General

Target: 783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118
Size: 610KB
Sample: 240527-hja7yacc73
MD5: 783dde94a3c4fdad4663bc9e370e9de8
SHA1: 262fa6fe51d779ae988d6b99ac8ee37d71c75064
SHA256: 19f0abf0648c4c993b02b50b4e35224b64ff45b9748dd9dc36c68cf1b42dcbdd
SHA512: a41f2f23272e55d9b275f868439758618f96c30fe47fd433431b07322f135fcbba3c43be199aba86160abe5e362e44ce9aa862bbf48cd0a33b716b278ec565b8
SSDEEP: 12288:KU+xqEiGfCnAUfyg1Dv1wH/umXwyTWlxHsgL7A26:TETCnX5Dv+bhTWlxH1L
Static task: static1
Behavioral task: behavioral1
Sample: 783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe
Resource: win7-20231129-en
Malware Config

Extracted: quasar
2.1.0.0
svhost
myconect.ddns.net:6606
VNM_MUTEX_rHOHbrAQKctPD4d68w
encryption_key: rDFwhCyuKMqXO7llDpB2
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Venom Client Startup
subdirectory: SubDir
Targets

Target: 783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118
Size: 610KB
Contains code to disable Windows Defender: a .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring and Block at First Sight, among others.
Quasar payload
Checks computer location settings: looks up the country code configured in the registry, likely for geofencing.
Deletes itself
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.