General
-
Target
3a7117d0c950b44d5464cd6841dd95cd_JaffaCakes118
-
Size
472KB
-
Sample
240512-q6kznacd46
-
MD5
3a7117d0c950b44d5464cd6841dd95cd
-
SHA1
b0dd2745f822d1e43300fa1ccb11749fdfcf1260
-
SHA256
6a1e31b04adc8e779095fb61f7e3cafc8866f644865ee64ee1d02210f7db3766
-
SHA512
a8c3ce748eee0ef88ce737d853d26d3f9e49bb7cfbbf7c67dfebfa7451279010f67c552f3f49275788db21f423ebfa845f2726892bdc2596af36682b7791ab25
-
SSDEEP
6144:wYd3flbbsDpd0DHo5AqYOy8oE0B7mEuZe35o4LILBWflzgWErnrXnzmjdoBqZg:wYd901AqoES7mEuZmi4LILBelztqmi
Static task
static1
Behavioral task
behavioral1
Sample
3a7117d0c950b44d5464cd6841dd95cd_JaffaCakes118.exe
Resource
win7-20240215-en
Malware Config
Extracted
quasar
2.1.0.0
svhost
myconect.ddns.net:6606
VNM_MUTEX_ND6PULLW5ZVLwo1nwR
-
encryption_key
yaa63tXY4j55os5llHHd
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Venom Client Startup
-
subdirectory
SubDir
Targets
-
-
Target
3a7117d0c950b44d5464cd6841dd95cd_JaffaCakes118
-
Size
472KB
-
MD5
3a7117d0c950b44d5464cd6841dd95cd
-
SHA1
b0dd2745f822d1e43300fa1ccb11749fdfcf1260
-
SHA256
6a1e31b04adc8e779095fb61f7e3cafc8866f644865ee64ee1d02210f7db3766
-
SHA512
a8c3ce748eee0ef88ce737d853d26d3f9e49bb7cfbbf7c67dfebfa7451279010f67c552f3f49275788db21f423ebfa845f2726892bdc2596af36682b7791ab25
-
SSDEEP
6144:wYd3flbbsDpd0DHo5AqYOy8oE0B7mEuZe35o4LILBWflzgWErnrXnzmjdoBqZg:wYd901AqoES7mEuZmi4LILBelztqmi
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Quasar payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-