Analysis

max time kernel: 39s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-05-2024 05:35
Static task: static1

Behavioral task: behavioral1
  Sample: 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
  Resource: win7-20240419-en

Behavioral task: behavioral2
  Sample: 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General

Target: 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
Size: 600KB
MD5: 38842bfc2ef9e1a4734a3ac4d4fa0b0d
SHA1: d7702f8f8b6d8baa46c066948b8278bfe868cff5
SHA256: 995661538199d5b1f816b33bf4a5b0dc50840e054a14dc54189aa63db3b6b824
SHA512: 067a32950f8800f2ab64d80c6910abf20e0204457abca4156a5a93624c230720b7904fe48ef26ab2ea15958abdb8a53306513c4db74ca69f02de679c5c360346
SSDEEP: 12288:bBU27je2sGbV7LsAlhgLTj9BBnWobokcoyhUvqA2:bBUYje21R0b9BBnWooXhQqA
Malware Config

Extracted
Family: quasar
Version: 2.1.0.0
Botnet: windows security
C2: vilvaraj-32652.portmap.io:32652
Mutex: VNM_MUTEX_XaCO2YtLAsadylDHBP
encryption_key: eKgGUbCubcSIafuOAN5V
install_name: windows security.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: windows security
subdirectory: SubDir
Signatures

Contains code to disable Windows Defender (1 IoC)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource | yara_rule
behavioral2/memory/1768-8-0x0000000000400000-0x000000000048C000-memory.dmp | disable_win_def
Modifies Windows Defender Real-time Protection settings (4 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
Quasar payload (1 IoC)
resource | yara_rule
behavioral2/memory/1768-8-0x0000000000400000-0x000000000048C000-memory.dmp | family_quasar

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | windows security.exe

Executes dropped EXE (5 IoCs)
pid | process
4764 | windows security.exe
2172 | windows security.exe
1576 | windows security.exe
3076 | windows security.exe
3720 | windows security.exe
Windows security modification (2 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update Folder\\Windows Update.exe" | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
33 | ip-api.com

Suspicious use of SetThreadContext (2 IoCs)
description | pid | process | target process
PID 3264 set thread context of 1768 | 3264 | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
PID 4764 set thread context of 3720 | 4764 | windows security.exe | windows security.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid | pid_target | process | target process
64 | 3720 | WerFault.exe | windows security.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
4832 | schtasks.exe
3848 | schtasks.exe

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (9 IoCs)
pid | process
4764 | windows security.exe
4764 | windows security.exe
4764 | windows security.exe
4764 | windows security.exe
4764 | windows security.exe
4764 | windows security.exe
3280 | powershell.exe
3280 | powershell.exe
3280 | powershell.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1768 | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
Token: SeDebugPrivilege | 4764 | windows security.exe
Token: SeDebugPrivilege | 3280 | powershell.exe
Token: SeDebugPrivilege | 3720 | windows security.exe
Token: SeDebugPrivilege | 3720 | windows security.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | process
3720 | windows security.exe

