Analysis
-
max time kernel
142s
-
max time network
140s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240508-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
27-05-2024 06:45
Static task
static1
Behavioral task
behavioral1
Sample
783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe
Resource
win7-20231129-en
General
-
Target
783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe
-
Size
610KB
-
MD5
783dde94a3c4fdad4663bc9e370e9de8
-
SHA1
262fa6fe51d779ae988d6b99ac8ee37d71c75064
-
SHA256
19f0abf0648c4c993b02b50b4e35224b64ff45b9748dd9dc36c68cf1b42dcbdd
-
SHA512
a41f2f23272e55d9b275f868439758618f96c30fe47fd433431b07322f135fcbba3c43be199aba86160abe5e362e44ce9aa862bbf48cd0a33b716b278ec565b8
-
SSDEEP
12288:KU+xqEiGfCnAUfyg1Dv1wH/umXwyTWlxHsgL7A26:TETCnX5Dv+bhTWlxH1L
Malware Config
Extracted
Family
quasar
-
Version
2.1.0.0
-
Botnet
svhost
-
C2
myconect.ddns.net:6606
-
Mutex
VNM_MUTEX_rHOHbrAQKctPD4d68w
-
encryption_key
rDFwhCyuKMqXO7llDpB2
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Venom Client Startup
-
subdirectory
SubDir
Signatures
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe | disable_win_def
behavioral2/memory/2892-19-0x00000000004C0000-0x000000000056A000-memory.dmp | disable_win_def
Modifies Windows Defender Real-time Protection settings 4 IoCs
Processes: Pnabmtbcti.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | Pnabmtbcti.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | Pnabmtbcti.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | Pnabmtbcti.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | Pnabmtbcti.exe
Quasar payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe | family_quasar
behavioral2/memory/2892-19-0x00000000004C0000-0x000000000056A000-memory.dmp | family_quasar
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: Pnabmtbcti.exe, 783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | Pnabmtbcti.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe
Executes dropped EXE 3 IoCs
Processes: Pnabmtbcti.exe, Client.exe, Pnabmtbcti.exe
pid | process
2892 | Pnabmtbcti.exe
4504 | Client.exe
4652 | Pnabmtbcti.exe
Windows security modification 2 IoCs
Processes: Pnabmtbcti.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | Pnabmtbcti.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | Pnabmtbcti.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
14 | ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
pid | process
4828 | schtasks.exe
2948 | schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes: powershell.exe, Pnabmtbcti.exe, Pnabmtbcti.exe
pid | process
3004 | powershell.exe (2 entries)
2892 | Pnabmtbcti.exe (8 entries)
4652 | Pnabmtbcti.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: Pnabmtbcti.exe, powershell.exe, Client.exe, Pnabmtbcti.exe
description | pid | process
Token: SeDebugPrivilege | 2892 | Pnabmtbcti.exe
Token: SeDebugPrivilege | 3004 | powershell.exe
Token: SeDebugPrivilege | 4504 | Client.exe
Token: SeDebugPrivilege | 4504 | Client.exe
Token: SeDebugPrivilege | 4652 | Pnabmtbcti.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: Client.exe
pid | process
4504 | Client.exe
Suspicious use of WriteProcessMemory 33 IoCs
Processes: 783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe, Pnabmtbcti.exe, Client.exe, cmd.exe, cmd.exe
description | pid | process | target process
(each write is listed three times in the raw report; the 11 distinct writes are shown once here)
PID 2776 wrote to memory of 2892 | 2776 | 783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe | Pnabmtbcti.exe
PID 2892 wrote to memory of 4828 | 2892 | Pnabmtbcti.exe | schtasks.exe
PID 2892 wrote to memory of 4504 | 2892 | Pnabmtbcti.exe | Client.exe
PID 2892 wrote to memory of 3004 | 2892 | Pnabmtbcti.exe | powershell.exe
PID 4504 wrote to memory of 2948 | 4504 | Client.exe | schtasks.exe
PID 2892 wrote to memory of 4908 | 2892 | Pnabmtbcti.exe | cmd.exe
PID 4908 wrote to memory of 4736 | 4908 | cmd.exe | cmd.exe
PID 2892 wrote to memory of 1388 | 2892 | Pnabmtbcti.exe | cmd.exe
PID 1388 wrote to memory of 1668 | 1388 | cmd.exe | chcp.com
PID 1388 wrote to memory of 1748 | 1388 | cmd.exe | PING.EXE
PID 1388 wrote to memory of 4652 | 1388 | cmd.exe | Pnabmtbcti.exe
Processes
-
1⤵ C:\Users\Admin\AppData\Local\Temp\783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 2776
   2⤵ C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe"
      - Modifies Windows Defender Real-time Protection settings
      - Checks computer location settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2892
      3⤵ C:\Windows\SysWOW64\schtasks.exe
         Command line: "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe" /rl HIGHEST /f
         - Creates scheduled task(s)
         PID: 4828
      3⤵ C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
         Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         PID: 4504
         4⤵ C:\Windows\SysWOW64\schtasks.exe
            Command line: "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
            - Creates scheduled task(s)
            PID: 2948
      3⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         Command line: "powershell" Get-MpPreference -verbose
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 3004
      3⤵ C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
         - Suspicious use of WriteProcessMemory
         PID: 4908
         4⤵ C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
            PID: 4736
      3⤵ C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NNgARlylElH1.bat" "
         - Suspicious use of WriteProcessMemory
         PID: 1388
         4⤵ C:\Windows\SysWOW64\chcp.com
            Command line: chcp 65001
            PID: 1668
         4⤵ C:\Windows\SysWOW64\PING.EXE
            Command line: ping -n 10 localhost
            - Runs ping.exe
            PID: 1748
         4⤵ C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4652
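Added example (Python, written for this page; it is not part of the sandbox report and not code from the Quasar or Venom projects): detection logic for the three behaviours the report records, the schtasks ONLOGON persistence (PIDs 4828 and 2948), the Defender Real-Time Protection policy writes and the TamperProtection write by Pnabmtbcti.exe, and the batch stub under PID 1388 that pings localhost and relaunches Pnabmtbcti.exe. It replays Sysmon-style events (process creation and registry SetValue) constructed from the command lines and registry paths listed above, so it runs offline. The Event and Finding structures, the rule names, the dropper's parent PID (1000) and the benign DAILY backup task are assumptions, not data from the report.

```python
import re
from collections import defaultdict, namedtuple
from dataclasses import dataclass

@dataclass
class Event:
    kind: str           # "process" (Sysmon event 1) or "registry" (Sysmon event 13)
    pid: int
    ppid: int = 0
    image: str = ""
    cmdline: str = ""
    target: str = ""    # registry value path (registry events only)
    details: str = ""   # registry data as Sysmon renders it, e.g. "DWORD (0x00000001)"

Finding = namedtuple("Finding", "rule pid detail")

# Paths and values copied from the report's process tree and signature tables.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TEMP + r"\783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe"
STAGE2 = TEMP + r"\Pnabmtbcti.exe"
CLIENT = r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"
TASK = '"schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "{}" /rl HIGHEST /f'

# Constructed benign task (an assumption, not from the report) to show the rule ignores it.
BENIGN_TASK = Event("process", 999, 998, r"C:\Windows\System32\schtasks.exe",
                    r'schtasks /create /tn "Nightly Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe" /f')

# Constructed events reproducing the report's tree and registry writes (the dropper's parent PID 1000 is assumed).
EVENTS = [
    Event("process", 2776, 1000, DROPPER, f'"{DROPPER}"'),
    Event("process", 2892, 2776, STAGE2, f'"{STAGE2}"'),
    Event("registry", 2892, image=STAGE2, target=RTP + r"\DisableBehaviorMonitoring", details="DWORD (0x00000001)"),
    Event("registry", 2892, image=STAGE2, target=RTP + r"\DisableOnAccessProtection", details="DWORD (0x00000001)"),
    Event("registry", 2892, image=STAGE2, target=RTP + r"\DisableScanOnRealtimeEnable", details="DWORD (0x00000001)"),
    Event("registry", 2892, image=STAGE2, target=FEATURES + r"\TamperProtection", details="DWORD (0x00000000)"),
    Event("process", 4828, 2892, SCHTASKS, TASK.format(STAGE2)),
    Event("process", 4504, 2892, CLIENT, f'"{CLIENT}"'),
    Event("process", 2948, 4504, SCHTASKS, TASK.format(CLIENT)),
    Event("process", 1388, 2892, r"C:\Windows\SysWOW64\cmd.exe", f'C:\\Windows\\system32\\cmd.exe /c ""{TEMP}\\NNgARlylElH1.bat" "'),
    Event("process", 1668, 1388, r"C:\Windows\SysWOW64\chcp.com", "chcp 65001"),
    Event("process", 1748, 1388, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 10 localhost"),
    Event("process", 4652, 1388, STAGE2, f'"{STAGE2}"'),
    BENIGN_TASK,
]

USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.I)
# Suffix match, so both the \REGISTRY\MACHINE form used here and Sysmon's HKLM\ form are caught.
RTP_POLICY = re.compile(r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\(Disable\w+)$", re.I)
SCHTASKS_OPT = re.compile(r'/(tn|sc|tr|rl)\s+(?:"([^"]*)"|(\S+))', re.I)

def dword(details):
    """Sysmon renders REG_DWORD data as 'DWORD (0x00000001)'; return the integer, or None."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    return int(m.group(1), 16) if m else None

def parse_schtasks(cmdline):
    """Map the /tn /sc /tr /rl switches of a schtasks command line to their unquoted values."""
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in SCHTASKS_OPT.finditer(cmdline)}

def rule_schtasks_persistence(ev):
    """schtasks /create of a logon/boot task that runs a user-writable binary with /rl HIGHEST."""
    if ev.kind != "process" or not ev.image.lower().endswith("schtasks.exe") \
            or not re.search(r"/create\b", ev.cmdline, re.I):
        return None
    o = parse_schtasks(ev.cmdline)
    trigger = o.get("sc", "").upper()
    if trigger in ("ONLOGON", "ONSTART") and o.get("rl", "").upper() == "HIGHEST" and USER_WRITABLE.search(o.get("tr", "")):
        return Finding("schtasks_logon_persistence", ev.pid, f'task "{o.get("tn")}" runs {o["tr"]} at {trigger}, run level HIGHEST')
    return None

def rule_defender_tamper(ev):
    """Policy writes that switch off real-time protection components, or TamperProtection forced to 0."""
    if ev.kind != "registry":
        return None
    value, m = dword(ev.details), RTP_POLICY.search(ev.target)
    if m and value == 1:
        return Finding("defender_realtime_disabled", ev.pid, f"{m.group(1)} = 1 written by {ev.image}")
    if ev.target.lower().endswith(r"\windows defender\features\tamperprotection") and value == 0:
        return Finding("defender_tamper_protection_off", ev.pid, f"TamperProtection = 0 written by {ev.image}")
    return None

def rule_bat_sleep_then_relaunch(events):
    """cmd.exe running a .bat whose children are 'ping -n N localhost' (a sleep) and an EXE from a user-writable path."""
    children = defaultdict(list)
    for ev in events:
        children[ev.ppid].append(ev)
    out = []
    for ev in (e for e in events if e.kind == "process" and e.image.lower().endswith("cmd.exe")):
        kids = children[ev.pid]
        slept = any(k.image.lower().endswith("ping.exe") and re.search(r"-n\s+\d+\s+(localhost|127\.0\.0\.1)\b", k.cmdline, re.I) for k in kids)
        relaunched = [k for k in kids if k.kind == "process" and USER_WRITABLE.search(k.image)]
        if re.search(r"\.bat\b", ev.cmdline, re.I) and slept and relaunched:
            out.append(Finding("bat_sleep_then_relaunch", ev.pid, f"ping delay, then launch of {relaunched[0].image}"))
    return out

def detect(events):
    """Per-event rules first, then the rule that needs the whole process tree."""
    findings = [hit for ev in events for rule in (rule_schtasks_persistence, rule_defender_tamper) if (hit := rule(ev))]
    return findings + rule_bat_sleep_then_relaunch(events)
```

Running detect(EVENTS) yields seven findings: three Real-Time Protection policy values set to 1, TamperProtection set to 0, the two ONLOGON/HIGHEST tasks pointing into AppData, and the batch stub under PID 1388. The constructed DAILY task into Program Files is ignored. Note that the schtasks rule keys on the trigger, the run level and the target path rather than the task name, since "Venom Client Startup" is a per-build string (it is the startup_key in the extracted config above) and would not survive a rebuild.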
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5
10eab9c2684febb5327b6976f2047587
SHA1
a12ed54146a7f5c4c580416aecb899549712449e
SHA256
f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
SHA512
7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50
-
Filesize
72KB
MD5
277f0e029298e0dffee3f8820726c6e3
SHA1
df2cdaa12ccc9e0eb0de1871c9fa12cec9f575a2
SHA256
f7ede3780d2e6789dfd5aaf99d8613040e6150f44ab547116817dc2f7ad442a8
SHA512
b2fc83d2e4d682007109be8b33aff144af3ad8f6466b911c6f48516fde5530234ed964d12a82e1e10a4a79130ee59fdc2076106d4f7460e036cdd0454da90272
-
Filesize
207B
MD5
b3d18533605e931d66418ff37f04cf58
SHA1
aa39056ba8b2d6d62c8648dd72812432b290e5ea
SHA256
9aee914bc1d1bb723107e4634e9c3008fa69162534f8087605ed9e96ec68b0a1
SHA512
728b4ac8209e713ff82f885ffc9d7177b6ef1bd9b5a4dd76ff5b891568bfbbe08e2b8247991767a964700a81047f9a2dada6d0909e308519b4cbcb820129a537
-
Filesize
655KB
MD5
43e5556cab3ba9cd353b0c6cf1548d75
SHA1
64cf51c0d612cb6276e59639071406c1d2e86702
SHA256
286ea33997e28cad2651bc27c091e45c3502c4c7f69e4f28965bf846cf9528b8
SHA512
edde4a5af40e65afbe4e212e356879277f9641e4b8d46950fed33397754fe87ff81a337623e6c5202776e1636cefcd58f0ed94a212e8dd25ba427a017fcb2bdf
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82