Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted
20-05-2024 02:23
Behavioral task
behavioral1
Sample
5cb393129c64579c40c710393d5cf0b3_JaffaCakes118.exe
Resource
win7-20240215-en
General
-
Target
5cb393129c64579c40c710393d5cf0b3_JaffaCakes118.exe
-
Size
349KB
-
MD5
5cb393129c64579c40c710393d5cf0b3
-
SHA1
ed055afba02e96d01846aea13dd33fa356c457e6
-
SHA256
b53ae247bae6ac6ee53bf0c2a53ab4a98f3e0f26234e7a886a7e5db1d7ff2685
-
SHA512
e306a5ddc0b60dc24853d888f1bacee7c359ac043cd3d8e36eb5a8e5caa457549585cf16050084689cb2018a420a082f9f68f4c1f8ddf894eaf1b6339152a826
-
SSDEEP
6144:uK2J10qdSlEc39HGWQfSdwl/CKidLDLNbFTUIhO9Ivbi0Z:uKFD3wl6KidLDHQIQ9IDi0Z
Malware Config
Extracted
-
family
quasar
-
version
1.3.0.0
-
botnet (tag)
DESKTOP
-
c2
192.168.0.4:4782
127.0.0.1:4782
78.236.157.250:25565
-
mutex
QSR_MUTEX_1ghurBw7SYWm4hcoxp
-
encryption_key
q0AJ45H6UJPXERK0E6ML
-
install_name
System Auto Update.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
System Auto Update
-
subdirectory
SubDir
Signatures
-
Quasar payload 2 IoCs
Processes:
resource: behavioral2/memory/3300-1-0x00000000009B0000-0x0000000000A0E000-memory.dmp, yara_rule: family_quasar
resource: C:\Users\Admin\AppData\Roaming\SubDir\System Auto Update.exe, yara_rule: family_quasar
Executes dropped EXE 1 IoCs
Processes:
pid 4228, process System Auto Update.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 13, ioc ip-api.com
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid 2408, process schtasks.exe
pid 4596, process schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description Token: SeDebugPrivilege, pid 3300, process 5cb393129c64579c40c710393d5cf0b3_JaffaCakes118.exe
description Token: SeDebugPrivilege, pid 4228, process System Auto Update.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid 4228, process System Auto Update.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
PID 3300 wrote to memory of PID 2408 (5cb393129c64579c40c710393d5cf0b3_JaffaCakes118.exe -> schtasks.exe)
PID 3300 wrote to memory of PID 2408 (5cb393129c64579c40c710393d5cf0b3_JaffaCakes118.exe -> schtasks.exe)
PID 3300 wrote to memory of PID 2408 (5cb393129c64579c40c710393d5cf0b3_JaffaCakes118.exe -> schtasks.exe)
PID 3300 wrote to memory of PID 4228 (5cb393129c64579c40c710393d5cf0b3_JaffaCakes118.exe -> System Auto Update.exe)
PID 3300 wrote to memory of PID 4228 (5cb393129c64579c40c710393d5cf0b3_JaffaCakes118.exe -> System Auto Update.exe)
PID 3300 wrote to memory of PID 4228 (5cb393129c64579c40c710393d5cf0b3_JaffaCakes118.exe -> System Auto Update.exe)
PID 4228 wrote to memory of PID 4596 (System Auto Update.exe -> schtasks.exe)
PID 4228 wrote to memory of PID 4596 (System Auto Update.exe -> schtasks.exe)
PID 4228 wrote to memory of PID 4596 (System Auto Update.exe -> schtasks.exe)
Processes
-
C:\Users\Admin\AppData\Local\Temp\5cb393129c64579c40c710393d5cf0b3_JaffaCakes118.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\5cb393129c64579c40c710393d5cf0b3_JaffaCakes118.exe"
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\schtasks.exe (depth 2)
  Command line: "schtasks" /create /tn "System Auto Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\5cb393129c64579c40c710393d5cf0b3_JaffaCakes118.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
-
  C:\Users\Admin\AppData\Roaming\SubDir\System Auto Update.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\System Auto Update.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\schtasks.exe (depth 3)
    Command line: "schtasks" /create /tn "System Auto Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\System Auto Update.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
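Two things in this report are worth turning into reusable triage logic. First, of the three extracted C2 entries only 78.236.157.250:25565 is globally routable; 192.168.0.4 and 127.0.0.1 are private/loopback addresses (typical of a builder default or an operator testing locally) and would only add noise to a blocklist. Second, the process tree shows the staging binary in Temp registering an ONLOGON task named "System Auto Update" at the HIGHEST run level, and the dropped copy in Roaming\SubDir then re-registering the same task name with /f so it points at the install path. The script below is an added example and is not part of the sandbox report or of Quasar itself: it filters the C2 list with the standard ipaddress module and runs a small schtasks persistence detector over process-creation events constructed from the command lines above (the ppid of the root process and the benign control event are assumptions).

```python
"""Triage helpers for the Quasar report above (added example, not sandbox code)."""
import ipaddress
import re

# C2 entries copied from the Malware Config section.
QUASAR_C2 = ["192.168.0.4:4782", "127.0.0.1:4782", "78.236.157.250:25565"]

# Constructed process-creation events modelled on the process tree above.
# ppid 1234 for the root process and the "Backup Nightly" control event are assumptions.
EVENTS = [
    {"pid": 3300, "ppid": 1234,
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\5cb393129c64579c40c710393d5cf0b3_JaffaCakes118.exe"'},
    {"pid": 2408, "ppid": 3300,
     "cmdline": r'"schtasks" /create /tn "System Auto Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\5cb393129c64579c40c710393d5cf0b3_JaffaCakes118.exe" /rl HIGHEST /f'},
    {"pid": 4228, "ppid": 3300,
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\SubDir\System Auto Update.exe"'},
    {"pid": 4596, "ppid": 4228,
     "cmdline": r'"schtasks" /create /tn "System Auto Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\System Auto Update.exe" /rl HIGHEST /f'},
    # Benign control (constructed): admin task running a binary under Program Files, no logon trigger.
    {"pid": 5000, "ppid": 900,
     "cmdline": r'schtasks /create /tn "Backup Nightly" /sc DAILY /tr "C:\Program Files\Backup\backup.exe" /f'},
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# Directories an unprivileged user can write to; a task whose /tr lives here is self-installed.
_USER_WRITABLE = re.compile(
    r'\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\|\\windows\\temp\\',
    re.IGNORECASE)


def triage_c2(entries):
    """Split host:port entries into globally routable ones (worth blocking and hunting
    for in proxy/firewall logs) and private/loopback ones (lab or builder-default noise)."""
    routable, local = [], []
    for entry in entries:
        host, _, _port = entry.rpartition(":")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            routable.append(entry)  # a hostname cannot be judged offline; keep it for resolution
            continue
        (routable if addr.is_global else local).append(entry)
    return routable, local


def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted paths as single tokens."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def parse_schtasks(cmdline):
    """Return the /tn, /sc, /tr and /rl values of a 'schtasks /create' command line,
    or None if the line is not a schtasks task creation. Flags are case-insensitive."""
    toks = tokenize(cmdline)
    if not toks or toks[0].rsplit("\\", 1)[-1].lower() not in ("schtasks", "schtasks.exe"):
        return None
    create, opts = False, {}
    for i, tok in enumerate(toks[1:], start=1):
        flag = tok.lower()
        if flag == "/create":
            create = True
        elif flag in ("/tn", "/sc", "/tr", "/rl") and i + 1 < len(toks):
            opts[flag[1:]] = toks[i + 1]
    return opts if create else None


def detect_persistence(events):
    """Flag task creations that point a logon/startup trigger or HIGHEST run level at a
    binary in a user-writable directory, and note when the same task name is re-registered
    to a different target (the Temp -> Roaming\\SubDir handoff seen in the tree above)."""
    findings, seen_targets = [], {}
    for ev in events:
        opts = parse_schtasks(ev["cmdline"])
        if opts is None:
            continue
        name, target, reasons = opts.get("tn", ""), opts.get("tr", ""), []
        if _USER_WRITABLE.search(target):
            reasons.append("target in user-writable directory")
        if opts.get("sc", "").upper() in ("ONLOGON", "ONSTART"):
            reasons.append("logon/startup trigger")
        if opts.get("rl", "").upper() == "HIGHEST":
            reasons.append("runs at highest available privilege")
        prev = seen_targets.get(name)
        if prev is not None and prev.lower() != target.lower():
            reasons.append(f"task re-registered: {prev} -> {target}")
        seen_targets[name] = target
        # Require the writable-path signal plus one more; the Program Files/DAILY control never qualifies.
        if "target in user-writable directory" in reasons and len(reasons) >= 2:
            findings.append({"pid": ev["pid"], "ppid": ev["ppid"], "task": name,
                             "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(triage_c2(QUASAR_C2))
    for hit in detect_persistence(EVENTS):
        print(hit)
```

Running it on the constructed events flags PIDs 2408 and 4596 and leaves the control task alone; the second hit carries the re-registration note, which is the cheapest signal that a dropped copy has taken over a task originally bound to a staging path. The detector keys on command-line tokens only, so it works on Sysmon Event ID 1 or any EDR process-creation feed once the events are mapped to the same pid/ppid/cmdline shape.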
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Roaming\SubDir\System Auto Update.exe
Filesize 349KB
MD5 5cb393129c64579c40c710393d5cf0b3
SHA1 ed055afba02e96d01846aea13dd33fa356c457e6
SHA256 b53ae247bae6ac6ee53bf0c2a53ab4a98f3e0f26234e7a886a7e5db1d7ff2685
SHA512 e306a5ddc0b60dc24853d888f1bacee7c359ac043cd3d8e36eb5a8e5caa457549585cf16050084689cb2018a420a082f9f68f4c1f8ddf894eaf1b6339152a826
-
memory/3300-6-0x00000000060E0000-0x00000000060F2000-memory.dmp
Filesize 72KB
-
memory/3300-2-0x00000000058C0000-0x0000000005E64000-memory.dmp
Filesize 5.6MB
-
memory/3300-3-0x0000000005490000-0x0000000005522000-memory.dmp
Filesize 584KB
-
memory/3300-4-0x00000000745E0000-0x0000000074D90000-memory.dmp
Filesize 7.7MB
-
memory/3300-5-0x00000000053D0000-0x0000000005436000-memory.dmp
Filesize 408KB
-
memory/3300-0-0x00000000745EE000-0x00000000745EF000-memory.dmp
Filesize 4KB
-
memory/3300-7-0x0000000006620000-0x000000000665C000-memory.dmp
Filesize 240KB
-
memory/3300-1-0x00000000009B0000-0x0000000000A0E000-memory.dmp
Filesize 376KB
-
memory/3300-15-0x00000000745E0000-0x0000000074D90000-memory.dmp
Filesize 7.7MB
-
memory/4228-14-0x00000000745E0000-0x0000000074D90000-memory.dmp
Filesize 7.7MB
-
memory/4228-16-0x00000000745E0000-0x0000000074D90000-memory.dmp
Filesize 7.7MB
-
memory/4228-18-0x0000000006010000-0x000000000601A000-memory.dmp
Filesize 40KB
-
memory/4228-19-0x00000000745E0000-0x0000000074D90000-memory.dmp
Filesize 7.7MB