Analysis
- max time kernel: 139s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 22-05-2024 07:13
Static task: static1
Behavioral task: behavioral1
- Sample: 666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
- Size: 604KB
- MD5: 666fbcded6f5f768d1c433710bdfb97a
- SHA1: 05f5c8ae533b83759c44563e4ec9bd5f352ba52b
- SHA256: ab5ac2f957bb8b1f6a9091d6da58f1afb57a15553bad1434020f3ef26b1063af
- SHA512: b2a7b1a6637fd974decb7c31362084c2ded234cec2301dfc5275b295802f98ac77c1e64c1eedaf9acce2168795b4f5cfc7da899734f57ef38bbcf688a295424b
- SSDEEP: 12288:nX7OBZwbZsAiaFyzppofiZu5+5urMBgkS9UOIK:mZw1B8zpYiw5wOMCkSuOIK
Malware Config
Extracted
- Family: quasar
- Version: 1.3.0.0
- Tag: Office04
- C2: 192.168.0.35:6969
- Mutex: QSR_MUTEX_A682BosRnRdjNjsQHf
- encryption_key: kmHPXJ9zDF9KCDBwlFlP
- install_name: hello.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: WindowStartup
- subdirectory: SubDir
Signatures
Quasar payload (5 IoCs)
Resource / YARA rule:
- behavioral1/memory/2648-9-0x0000000000400000-0x000000000045E000-memory.dmp: family_quasar
- behavioral1/memory/2648-13-0x0000000000400000-0x000000000045E000-memory.dmp: family_quasar
- behavioral1/memory/2648-17-0x0000000000400000-0x000000000045E000-memory.dmp: family_quasar
- behavioral1/memory/2648-15-0x0000000000400000-0x000000000045E000-memory.dmp: family_quasar
- behavioral1/memory/2648-7-0x0000000000400000-0x000000000045E000-memory.dmp: family_quasar

Executes dropped EXE (3 IoCs)
Processes (pid / process):
- 2604 hello.exe
- 2984 hello.exe
- 2136 hello.exe

Loads dropped DLL (1 IoC)
Processes (pid / process):
- 2648 666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description / ioc / process):
- Set value (str): \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update Folder\\Windows Update.exe" (666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows (flow / ioc):
- 2: ip-api.com
Suspicious use of SetThreadContext (2 IoCs)
Processes (description / pid / process / target process):
- PID 2908 set thread context of 2648: 666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe -> 666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
- PID 2604 set thread context of 2136: hello.exe -> hello.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid / process):
- 2496 schtasks.exe
- 1824 schtasks.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes (pid / process):
- 2604 hello.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege, 2648 666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
- Token: SeDebugPrivilege, 2604 hello.exe
- Token: SeDebugPrivilege, 2136 hello.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid / process):
- 2136 hello.exe

Suspicious use of WriteProcessMemory (34 IoCs)
Processes (description / process -> target process, number of events):
- PID 2908 wrote to memory of 2648: 666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe -> 666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe (9 events)
- PID 2648 wrote to memory of 2496: 666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe -> schtasks.exe (4 events)
- PID 2648 wrote to memory of 2604: 666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe -> hello.exe (4 events)
- PID 2604 wrote to memory of 2984: hello.exe -> hello.exe (4 events)
- PID 2604 wrote to memory of 2136: hello.exe -> hello.exe (9 events)
- PID 2136 wrote to memory of 1824: hello.exe -> schtasks.exe (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe"
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (depth 3)
      Command line: "schtasks" /create /tn "WindowStartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Roaming\SubDir\hello.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\SubDir\hello.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\SubDir\hello.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Roaming\SubDir\hello.exe"
        - Executes dropped EXE
      - C:\Users\Admin\AppData\Roaming\SubDir\hello.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Roaming\SubDir\hello.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\schtasks.exe (depth 5)
          Command line: "schtasks" /create /tn "WindowStartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\hello.exe" /rl HIGHEST /f
          - Creates scheduled task(s)
Downloads
- \Users\Admin\AppData\Roaming\SubDir\hello.exe
  Filesize: 604KB
  MD5: 666fbcded6f5f768d1c433710bdfb97a
  SHA1: 05f5c8ae533b83759c44563e4ec9bd5f352ba52b
  SHA256: ab5ac2f957bb8b1f6a9091d6da58f1afb57a15553bad1434020f3ef26b1063af
  SHA512: b2a7b1a6637fd974decb7c31362084c2ded234cec2301dfc5275b295802f98ac77c1e64c1eedaf9acce2168795b4f5cfc7da899734f57ef38bbcf688a295424b