9BBnWooXhQqA

Score

10^/10

quasar venomrat windows security evasion persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

windows security

C2

vilvaraj-32652.portmap.io:32652

Mutex

VNM_MUTEX_XaCO2YtLAsadylDHBP

Attributes

encryption_key
eKgGUbCubcSIafuOAN5V
install_name
windows security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
windows security
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 5 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/1676-11-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1676-15-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1676-13-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1676-8-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1676-7-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1676-11-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1676-15-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1676-13-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1676-8-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1676-7-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
Executes dropped EXE 4 IoCs

Processes:

windows security.exewindows security.exewindows security.exewindows security.exe

pid process

2720 windows security.exe
2760 windows security.exe
2776 windows security.exe
2836 windows security.exe

Loads dropped DLL 9 IoCs

Processes:

38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exewindows security.exeWerFault.exe

pid	process
1676	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
2720	windows security.exe
2720	windows security.exe
2720	windows security.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update Folder\\Windows Update.exe"	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

flow	ioc
2	ip-api.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exewindows security.exe38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe

description	pid	process	target process
PID 2068 set thread context of 1676	2068	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
PID 2720 set thread context of 2836	2720	windows security.exe	windows security.exe
PID 348 set thread context of 580	348	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2184 2836 WerFault.exe windows security.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2728 schtasks.exe
2320 schtasks.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2192 PING.EXE
2288 PING.EXE

pid	pid_target	process	target process
2184	2836	WerFault.exe	windows security.exe

pid	process
2728	schtasks.exe
2320	schtasks.exe

pid	process
2192	PING.EXE
2288	PING.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

windows security.exepowershell.exe38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe

pid	process
2720	windows security.exe
2720	windows security.exe
2720	windows security.exe
2720	windows security.exe
2652	powershell.exe
1676	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
1676	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
1676	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
1676	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
1676	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
1676	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
1676	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
348	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
348	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
580	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exewindows security.exepowershell.exewindows security.exe38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1676	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
Token: SeDebugPrivilege	2720	windows security.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2836	windows security.exe
Token: SeDebugPrivilege	2836	windows security.exe
Token: SeDebugPrivilege	348	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
Token: SeDebugPrivilege	580	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

windows security.exe

pid process

2836 windows security.exe

pid	process
2836	windows security.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exewindows security.exewindows security.execmd.execmd.exe

description	pid	process	target process
PID 2068 wrote to memory of 1676	2068	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
PID 2068 wrote to memory of 1676	2068	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
PID 2068 wrote to memory of 1676	2068	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
PID 2068 wrote to memory of 1676	2068	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
PID 2068 wrote to memory of 1676	2068	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
PID 2068 wrote to memory of 1676	2068	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
PID 2068 wrote to memory of 1676	2068	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
PID 2068 wrote to memory of 1676	2068	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
PID 2068 wrote to memory of 1676	2068	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
PID 1676 wrote to memory of 2728	1676	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe	schtasks.exe
PID 1676 wrote to memory of 2728	1676	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe	schtasks.exe
PID 1676 wrote to memory of 2728	1676	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe	schtasks.exe
PID 1676 wrote to memory of 2728	1676	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe	schtasks.exe
PID 1676 wrote to memory of 2720	1676	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe	windows security.exe
PID 1676 wrote to memory of 2720	1676	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe	windows security.exe
PID 1676 wrote to memory of 2720	1676	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe	windows security.exe
PID 1676 wrote to memory of 2720	1676	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe	windows security.exe
PID 1676 wrote to memory of 2652	1676	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe	powershell.exe
PID 1676 wrote to memory of 2652	1676	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe	powershell.exe
PID 1676 wrote to memory of 2652	1676	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe	powershell.exe
PID 1676 wrote to memory of 2652	1676	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe	powershell.exe
PID 2720 wrote to memory of 2776	2720	windows security.exe	windows security.exe
PID 2720 wrote to memory of 2776	2720	windows security.exe	windows security.exe
PID 2720 wrote to memory of 2776	2720	windows security.exe	windows security.exe
PID 2720 wrote to memory of 2776	2720	windows security.exe	windows security.exe
PID 2720 wrote to memory of 2760	2720	windows security.exe	windows security.exe
PID 2720 wrote to memory of 2760	2720	windows security.exe	windows security.exe
PID 2720 wrote to memory of 2760	2720	windows security.exe	windows security.exe
PID 2720 wrote to memory of 2760	2720	windows security.exe	windows security.exe
PID 2720 wrote to memory of 2836	2720	windows security.exe	windows security.exe
PID 2720 wrote to memory of 2836	2720	windows security.exe	windows security.exe
PID 2720 wrote to memory of 2836	2720	windows security.exe	windows security.exe
PID 2720 wrote to memory of 2836	2720	windows security.exe	windows security.exe
PID 2720 wrote to memory of 2836	2720	windows security.exe	windows security.exe
PID 2720 wrote to memory of 2836	2720	windows security.exe	windows security.exe
PID 2720 wrote to memory of 2836	2720	windows security.exe	windows security.exe
PID 2720 wrote to memory of 2836	2720	windows security.exe	windows security.exe
PID 2720 wrote to memory of 2836	2720	windows security.exe	windows security.exe
PID 2836 wrote to memory of 2320	2836	windows security.exe	schtasks.exe
PID 2836 wrote to memory of 2320	2836	windows security.exe	schtasks.exe
PID 2836 wrote to memory of 2320	2836	windows security.exe	schtasks.exe
PID 2836 wrote to memory of 2320	2836	windows security.exe	schtasks.exe
PID 2836 wrote to memory of 1500	2836	windows security.exe	cmd.exe
PID 2836 wrote to memory of 1500	2836	windows security.exe	cmd.exe
PID 2836 wrote to memory of 1500	2836	windows security.exe	cmd.exe
PID 2836 wrote to memory of 1500	2836	windows security.exe	cmd.exe
PID 2836 wrote to memory of 2184	2836	windows security.exe	WerFault.exe
PID 2836 wrote to memory of 2184	2836	windows security.exe	WerFault.exe
PID 2836 wrote to memory of 2184	2836	windows security.exe	WerFault.exe
PID 2836 wrote to memory of 2184	2836	windows security.exe	WerFault.exe
PID 1500 wrote to memory of 1988	1500	cmd.exe	chcp.com
PID 1500 wrote to memory of 1988	1500	cmd.exe	chcp.com
PID 1500 wrote to memory of 1988	1500	cmd.exe	chcp.com
PID 1500 wrote to memory of 1988	1500	cmd.exe	chcp.com
PID 1500 wrote to memory of 2192	1500	cmd.exe	PING.EXE
PID 1500 wrote to memory of 2192	1500	cmd.exe	PING.EXE
PID 1500 wrote to memory of 2192	1500	cmd.exe	PING.EXE
PID 1500 wrote to memory of 2192	1500	cmd.exe	PING.EXE
PID 1676 wrote to memory of 1852	1676	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe	cmd.exe
PID 1676 wrote to memory of 1852	1676	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe	cmd.exe
PID 1676 wrote to memory of 1852	1676	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe	cmd.exe
PID 1676 wrote to memory of 1852	1676	38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe	cmd.exe
PID 1852 wrote to memory of 1820	1852	cmd.exe	cmd.exe
PID 1852 wrote to memory of 1820	1852	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Loads dropped DLL
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "windows security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2728
- - C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe"
      4⤵
      Executes dropped EXE
      PID:2776
  - - C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe"
      4⤵
      Executes dropped EXE
      PID:2760
  - - C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "windows security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:2320
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1Sy5G0nUrwbl.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1500
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1988
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:2192
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 1456
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2184
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
      4⤵
      PID:1820
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\e6vCdvpWvnng.bat" "
    3⤵
    PID:2464
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:2268
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:2288
  - - C:\Users\Admin\AppData\Local\Temp\38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:348
    - - C:\Users\Admin\AppData\Local\Temp\38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe"
        5⤵
        
