quasar | ce140c5a412462747256fb0c54a6d4ffd98a891fba26164a62fd2349c3f44982

General

Target

813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
Size

618KB
MD5

813f353b1285bcaea41f868746ab9fdd
SHA1

301209445bdfd758b1f647bdbcf1609ee07296e7
SHA256

ce140c5a412462747256fb0c54a6d4ffd98a891fba26164a62fd2349c3f44982
SHA512

1ef96e09c43a7c71395112c2a867e60259483585deeb60c122482d4e943b7eef7f432196eb62387655d819d29e8c64c98cf49b04623ff185924135b8aa128d38
SSDEEP

12288:LlZyWuK5AwBaCPY5OtC36PdbidyQPdF58SxXnkXnmHuYYOm:WZlwBaCPtC3+e4S1k0D

Score

10^/10

quasar venomrat windows defender security evasion persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Defender Security

C2

vilvaraj-32652.portmap.io:32652

Mutex

VNM_MUTEX_XoAJ77Kcpkuyjz4MJK

Attributes

encryption_key
5nIMwmTRG5wyVhouaxGb
install_name
Windows Defender Security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender Security
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 5 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/2868-7-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/2868-14-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/2868-12-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/2868-10-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/2868-6-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2868-7-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/2868-14-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/2868-12-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/2868-10-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/2868-6-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 9 IoCs

Processes:

Windows Defender Security.exeWindows Defender Security.exeWindows Defender Security.exeWindows Defender Security.exeWindows Defender Security.exeWindows Defender Security.exeWindows Defender Security.exeWindows Defender Security.exeWindows Defender Security.exe

pid	process
2728	Windows Defender Security.exe
2204	Windows Defender Security.exe
2548	Windows Defender Security.exe
2512	Windows Defender Security.exe
2564	Windows Defender Security.exe
1292	Windows Defender Security.exe
2064	Windows Defender Security.exe
1224	Windows Defender Security.exe
2308	Windows Defender Security.exe

Loads dropped DLL 10 IoCs

Processes:

813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exeWindows Defender Security.exeWerFault.exe

pid	process
2868	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
2728	Windows Defender Security.exe
2728	Windows Defender Security.exe
2728	Windows Defender Security.exe
2728	Windows Defender Security.exe
2460	WerFault.exe
2460	WerFault.exe
2460	WerFault.exe
2460	WerFault.exe
2460	WerFault.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\YmExSBNzQt = "C:\\Users\\Admin\\AppData\\Roaming\\fPKDAorSBW\\aTTSPgNpLj.exe"	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

flow	ioc
2	ip-api.com

Suspicious use of SetThreadContext 4 IoCs

Processes:

813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exeWindows Defender Security.exeWindows Defender Security.exe813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe

description	pid	process	target process
PID 1916 set thread context of 2868	1916	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
PID 2728 set thread context of 2564	2728	Windows Defender Security.exe	Windows Defender Security.exe
PID 1292 set thread context of 2308	1292	Windows Defender Security.exe	Windows Defender Security.exe
PID 752 set thread context of 2212	752	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2460 2564 WerFault.exe Windows Defender Security.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2788 schtasks.exe
2940 schtasks.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2396 PING.EXE
1356 PING.EXE

pid	pid_target	process	target process
2460	2564	WerFault.exe	Windows Defender Security.exe

pid	process
2788	schtasks.exe
2940	schtasks.exe

pid	process
2396	PING.EXE
1356	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

Windows Defender Security.exepowershell.exeWindows Defender Security.exeWindows Defender Security.exe813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe

pid	process
2728	Windows Defender Security.exe
2728	Windows Defender Security.exe
2728	Windows Defender Security.exe
2728	Windows Defender Security.exe
2728	Windows Defender Security.exe
2728	Windows Defender Security.exe
2524	powershell.exe
1292	Windows Defender Security.exe
1292	Windows Defender Security.exe
1292	Windows Defender Security.exe
1292	Windows Defender Security.exe
2308	Windows Defender Security.exe
2868	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
2868	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
2868	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
2868	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
2868	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
2868	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
2868	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
2212	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exeWindows Defender Security.exeWindows Defender Security.exepowershell.exeWindows Defender Security.exeWindows Defender Security.exe813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2868	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
Token: SeDebugPrivilege	2728	Windows Defender Security.exe
Token: SeDebugPrivilege	2564	Windows Defender Security.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2564	Windows Defender Security.exe
Token: SeDebugPrivilege	1292	Windows Defender Security.exe
Token: SeDebugPrivilege	2308	Windows Defender Security.exe
Token: SeDebugPrivilege	2212	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Defender Security.exe

