Analysis
max time kernel: 128s
max time network: 138s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 01-06-2024 13:45
Static task: static1
Behavioral task: behavioral1
Sample: 8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe
Resource: win7-20240215-en
General
Target: 8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe
Size: 2.2MB
MD5: 8aa12cb7cad072737aa9541b636a68bb
SHA1: 45b5e9bfda12f5de1338ca330b08132317684737
SHA256: 12415ec74ab9a1facbbda22b5618d4aaed954a880f7db45406060f2f252a015f
SHA512: fca92073ee608b8233fa26079a5f55b5b4b118a48029b943987037cea7302806eb2bb601f8ff5e3715e3d46ca5f27941667c241148314b194eedfc2dd7bb96c8
SSDEEP: 49152:gz9oY5v/t14EmN0v8X4NbyhXers4a5ppHdKoCgzSZp6UzsGre245snxNX99AeP:KB5Hf4EmN0UXvia5vHcDgzSfB7iT0x
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Tag (campaign ID): Office04
C2: 31.200.226.140:4782
Mutex: QSR_MUTEX_2PSnv6ikiCGVKIYz02
encryption_key: YGysf4cKdIIApRvwDlWm
install_name: svchot.exe
log_directory: Logss (keylogger log directory name)
reconnect_delay: 3000 (milliseconds)
startup_key: Microsoft Update
subdirectory: SubDir

The install_name, subdirectory and startup_key values line up with the observed behaviour: the dropped client copies itself to %APPDATA%\SubDir\svchot.exe and registers a scheduled task named "Microsoft Update" (see Processes below).
Signatures

Quasar payload (3 IoCs)
yara rule family_quasar matched:
  file   C:\Users\Admin\AppData\Local\Temp\@0B.exe
  memory behavioral1/memory/2976-17-0x00000000011A0000-0x00000000011FE000-memory.dmp
  memory behavioral1/memory/2468-41-0x0000000000AB0000-0x0000000000B0E000-memory.dmp

Executes dropped EXE (3 IoCs)
  PID 1524 jesuscry.exe
  PID 2976 @0B.exe
  PID 2468 svchot.exe

Loads dropped DLL (3 IoCs)
  PID 2240 8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe (2 loads)
  PID 2976 @0B.exe

Packer: VMProtect (4 IoCs)
yara rule vmprotect matched:
  file   \Users\Admin\AppData\Local\Temp\jesuscry.exe
  memory behavioral1/memory/1524-33-0x0000000000010000-0x00000000003F3000-memory.dmp
  memory behavioral1/memory/1524-30-0x0000000000010000-0x00000000003F3000-memory.dmp
  memory behavioral1/memory/1524-44-0x0000000000010000-0x00000000003F3000-memory.dmp

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 2: ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 1524 jesuscry.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2676 schtasks.exe
  PID 1892 schtasks.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 1524 jesuscry.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  PID 2976 @0B.exe    Token: SeDebugPrivilege
  PID 2468 svchot.exe Token: SeDebugPrivilege

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2468 svchot.exe (Quasar's keylogger installs a low-level keyboard hook)

Suspicious use of WriteProcessMemory (20 IoCs)
Five distinct parent/child pairs, each recorded four times:
  PID 2240 8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe -> PID 1524 jesuscry.exe (x4)
  PID 2240 8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe -> PID 2976 @0B.exe (x4)
  PID 2976 @0B.exe -> PID 2676 schtasks.exe (x4)
  PID 2976 @0B.exe -> PID 2468 svchot.exe (x4)
  PID 2468 svchot.exe -> PID 1892 schtasks.exe (x4)
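Every WriteProcessMemory entry above has the parent writing into a child it has just started; that is typically the parent's own CreateProcess setup of the new process rather than injection into a foreign process, so the twenty entries describe the spawn chain, four writes per child. The script below is an added example, not part of the sandbox report or of Quasar: it parses entries in the format printed above, collapses the duplicates and renders the spawn tree. The input is constructed from the five distinct entries on this page.

```python
import re
from collections import Counter

# Constructed input: the five distinct WriteProcessMemory entries listed in
# the signature above, each repeated four times as the sandbox reports them.
DISTINCT_ENTRIES = [
    "PID 2240 wrote to memory of 1524 2240 8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe jesuscry.exe",
    "PID 2240 wrote to memory of 2976 2240 8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe @0B.exe",
    "PID 2976 wrote to memory of 2676 2976 @0B.exe schtasks.exe",
    "PID 2976 wrote to memory of 2468 2976 @0B.exe svchot.exe",
    "PID 2468 wrote to memory of 1892 2468 svchot.exe schtasks.exe",
]
SAMPLE_REPORT = "\n".join(entry for entry in DISTINCT_ENTRIES for _ in range(4))

# "PID <parent> wrote to memory of <child> <parent> <parent image> <child image>"
ENTRY_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")


def parse_entries(text):
    """Return (edge_counts, names): how many times each parent->child pair
    occurs, and the image name recorded for every PID seen."""
    edges, names = Counter(), {}
    for match in ENTRY_RE.finditer(text):
        ppid, cpid, _, pname, cname = match.groups()
        ppid, cpid = int(ppid), int(cpid)
        edges[(ppid, cpid)] += 1
        names[ppid] = pname
        names[cpid] = cname
    return edges, names


def build_tree(edges, names):
    """Depth-first list of (depth, pid, image), rooted at every PID that
    never appears as a child. Children keep the report's own order."""
    children = {}
    for ppid, cpid in edges:
        children.setdefault(ppid, []).append(cpid)
    child_pids = {cpid for _, cpid in edges}
    roots = sorted(pid for pid in names if pid not in child_pids)
    tree = []

    def walk(pid, depth):
        tree.append((depth, pid, names[pid]))
        for cpid in children.get(pid, []):
            walk(cpid, depth + 1)

    for root in roots:
        walk(root, 0)
    return tree


def render(text):
    """Collapse the raw entries into a summary line plus an indented spawn tree."""
    edges, names = parse_entries(text)
    lines = [f"{len(edges)} distinct parent->child pairs from {sum(edges.values())} entries"]
    for depth, pid, image in build_tree(edges, names):
        lines.append("  " * depth + f"{image} (PID {pid})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_REPORT))
```

The same parser works on the raw signature table of any report that uses this wording; a PID that appears as a child under two different parents would show up twice in the tree, which is exactly the case worth a second look, since it means something other than the creator wrote into that process.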
Processes
(depth markers 1-4 from the report rendered as indentation; PIDs taken from the Signatures section)

[1] C:\Users\Admin\AppData\Local\Temp\8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe (PID 2240)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\jesuscry.exe (PID 1524)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\jesuscry.exe"
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\Users\Admin\AppData\Local\Temp\@0B.exe (PID 2976)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\@0B.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\schtasks.exe (PID 2676)
            cmdline: "schtasks" /create /tn "Microsoft Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\@0B.exe" /rl HIGHEST /f
            - Creates scheduled task(s)
        [3] C:\Users\Admin\AppData\Roaming\SubDir\svchot.exe (PID 2468)
            cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\svchot.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\schtasks.exe (PID 1892)
                cmdline: "schtasks" /create /tn "Microsoft Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchot.exe" /rl HIGHEST /f
                - Creates scheduled task(s)

The second schtasks call re-creates the same task name with /f, so the task that survives points at the installed copy under %APPDATA%\SubDir rather than at the Temp dropper. schtasks runs from C:\Windows\SysWOW64, so the Quasar client is a 32-bit process on this x64 image.
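Both schtasks command lines in the tree register an ONLOGON task named "Microsoft Update" with /rl HIGHEST whose action lives under the user's profile. The script below is an added example, not part of the sandbox report or of Quasar: a small triage routine for schtasks /create command lines of the kind an EDR or Sysmon process-creation event records. It tokenises the Windows command line, extracts task name, trigger, run level and action, and lists why the task looks like persistence. The lure-name list, the user-writable directory list and the benign third command line are constructed for the example.

```python
import re

# Directories a standard user can write to; a logon task whose action binary
# lives here is a common persistence pattern (constructed list, not exhaustive).
USER_WRITABLE_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\local\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\programdata\\",
)
# Task names that imitate built-in Windows components (constructed lure list).
LURE_TASK_NAMES = {"microsoft update", "windows update", "microsoft edge update", "onedrive update"}
# schtasks switches that consume the following token as their value.
VALUE_SWITCHES = {"/tn", "/sc", "/tr", "/rl", "/ru", "/rp", "/mo", "/st", "/sd",
                  "/ed", "/d", "/m", "/i", "/du", "/ri", "/ec", "/xml"}

# Constructed sample: the two command lines from the process tree above plus
# one benign task for contrast.
SAMPLE_CMDLINES = [
    r'"schtasks" /create /tn "Microsoft Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\@0B.exe" /rl HIGHEST /f',
    r'"schtasks" /create /tn "Microsoft Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchot.exe" /rl HIGHEST /f',
    r'schtasks /create /tn "Backup\NightlySync" /sc DAILY /st 02:00 /tr "C:\Program Files\SyncTool\sync.exe"',
]


def tokenize(cmdline):
    """Split a Windows command line on whitespace while honouring double quotes;
    quoted tokens are returned without their quotes."""
    return [quoted if quoted else bare
            for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline):
    """Map lower-cased switches to their values (True for bare flags), or None
    if the command line is not a schtasks invocation."""
    tokens = tokenize(cmdline)
    if not tokens or "schtasks" not in tokens[0].lower():
        return None
    opts, i = {}, 1
    while i < len(tokens):
        switch = tokens[i].lower()
        if switch in VALUE_SWITCHES and i + 1 < len(tokens):
            opts[switch] = tokens[i + 1]
            i += 2
        else:
            opts[switch] = True
            i += 1
    return opts


def triage(cmdline):
    """Return a summary dict with a list of persistence indicators for a
    'schtasks /create' command line, or None for anything else."""
    opts = parse_schtasks(cmdline)
    if opts is None or "/create" not in opts:
        return None
    name = str(opts.get("/tn", ""))
    schedule = str(opts.get("/sc", "")).upper()
    action = str(opts.get("/tr", ""))
    level = str(opts.get("/rl", "")).upper()
    findings = []
    if schedule in ("ONLOGON", "ONSTART"):
        findings.append(f"trigger {schedule}: re-executes at every logon/boot")
    if level == "HIGHEST":
        findings.append("/rl HIGHEST: runs with the creator's highest available token")
    if any(d in action.lower() for d in USER_WRITABLE_DIRS):
        findings.append("action binary is in a user-writable directory")
    if name.lower() in LURE_TASK_NAMES:
        findings.append(f"task name {name!r} imitates a Windows component")
    if "/f" in opts:
        findings.append("/f: silently replaces an existing task of the same name")
    return {"task": name, "schedule": schedule, "action": action,
            "level": level, "findings": findings}


if __name__ == "__main__":
    for cmdline in SAMPLE_CMDLINES:
        result = triage(cmdline)
        verdict = "SUSPICIOUS" if result["findings"] else "ok"
        print(f"[{verdict}] {result['task']!r} -> {result['action']}")
        for finding in result["findings"]:
            print("    -", finding)
```

Note the caveat on /rl HIGHEST: it requests the creator's highest available token and does not by itself grant privileges the account lacks, so the finding is about intent, not about an elevation that has already happened. In a real pipeline the action path should also be resolved on disk and hashed, which is what ties the task back to the dropped-file hashes in the Downloads section.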
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\@0B.exe
  Filesize: 348KB
  MD5: 5ffeb1548caabe3c3bbf57449f160c08
  SHA1: a42dd71c1b15eab4e0057ce7a46cbd1a8497a842
  SHA256: 1df5a83f7e23bf5302497d0486d71f2f401dcebb8e82a1e576677568bf3742a2
  SHA512: 7715cf5662e85ef4de108eae18b08bc96a14a3208567ed805691f34ccf0702a14bd41ded171c41098b4ac2d10d8f9808ee25651f0f728a9a4be4232a600ac268

\Users\Admin\AppData\Local\Temp\jesuscry.exe
  Filesize: 2.0MB
  MD5: a1335432e7cd02e45ba2915849515736
  SHA1: 6d8fc3dd2509d0d5949e9459632a6692a11f44bf
  SHA256: 234c179d48175a46ed8985db10c4fed719c5c1f038ce60085b08869dcb393c66
  SHA512: 0f4f568e78d1476786b9382fac47c86b1f3eba463b86caa8fdac6da9a326e010f133044480309d61763e137bf21f87809ccd65aa820cf2b55935904641ae7daa

Memory dumps (dump name, size)
  memory/1524-19-0x0000000000011000-0x0000000000032000-memory.dmp  132KB
  memory/1524-20-0x0000000000570000-0x0000000000571000-memory.dmp  4KB
  memory/1524-22-0x0000000000570000-0x0000000000571000-memory.dmp  4KB
  memory/1524-24-0x0000000000570000-0x0000000000571000-memory.dmp  4KB
  memory/1524-25-0x0000000000580000-0x0000000000581000-memory.dmp  4KB
  memory/1524-27-0x0000000000580000-0x0000000000581000-memory.dmp  4KB
  memory/1524-29-0x0000000000580000-0x0000000000581000-memory.dmp  4KB
  memory/1524-30-0x0000000000010000-0x00000000003F3000-memory.dmp  3.9MB
  memory/1524-33-0x0000000000010000-0x00000000003F3000-memory.dmp  3.9MB
  memory/1524-44-0x0000000000010000-0x00000000003F3000-memory.dmp  3.9MB
  memory/2468-41-0x0000000000AB0000-0x0000000000B0E000-memory.dmp  376KB
  memory/2976-16-0x0000000073E6E000-0x0000000073E6F000-memory.dmp  4KB
  memory/2976-17-0x00000000011A0000-0x00000000011FE000-memory.dmp  376KB
  memory/2976-18-0x0000000073E60000-0x000000007454E000-memory.dmp  6.9MB
  memory/2976-42-0x0000000073E60000-0x000000007454E000-memory.dmp  6.9MB

The two 376KB dumps (2976-17 and 2468-41, both 0x5E000 bytes) are the regions that matched the family_quasar rule: the mapped Quasar client image in the dropper @0B.exe and again in its installed copy svchot.exe. The three 3.9MB dumps of PID 1524 are the VMProtect-packed jesuscry.exe image that matched the vmprotect rule.