        PID:1620
    - - C:\Users\Admin\AppData\Local\Temp\38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1Sy5G0nUrwbl.bat

Filesize
217B

MD5
78e59a324751fcb3cbdadae0f3b5e06a

SHA1
fda3ae5c0eea93d04be04f15124edacb59f938b3

SHA256
64b7c79622ae304e9dc7b208bfb1382d31f56c84991c3ba0a910a1d2f3ac859a

SHA512
3b3a0fb06af6bb186e168bc0f0b700ee826f3327b36ca19d5fd06db56654cf2cf8a4dc7bce31ad345a80bfc2f11d92d6c3def58071a162e86baa4d43e2b17bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6vCdvpWvnng.bat

Filesize
243B

MD5
751cd8c7f7d716853bcd649e1ebccaee

SHA1
a83dbca599c54ccfcad378ce1856ad928a17e56c

SHA256
1b58e66eedb02f198a08ed6e60cc75591475269950256610e1dccb47e9b4cd48

SHA512
cdd06e92485012e2c8b49eac4b6eaa4c140907ec822e207c7541b4dc2571d99c89f29f4ac77c601272c145d553e9a2978dbba9ec6ff0d2488165070f21b9ea82

Download Submit
\Users\Admin\AppData\Roaming\SubDir\windows security.exe

Filesize
600KB

MD5
38842bfc2ef9e1a4734a3ac4d4fa0b0d

SHA1
d7702f8f8b6d8baa46c066948b8278bfe868cff5

SHA256
995661538199d5b1f816b33bf4a5b0dc50840e054a14dc54189aa63db3b6b824

SHA512
067a32950f8800f2ab64d80c6910abf20e0204457abca4156a5a93624c230720b7904fe48ef26ab2ea15958abdb8a53306513c4db74ca69f02de679c5c360346

Download Submit
memory/348-73-0x00000000008F0000-0x000000000098C000-memory.dmp

Filesize
624KB

Download
memory/580-82-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1676-15-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1676-18-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/1676-16-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/1676-13-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1676-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1676-8-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1676-7-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1676-6-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1676-71-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/1676-62-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/1676-11-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1676-5-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2068-0-0x000000007459E000-0x000000007459F000-memory.dmp

Filesize
4KB

Download
memory/2068-4-0x00000000002F0000-0x00000000002FA000-memory.dmp

Filesize
40KB

Download
memory/2068-17-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/2068-2-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/2068-1-0x0000000000350000-0x00000000003EC000-memory.dmp

Filesize
624KB

Download
memory/2720-26-0x0000000000E70000-0x0000000000F0C000-memory.dmp

Filesize
624KB

Download
memory/2836-40-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

pid	process
2720	windows security.exe
2760	windows security.exe
2776	windows security.exe
2836	windows security.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads