Analysis
- max time kernel: 142s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 20-05-2024 02:23

Behavioral task: behavioral1
- Sample: 5cb393129c64579c40c710393d5cf0b3_JaffaCakes118.exe
- Resource: win7-20240215-en
General
- Target: 5cb393129c64579c40c710393d5cf0b3_JaffaCakes118.exe
- Size: 349KB
- MD5: 5cb393129c64579c40c710393d5cf0b3
- SHA1: ed055afba02e96d01846aea13dd33fa356c457e6
- SHA256: b53ae247bae6ac6ee53bf0c2a53ab4a98f3e0f26234e7a886a7e5db1d7ff2685
- SHA512: e306a5ddc0b60dc24853d888f1bacee7c359ac043cd3d8e36eb5a8e5caa457549585cf16050084689cb2018a420a082f9f68f4c1f8ddf894eaf1b6339152a826
- SSDEEP: 6144:uK2J10qdSlEc39HGWQfSdwl/CKidLDLNbFTUIhO9Ivbi0Z:uKFD3wl6KidLDHQIQ9IDi0Z
Malware Config
Extracted:
- quasar
- 1.3.0.0
- DESKTOP
- 192.168.0.4:4782
- 127.0.0.1:4782
- 78.236.157.250:25565
- QSR_MUTEX_1ghurBw7SYWm4hcoxp
- encryption_key: q0AJ45H6UJPXERK0E6ML
- install_name: System Auto Update.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: System Auto Update
- subdirectory: SubDir
Signatures
- Quasar payload (3 IoCs)
  resource / yara_rule:
  - behavioral1/memory/1512-1-0x0000000000A60000-0x0000000000ABE000-memory.dmp: family_quasar
  - \Users\Admin\AppData\Roaming\SubDir\System Auto Update.exe: family_quasar
  - behavioral1/memory/2104-10-0x0000000000050000-0x00000000000AE000-memory.dmp: family_quasar
- Executes dropped EXE (1 IoC)
  Processes:
  - pid 2104: System Auto Update.exe
- Loads dropped DLL (1 IoC)
  Processes:
  - pid 1512: 5cb393129c64579c40c710393d5cf0b3_JaffaCakes118.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows:
  - flow 2: ip-api.com
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  - pid 2172: schtasks.exe
  - pid 2168: schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - Token: SeDebugPrivilege, pid 1512: 5cb393129c64579c40c710393d5cf0b3_JaffaCakes118.exe
  - Token: SeDebugPrivilege, pid 2104: System Auto Update.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  - pid 2104: System Auto Update.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (source PID and process, target PID and process; identical repeated events are collapsed with their count):
  - PID 1512 (5cb393129c64579c40c710393d5cf0b3_JaffaCakes118.exe) wrote to memory of 2172 (schtasks.exe): 4 events
  - PID 1512 (5cb393129c64579c40c710393d5cf0b3_JaffaCakes118.exe) wrote to memory of 2104 (System Auto Update.exe): 7 events
  - PID 2104 (System Auto Update.exe) wrote to memory of 2168 (schtasks.exe): 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\5cb393129c64579c40c710393d5cf0b3_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5cb393129c64579c40c710393d5cf0b3_JaffaCakes118.exe"
  PID: 1512
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks" /create /tn "System Auto Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\5cb393129c64579c40c710393d5cf0b3_JaffaCakes118.exe" /rl HIGHEST /f
    PID: 2172
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Roaming\SubDir\System Auto Update.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\System Auto Update.exe"
    PID: 2104
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "System Auto Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\System Auto Update.exe" /rl HIGHEST /f
      PID: 2168
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- \Users\Admin\AppData\Roaming\SubDir\System Auto Update.exe
  Filesize: 349KB
  MD5: 5cb393129c64579c40c710393d5cf0b3
  SHA1: ed055afba02e96d01846aea13dd33fa356c457e6
  SHA256: b53ae247bae6ac6ee53bf0c2a53ab4a98f3e0f26234e7a886a7e5db1d7ff2685
  SHA512: e306a5ddc0b60dc24853d888f1bacee7c359ac043cd3d8e36eb5a8e5caa457549585cf16050084689cb2018a420a082f9f68f4c1f8ddf894eaf1b6339152a826
- memory/1512-0-0x00000000749DE000-0x00000000749DF000-memory.dmp (Filesize: 4KB)
- memory/1512-1-0x0000000000A60000-0x0000000000ABE000-memory.dmp (Filesize: 376KB)
- memory/1512-2-0x00000000749D0000-0x00000000750BE000-memory.dmp (Filesize: 6.9MB)
- memory/1512-13-0x00000000749D0000-0x00000000750BE000-memory.dmp (Filesize: 6.9MB)
- memory/2104-11-0x00000000749D0000-0x00000000750BE000-memory.dmp (Filesize: 6.9MB)
- memory/2104-12-0x00000000749D0000-0x00000000750BE000-memory.dmp (Filesize: 6.9MB)
- memory/2104-10-0x0000000000050000-0x00000000000AE000-memory.dmp (Filesize: 376KB)
- memory/2104-15-0x00000000749D0000-0x00000000750BE000-memory.dmp (Filesize: 6.9MB)
- memory/2104-16-0x00000000749D0000-0x00000000750BE000-memory.dmp (Filesize: 6.9MB)