Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 25-05-2024 04:13

Behavioral task: behavioral1
Sample: 70d30b23348309c31e6428730d77012f_JaffaCakes118.exe
Resource: win7-20240419-en

General
Target: 70d30b23348309c31e6428730d77012f_JaffaCakes118.exe
Size: 349KB
MD5: 70d30b23348309c31e6428730d77012f
SHA1: 2d3e3669099989d1bcbbf59170eaf0e66d82aef7
SHA256: 5304204c73f6a5ff58c1a9e784139111a477b274b29f93666ba9e0d5fd4f36f5
SHA512: 9cff8845e74094fa2daf19666b6817de04d9b96ae85b5a35f2313a4cc520b87f7fb30d88801d3a740877a89a46de4542ad124779148b5ef6ba9917a261effaa1
SSDEEP: 6144:yKMJx4pweP7kJS3i37EOv2l3e6NfAwfBMyb0ezPcLf/9t:yKoS8wOvEe6lzfBEmQ9t
Malware Config
Extracted family: quasar
version: 1.3.0.0
botnet: rat2020
c2: rat25565.ddns.net:25565
mutex: QSR_MUTEX_N4xtXyWxcnI1berfYb
encryption_key: OtebFaj10j3Qk2642HWk
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: EpicGames Client
subdirectory: SubDir
Signatures

Quasar payload (3 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1860-1-0x0000000001300000-0x000000000135E000-memory.dmp   family_quasar
  \Users\Admin\AppData\Roaming\SubDir\Client.exe                               family_quasar
  behavioral1/memory/2652-10-0x0000000000C70000-0x0000000000CCE000-memory.dmp  family_quasar

Executes dropped EXE (2 IoCs)
  pid   process
  2652  Client.exe
  2772  Client.exe

Loads dropped DLL (7 IoCs)
  pid   process
  1860  70d30b23348309c31e6428730d77012f_JaffaCakes118.exe
  2132  WerFault.exe
  2132  WerFault.exe
  2132  WerFault.exe
  2132  WerFault.exe
  2132  WerFault.exe
  2484  cmd.exe

Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  2     ip-api.com

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
  pid   process       pid_target  target process
  2132  WerFault.exe  2652        Client.exe

Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  2492  schtasks.exe
  2720  schtasks.exe

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  1860  70d30b23348309c31e6428730d77012f_JaffaCakes118.exe
  Token: SeDebugPrivilege  2652  Client.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   process
  2652  Client.exe

Suspicious use of WriteProcessMemory (32 IoCs)
  Each parent/target pair below is recorded four times in the raw report (8 distinct pairs, 32 IoCs in total).
  pid   process                                             target pid  target process
  1860  70d30b23348309c31e6428730d77012f_JaffaCakes118.exe  2720        schtasks.exe
  1860  70d30b23348309c31e6428730d77012f_JaffaCakes118.exe  2652        Client.exe
  2652  Client.exe                                          2492        schtasks.exe
  2652  Client.exe                                          2484        cmd.exe
  2652  Client.exe                                          2132        WerFault.exe
  2484  cmd.exe                                             3000        chcp.com
  2484  cmd.exe                                             2972        PING.EXE
  2484  cmd.exe                                             2772        Client.exe
Processes (indentation shows the parent/child tree)

C:\Users\Admin\AppData\Local\Temp\70d30b23348309c31e6428730d77012f_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\70d30b23348309c31e6428730d77012f_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\70d30b23348309c31e6428730d77012f_JaffaCakes118.exe" /rl HIGHEST /f
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
          command line: "schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\cmd.exe
          command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7HWu6u3vO0Pv.bat" "
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\chcp.com
              command line: chcp 65001

            C:\Windows\SysWOW64\PING.EXE
              command line: ping -n 10 localhost
              - Runs ping.exe

            C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
              command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
              - Executes dropped EXE

        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 1444
          - Loads dropped DLL
          - Program crash
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Users\Admin\AppData\Local\Temp\7HWu6u3vO0Pv.bat
  Filesize: 207B
  MD5: 36bee66c6c9652c4d4418a73181fdddd
  SHA1: 8dbecc4fe48cdf0902e26e844c7b78961a3ceac5
  SHA256: 27a64579bb2c01df2a77d2fc6edb5f5f3eeee9e95034db65c39760175b230d93
  SHA512: f412910125d37b87247234fd051be9a12e8f7992e91922f15d9712f1cbb930002a6185d836a1d1dcf4072152950229710cb98ff07d1318d0a86fe2ef5bdaf2ef

\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Filesize: 349KB
  MD5: 70d30b23348309c31e6428730d77012f
  SHA1: 2d3e3669099989d1bcbbf59170eaf0e66d82aef7
  SHA256: 5304204c73f6a5ff58c1a9e784139111a477b274b29f93666ba9e0d5fd4f36f5
  SHA512: 9cff8845e74094fa2daf19666b6817de04d9b96ae85b5a35f2313a4cc520b87f7fb30d88801d3a740877a89a46de4542ad124779148b5ef6ba9917a261effaa1

memory/1860-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp
  Filesize: 4KB

memory/1860-1-0x0000000001300000-0x000000000135E000-memory.dmp
  Filesize: 376KB

memory/1860-2-0x0000000074B80000-0x000000007526E000-memory.dmp
  Filesize: 6.9MB

memory/1860-11-0x0000000074B80000-0x000000007526E000-memory.dmp
  Filesize: 6.9MB

memory/2652-10-0x0000000000C70000-0x0000000000CCE000-memory.dmp
  Filesize: 376KB

memory/2652-12-0x0000000074B80000-0x000000007526E000-memory.dmp
  Filesize: 6.9MB

memory/2652-9-0x0000000074B80000-0x000000007526E000-memory.dmp
  Filesize: 6.9MB

memory/2652-30-0x0000000074B80000-0x000000007526E000-memory.dmp
  Filesize: 6.9MB