pid process

2564 Windows Defender Security.exe

pid	process
2564	Windows Defender Security.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exeWindows Defender Security.exeWindows Defender Security.execmd.exe

description	pid	process	target process
PID 1916 wrote to memory of 2868	1916	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
PID 1916 wrote to memory of 2868	1916	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
PID 1916 wrote to memory of 2868	1916	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
PID 1916 wrote to memory of 2868	1916	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
PID 1916 wrote to memory of 2868	1916	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
PID 1916 wrote to memory of 2868	1916	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
PID 1916 wrote to memory of 2868	1916	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
PID 1916 wrote to memory of 2868	1916	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
PID 1916 wrote to memory of 2868	1916	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
PID 2868 wrote to memory of 2788	2868	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	schtasks.exe
PID 2868 wrote to memory of 2788	2868	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	schtasks.exe
PID 2868 wrote to memory of 2788	2868	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	schtasks.exe
PID 2868 wrote to memory of 2788	2868	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	schtasks.exe
PID 2868 wrote to memory of 2728	2868	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	Windows Defender Security.exe
PID 2868 wrote to memory of 2728	2868	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	Windows Defender Security.exe
PID 2868 wrote to memory of 2728	2868	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	Windows Defender Security.exe
PID 2868 wrote to memory of 2728	2868	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	Windows Defender Security.exe
PID 2868 wrote to memory of 2524	2868	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	powershell.exe
PID 2868 wrote to memory of 2524	2868	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	powershell.exe
PID 2868 wrote to memory of 2524	2868	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	powershell.exe
PID 2868 wrote to memory of 2524	2868	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	powershell.exe
PID 2728 wrote to memory of 2548	2728	Windows Defender Security.exe	Windows Defender Security.exe
PID 2728 wrote to memory of 2548	2728	Windows Defender Security.exe	Windows Defender Security.exe
PID 2728 wrote to memory of 2548	2728	Windows Defender Security.exe	Windows Defender Security.exe
PID 2728 wrote to memory of 2548	2728	Windows Defender Security.exe	Windows Defender Security.exe
PID 2728 wrote to memory of 2204	2728	Windows Defender Security.exe	Windows Defender Security.exe
PID 2728 wrote to memory of 2204	2728	Windows Defender Security.exe	Windows Defender Security.exe
PID 2728 wrote to memory of 2204	2728	Windows Defender Security.exe	Windows Defender Security.exe
PID 2728 wrote to memory of 2204	2728	Windows Defender Security.exe	Windows Defender Security.exe
PID 2728 wrote to memory of 2512	2728	Windows Defender Security.exe	Windows Defender Security.exe
PID 2728 wrote to memory of 2512	2728	Windows Defender Security.exe	Windows Defender Security.exe
PID 2728 wrote to memory of 2512	2728	Windows Defender Security.exe	Windows Defender Security.exe
PID 2728 wrote to memory of 2512	2728	Windows Defender Security.exe	Windows Defender Security.exe
PID 2728 wrote to memory of 2564	2728	Windows Defender Security.exe	Windows Defender Security.exe
PID 2728 wrote to memory of 2564	2728	Windows Defender Security.exe	Windows Defender Security.exe
PID 2728 wrote to memory of 2564	2728	Windows Defender Security.exe	Windows Defender Security.exe
PID 2728 wrote to memory of 2564	2728	Windows Defender Security.exe	Windows Defender Security.exe
PID 2728 wrote to memory of 2564	2728	Windows Defender Security.exe	Windows Defender Security.exe
PID 2728 wrote to memory of 2564	2728	Windows Defender Security.exe	Windows Defender Security.exe
PID 2728 wrote to memory of 2564	2728	Windows Defender Security.exe	Windows Defender Security.exe
PID 2728 wrote to memory of 2564	2728	Windows Defender Security.exe	Windows Defender Security.exe
PID 2728 wrote to memory of 2564	2728	Windows Defender Security.exe	Windows Defender Security.exe
PID 2564 wrote to memory of 2940	2564	Windows Defender Security.exe	schtasks.exe
PID 2564 wrote to memory of 2940	2564	Windows Defender Security.exe	schtasks.exe
PID 2564 wrote to memory of 2940	2564	Windows Defender Security.exe	schtasks.exe
PID 2564 wrote to memory of 2940	2564	Windows Defender Security.exe	schtasks.exe
PID 2564 wrote to memory of 1612	2564	Windows Defender Security.exe	cmd.exe
PID 2564 wrote to memory of 1612	2564	Windows Defender Security.exe	cmd.exe
PID 2564 wrote to memory of 1612	2564	Windows Defender Security.exe	cmd.exe
PID 2564 wrote to memory of 1612	2564	Windows Defender Security.exe	cmd.exe
PID 2564 wrote to memory of 2460	2564	Windows Defender Security.exe	WerFault.exe
PID 2564 wrote to memory of 2460	2564	Windows Defender Security.exe	WerFault.exe
PID 2564 wrote to memory of 2460	2564	Windows Defender Security.exe	WerFault.exe
PID 2564 wrote to memory of 2460	2564	Windows Defender Security.exe	WerFault.exe
PID 1612 wrote to memory of 1540	1612	cmd.exe	chcp.com
PID 1612 wrote to memory of 1540	1612	cmd.exe	chcp.com
PID 1612 wrote to memory of 1540	1612	cmd.exe	chcp.com
PID 1612 wrote to memory of 1540	1612	cmd.exe	chcp.com
PID 1612 wrote to memory of 2396	1612	cmd.exe	PING.EXE
PID 1612 wrote to memory of 2396	1612	cmd.exe	PING.EXE
PID 1612 wrote to memory of 2396	1612	cmd.exe	PING.EXE
PID 1612 wrote to memory of 2396	1612	cmd.exe	PING.EXE
PID 1612 wrote to memory of 1292	1612	cmd.exe	Windows Defender Security.exe
PID 1612 wrote to memory of 1292	1612	cmd.exe	Windows Defender Security.exe