Suspicious use of WriteProcessMemory (46 IoCs)
description | pid | process | target process
PID 3264 wrote to memory of 1768 | 3264 | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
PID 3264 wrote to memory of 1768 | 3264 | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
PID 3264 wrote to memory of 1768 | 3264 | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
PID 3264 wrote to memory of 1768 | 3264 | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
PID 3264 wrote to memory of 1768 | 3264 | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
PID 3264 wrote to memory of 1768 | 3264 | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
PID 3264 wrote to memory of 1768 | 3264 | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
PID 3264 wrote to memory of 1768 | 3264 | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
PID 1768 wrote to memory of 4832 | 1768 | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe | schtasks.exe
PID 1768 wrote to memory of 4832 | 1768 | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe | schtasks.exe
PID 1768 wrote to memory of 4832 | 1768 | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe | schtasks.exe
PID 1768 wrote to memory of 4764 | 1768 | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe | windows security.exe
PID 1768 wrote to memory of 4764 | 1768 | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe | windows security.exe
PID 1768 wrote to memory of 4764 | 1768 | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe | windows security.exe
PID 4764 wrote to memory of 2172 | 4764 | windows security.exe | windows security.exe
PID 4764 wrote to memory of 2172 | 4764 | windows security.exe | windows security.exe
PID 4764 wrote to memory of 2172 | 4764 | windows security.exe | windows security.exe
PID 4764 wrote to memory of 1576 | 4764 | windows security.exe | windows security.exe
PID 4764 wrote to memory of 1576 | 4764 | windows security.exe | windows security.exe
PID 4764 wrote to memory of 1576 | 4764 | windows security.exe | windows security.exe
PID 4764 wrote to memory of 3076 | 4764 | windows security.exe | windows security.exe
PID 4764 wrote to memory of 3076 | 4764 | windows security.exe | windows security.exe
PID 4764 wrote to memory of 3076 | 4764 | windows security.exe | windows security.exe
PID 4764 wrote to memory of 3720 | 4764 | windows security.exe | windows security.exe
PID 4764 wrote to memory of 3720 | 4764 | windows security.exe | windows security.exe
PID 4764 wrote to memory of 3720 | 4764 | windows security.exe | windows security.exe
PID 4764 wrote to memory of 3720 | 4764 | windows security.exe | windows security.exe
PID 4764 wrote to memory of 3720 | 4764 | windows security.exe | windows security.exe
PID 4764 wrote to memory of 3720 | 4764 | windows security.exe | windows security.exe
PID 4764 wrote to memory of 3720 | 4764 | windows security.exe | windows security.exe
PID 4764 wrote to memory of 3720 | 4764 | windows security.exe | windows security.exe
PID 1768 wrote to memory of 3280 | 1768 | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe | powershell.exe
PID 1768 wrote to memory of 3280 | 1768 | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe | powershell.exe
PID 1768 wrote to memory of 3280 | 1768 | 38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe | powershell.exe
PID 3720 wrote to memory of 3848 | 3720 | windows security.exe | schtasks.exe
PID 3720 wrote to memory of 3848 | 3720 | windows security.exe | schtasks.exe
PID 3720 wrote to memory of 3848 | 3720 | windows security.exe | schtasks.exe
PID 3720 wrote to memory of 3016 | 3720 | windows security.exe | cmd.exe
PID 3720 wrote to memory of 3016 | 3720 | windows security.exe | cmd.exe
PID 3720 wrote to memory of 3016 | 3720 | windows security.exe | cmd.exe
PID 3016 wrote to memory of 2744 | 3016 | cmd.exe | chcp.com
PID 3016 wrote to memory of 2744 | 3016 | cmd.exe | chcp.com
PID 3016 wrote to memory of 2744 | 3016 | cmd.exe | chcp.com
PID 3016 wrote to memory of 1876 | 3016 | cmd.exe | PING.EXE
PID 3016 wrote to memory of 1876 | 3016 | cmd.exe | PING.EXE
PID 3016 wrote to memory of 1876 | 3016 | cmd.exe | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe (PID 3264)
  command line: "C:\Users\Admin\AppData\Local\Temp\38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe (PID 1768)
    command line: "C:\Users\Admin\AppData\Local\Temp\38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe"
    - Modifies Windows Defender Real-time Protection settings
    - Windows security modification
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (PID 4832)
      command line: "schtasks" /create /tn "windows security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe" /rl HIGHEST /f
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe (PID 4764)
      command line: "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe (PID 2172)
        command line: "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe"
        - Executes dropped EXE

      C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe (PID 1576)
        command line: "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe"
        - Executes dropped EXE

      C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe (PID 3076)
        command line: "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe"
        - Executes dropped EXE

      C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe (PID 3720)
        command line: "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe (PID 3848)
          command line: "schtasks" /create /tn "windows security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe" /rl HIGHEST /f
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\cmd.exe (PID 3016)
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmgAHbB05VB3.bat" "
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\chcp.com (PID 2744)
            command line: chcp 65001

          C:\Windows\SysWOW64\PING.EXE (PID 1876)
            command line: ping -n 10 localhost
            - Runs ping.exe

        C:\Windows\SysWOW64\WerFault.exe (PID 64)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 1980
          - Program crash

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3280)
      command line: "powershell" Get-MpPreference -verbose
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (PID 1464)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3720 -ip 3720
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)