Overview

overview

10

Static

static

3

5bdbbf93a2...18.exe

windows7-x64

7

5bdbbf93a2...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-05-2024 22:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5bdbbf93a251e673d68d66cb50bf2d72_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    5bdbbf93a251e673d68d66cb50bf2d72

  • SHA1

    e38d499d9f4d9694d6bb7027e5f103729416aac4

  • SHA256

    a66d95aff5675c60665249145aeabd82d6391212064787b1e9842fc9af1138e3

  • SHA512

    bff46116d2e675b557cf48fd0ae21a04e65e60d202e73614d11fa0d74179be2dfa899df2dd995f2a524ae41f7cb2613b7a4f245f355276f78246cc8107963254

  • SSDEEP

    24576:D2uZd7yv0Aj3GICxc0XFByaZkLM38BqfNaE0Dy8FTSn0X8nhk0npgb:Dtf7yvpj21xc0XreQ3JwTS0XxGpg

Score
10/10
quasarspywaretrojan

Malware Config

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5bdbbf93a251e673d68d66cb50bf2d72_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5bdbbf93a251e673d68d66cb50bf2d72_JaffaCakes118.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\5bdbbf93a251e673d68d66cb50bf2d72_JaffaCakes118.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:1804
    • C:\Users\Admin\AppData\Roaming\driver\driver.exe
      "C:\Users\Admin\AppData\Roaming\driver\driver.exe" -d2
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\driver\driver.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:4752

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\driver\driver.exe
    Filesize

    1.2MB

    MD5

    5bdbbf93a251e673d68d66cb50bf2d72

    SHA1

    e38d499d9f4d9694d6bb7027e5f103729416aac4

    SHA256

    a66d95aff5675c60665249145aeabd82d6391212064787b1e9842fc9af1138e3

    SHA512

    bff46116d2e675b557cf48fd0ae21a04e65e60d202e73614d11fa0d74179be2dfa899df2dd995f2a524ae41f7cb2613b7a4f245f355276f78246cc8107963254

    Download Submit
  • memory/1184-15-0x0000000074850000-0x0000000075000000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1184-2-0x0000000000E60000-0x000000000121E000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/1184-3-0x0000000074850000-0x0000000075000000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1184-4-0x0000000006190000-0x00000000061F6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1184-5-0x0000000006D70000-0x0000000007314000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1184-1-0x000000007485E000-0x000000007485F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1184-9-0x00000000069C0000-0x0000000006A52000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1184-14-0x0000000000E60000-0x000000000121E000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/1184-0-0x0000000000E60000-0x000000000121E000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/1756-26-0x0000000074850000-0x0000000075000000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1756-10-0x00000000004C0000-0x000000000087E000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/1756-18-0x0000000074850000-0x0000000075000000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1756-17-0x00000000004C0000-0x000000000087E000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/1756-19-0x0000000074850000-0x0000000075000000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1756-20-0x0000000005D10000-0x0000000005D22000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1756-21-0x0000000006390000-0x00000000063CC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1756-23-0x0000000006850000-0x000000000685A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1756-28-0x0000000074850000-0x0000000075000000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1756-27-0x00000000004C0000-0x000000000087E000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/1756-16-0x00000000004C0000-0x000000000087E000-memory.dmp
    Filesize

    3.7MB

    Download