C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1916

C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe"
2⤵
- Modifies Windows Defender Real-time Protection settings
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2788

C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728

C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
4⤵
- Executes dropped EXE
PID:2548

C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
4⤵
- Executes dropped EXE
PID:2204

C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
4⤵
- Executes dropped EXE
PID:2512

C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2940

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BVPHdEHRPMhT.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:1540

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2396

C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
7⤵
- Executes dropped EXE
PID:1224

C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
7⤵
- Executes dropped EXE
PID:2064

C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1468
5⤵
- Loads dropped DLL
- Program crash
PID:2460

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
3⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
4⤵
PID:576

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XD7tDiXpWjxx.bat" "
3⤵
PID:2384

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1764

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1356

C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe"
4⤵
- Suspicious use of SetThreadContext
PID:752

C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BVPHdEHRPMhT.bat

Filesize
226B

MD5
76226eeb4eb0b9d7aa482eeef3d049fa

SHA1
d9e8c59757018d85e1932831b23a28186222507f

SHA256
7f6efa931854c0f5400e8cc4a828af4fe26cc4b10bb5f4da1883b0abffc56efc

SHA512
9a11d4cfe3d290a1508532dd5cdbf18ed1240fac0377f84bd2835bde04a00112268a60bab6c274406cd773a1c402d408462c33b9d25d288af50b0a2c9dc9e787

Download Submit
C:\Users\Admin\AppData\Local\Temp\XD7tDiXpWjxx.bat

Filesize
243B

MD5
304176c8d670b08df6c6f5344e5fdee7

SHA1
0c4f618cc813cd66c05d0b8a4e31121bfd4b5cd3

SHA256
78cae96ffb8032f1d4ec5e1a70de697baa508d0eb0c660f39a4fd08b3847171d

SHA512
e8be96d5f1197c865651517db8886c6e50b0a665620a2159c017007cc4e2b5a1f3bf6fb28f34f786d34d64325bc4572f01962ee4aafd96b889da86d82da07b5d

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe

Filesize
618KB

MD5
813f353b1285bcaea41f868746ab9fdd

SHA1
301209445bdfd758b1f647bdbcf1609ee07296e7

SHA256
ce140c5a412462747256fb0c54a6d4ffd98a891fba26164a62fd2349c3f44982

SHA512
1ef96e09c43a7c71395112c2a867e60259483585deeb60c122482d4e943b7eef7f432196eb62387655d819d29e8c64c98cf49b04623ff185924135b8aa128d38

Download Submit
memory/752-89-0x00000000010D0000-0x0000000001172000-memory.dmp

Filesize
648KB

Download
memory/1916-1-0x0000000000340000-0x00000000003E2000-memory.dmp

Filesize
648KB

Download
memory/1916-3-0x0000000000200000-0x000000000020A000-memory.dmp

Filesize
40KB

Download
memory/1916-0-0x0000000074DFE000-0x0000000074DFF000-memory.dmp

Filesize
4KB

Download
memory/2212-98-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2564-40-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2728-24-0x00000000001C0000-0x0000000000262000-memory.dmp

Filesize
648KB

Download
memory/2868-12-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2868-16-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/2868-15-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/2868-6-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2868-5-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2868-4-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2868-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2868-78-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/2868-10-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2868-87-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/2868-14-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2868-7-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads