Analysis
max time kernel: 137s
max time network: 139s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 27-05-2024 06:45
Static task
static1
Behavioral task
behavioral1
Sample
783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe
Resource
win7-20231129-en
General
Target: 783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe
Size: 610KB
MD5: 783dde94a3c4fdad4663bc9e370e9de8
SHA1: 262fa6fe51d779ae988d6b99ac8ee37d71c75064
SHA256: 19f0abf0648c4c993b02b50b4e35224b64ff45b9748dd9dc36c68cf1b42dcbdd
SHA512: a41f2f23272e55d9b275f868439758618f96c30fe47fd433431b07322f135fcbba3c43be199aba86160abe5e362e44ce9aa862bbf48cd0a33b716b278ec565b8
SSDEEP: 12288:KU+xqEiGfCnAUfyg1Dv1wH/umXwyTWlxHsgL7A26:TETCnX5Dv+bhTWlxH1L
Malware Config
Extracted
quasar
2.1.0.0
svhost
myconect.ddns.net:6606
VNM_MUTEX_rHOHbrAQKctPD4d68w
encryption_key: rDFwhCyuKMqXO7llDpB2
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Venom Client Startup
subdirectory: SubDir
Signatures
-
Contains code to disable Windows Defender 4 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe | disable_win_def
behavioral1/memory/1124-11-0x0000000000C70000-0x0000000000D1A000-memory.dmp | disable_win_def
behavioral1/memory/2480-25-0x0000000001140000-0x00000000011EA000-memory.dmp | disable_win_def
behavioral1/memory/1140-102-0x00000000003C0000-0x000000000046A000-memory.dmp | disable_win_def
-
Processes: Pnabmtbcti.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Pnabmtbcti.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | Pnabmtbcti.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | Pnabmtbcti.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | Pnabmtbcti.exe
-
Quasar payload 4 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe | family_quasar
behavioral1/memory/1124-11-0x0000000000C70000-0x0000000000D1A000-memory.dmp | family_quasar
behavioral1/memory/2480-25-0x0000000001140000-0x00000000011EA000-memory.dmp | family_quasar
behavioral1/memory/1140-102-0x00000000003C0000-0x000000000046A000-memory.dmp | family_quasar
-
Deletes itself 1 IoCs
Processes: cmd.exe
pid | process
2252 | cmd.exe
-
Executes dropped EXE 3 IoCs
Processes: Pnabmtbcti.exe, Client.exe, Pnabmtbcti.exe
pid | process
1124 | Pnabmtbcti.exe
2480 | Client.exe
1140 | Pnabmtbcti.exe
-
Loads dropped DLL 3 IoCs
Processes: 783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe, Pnabmtbcti.exe, cmd.exe
pid | process
836 | 783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe
1124 | Pnabmtbcti.exe
1440 | cmd.exe
-
Processes: Pnabmtbcti.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | Pnabmtbcti.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | Pnabmtbcti.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
2 | ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
pid | process
2024 | schtasks.exe
1084 | schtasks.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes: powershell.exe, Pnabmtbcti.exe, Pnabmtbcti.exe
pid | process
2580 | powershell.exe
1124 | Pnabmtbcti.exe
1124 | Pnabmtbcti.exe
1124 | Pnabmtbcti.exe
1124 | Pnabmtbcti.exe
1124 | Pnabmtbcti.exe
1124 | Pnabmtbcti.exe
1124 | Pnabmtbcti.exe
1140 | Pnabmtbcti.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: Pnabmtbcti.exe, powershell.exe, Client.exe, Pnabmtbcti.exe
description | pid | process
Token: SeDebugPrivilege | 1124 | Pnabmtbcti.exe
Token: SeDebugPrivilege | 2580 | powershell.exe
Token: SeDebugPrivilege | 2480 | Client.exe
Token: SeDebugPrivilege | 2480 | Client.exe
Token: SeDebugPrivilege | 1140 | Pnabmtbcti.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: DllHost.exe
pid | process
2552 | DllHost.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: Client.exe
pid | process
2480 | Client.exe
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe"
PID:836
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe "C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe"
  PID:1124
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe" /rl HIGHEST /f
    PID:2024
    - Creates scheduled task(s)
    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID:2480
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      PID:1084
      - Creates scheduled task(s)
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" Get-MpPreference -verbose
    PID:2580
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    PID:2292
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
      PID:2252
      - Deletes itself
    C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\Users\Admin\AppData\Local\Temp\ufKxY65rfzTC.bat" "
    PID:1440
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\chcp.com chcp 65001
      PID:812
      C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost
      PID:1832
      - Runs ping.exe
      C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe "C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe"
      PID:1140
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\DllHost.exe C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
PID:2552
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads