Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 01-06-2024 13:45
Static task: static1
Behavioral task: behavioral1
Sample: 8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe
Resource: win7-20240215-en
General
Target: 8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe
Size: 2.2MB
MD5: 8aa12cb7cad072737aa9541b636a68bb
SHA1: 45b5e9bfda12f5de1338ca330b08132317684737
SHA256: 12415ec74ab9a1facbbda22b5618d4aaed954a880f7db45406060f2f252a015f
SHA512: fca92073ee608b8233fa26079a5f55b5b4b118a48029b943987037cea7302806eb2bb601f8ff5e3715e3d46ca5f27941667c241148314b194eedfc2dd7bb96c8
SSDEEP: 49152:gz9oY5v/t14EmN0v8X4NbyhXers4a5ppHdKoCgzSZp6UzsGre245snxNX99AeP:KB5Hf4EmN0UXvia5vHcDgzSfB7iT0x
Malware Config
Extracted
quasar
1.3.0.0
Office04
31.200.226.140:4782
QSR_MUTEX_2PSnv6ikiCGVKIYz02
encryption_key: YGysf4cKdIIApRvwDlWm
install_name: svchot.exe
log_directory: Logss
reconnect_delay: 3000
startup_key: Microsoft Update
subdirectory: SubDir
Signatures
-
Quasar payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\@0B.exe | family_quasar
behavioral2/memory/764-22-0x0000000000810000-0x000000000086E000-memory.dmp | family_quasar
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | 8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe
Executes dropped EXE 3 IoCs
Processes: jesuscry.exe, @0B.exe, svchot.exe
pid | process
4880 | jesuscry.exe
764 | @0B.exe
3932 | svchot.exe
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\jesuscry.exe | vmprotect
behavioral2/memory/4880-27-0x00000000009A0000-0x0000000000D83000-memory.dmp | vmprotect
behavioral2/memory/4880-30-0x00000000009A0000-0x0000000000D83000-memory.dmp | vmprotect
behavioral2/memory/4880-33-0x00000000009A0000-0x0000000000D83000-memory.dmp | vmprotect
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
9 | ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes: jesuscry.exe
pid | process
4880 | jesuscry.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
pid | process
3012 | schtasks.exe
1376 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: jesuscry.exe
pid | process
4880 | jesuscry.exe
4880 | jesuscry.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: @0B.exe, svchot.exe
description | pid | process
Token: SeDebugPrivilege | 764 | @0B.exe
Token: SeDebugPrivilege | 3932 | svchot.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: svchot.exe
pid | process
3932 | svchot.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes: 8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe, @0B.exe, svchot.exe
description | pid | process | target process
PID 3408 wrote to memory of 4880 | 3408 | 8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe | jesuscry.exe
PID 3408 wrote to memory of 4880 | 3408 | 8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe | jesuscry.exe
PID 3408 wrote to memory of 4880 | 3408 | 8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe | jesuscry.exe
PID 3408 wrote to memory of 764 | 3408 | 8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe | @0B.exe
PID 3408 wrote to memory of 764 | 3408 | 8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe | @0B.exe
PID 3408 wrote to memory of 764 | 3408 | 8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe | @0B.exe
PID 764 wrote to memory of 3012 | 764 | @0B.exe | schtasks.exe
PID 764 wrote to memory of 3012 | 764 | @0B.exe | schtasks.exe
PID 764 wrote to memory of 3012 | 764 | @0B.exe | schtasks.exe
PID 764 wrote to memory of 3932 | 764 | @0B.exe | svchot.exe
PID 764 wrote to memory of 3932 | 764 | @0B.exe | svchot.exe
PID 764 wrote to memory of 3932 | 764 | @0B.exe | svchot.exe
PID 3932 wrote to memory of 1376 | 3932 | svchot.exe | schtasks.exe
PID 3932 wrote to memory of 1376 | 3932 | svchot.exe | schtasks.exe
PID 3932 wrote to memory of 1376 | 3932 | svchot.exe | schtasks.exe
Processes (tree, indented by depth)
C:\Users\Admin\AppData\Local\Temp\8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\jesuscry.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\jesuscry.exe"
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\AppData\Local\Temp\@0B.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\@0B.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks" /create /tn "Microsoft Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\@0B.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Roaming\SubDir\svchot.exe
      command line: "C:\Users\Admin\AppData\Roaming\SubDir\svchot.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\schtasks.exe
        command line: "schtasks" /create /tn "Microsoft Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchot.exe" /rl HIGHEST /f
        - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\@0B.exe
  Filesize: 348KB
  MD5: 5ffeb1548caabe3c3bbf57449f160c08
  SHA1: a42dd71c1b15eab4e0057ce7a46cbd1a8497a842
  SHA256: 1df5a83f7e23bf5302497d0486d71f2f401dcebb8e82a1e576677568bf3742a2
  SHA512: 7715cf5662e85ef4de108eae18b08bc96a14a3208567ed805691f34ccf0702a14bd41ded171c41098b4ac2d10d8f9808ee25651f0f728a9a4be4232a600ac268
C:\Users\Admin\AppData\Local\Temp\jesuscry.exe
  Filesize: 2.0MB
  MD5: a1335432e7cd02e45ba2915849515736
  SHA1: 6d8fc3dd2509d0d5949e9459632a6692a11f44bf
  SHA256: 234c179d48175a46ed8985db10c4fed719c5c1f038ce60085b08869dcb393c66
  SHA512: 0f4f568e78d1476786b9382fac47c86b1f3eba463b86caa8fdac6da9a326e010f133044480309d61763e137bf21f87809ccd65aa820cf2b55935904641ae7daa
memory/764-34-0x0000000005360000-0x00000000053C6000-memory.dmp  Filesize: 408KB
memory/764-21-0x0000000074DDE000-0x0000000074DDF000-memory.dmp  Filesize: 4KB
memory/764-22-0x0000000000810000-0x000000000086E000-memory.dmp  Filesize: 376KB
memory/764-23-0x0000000005870000-0x0000000005E14000-memory.dmp  Filesize: 5.6MB
memory/764-24-0x00000000052C0000-0x0000000005352000-memory.dmp  Filesize: 584KB
memory/764-25-0x0000000074DD0000-0x0000000075580000-memory.dmp  Filesize: 7.7MB
memory/764-43-0x0000000074DD0000-0x0000000075580000-memory.dmp  Filesize: 7.7MB
memory/764-36-0x00000000064E0000-0x000000000651C000-memory.dmp  Filesize: 240KB
memory/764-35-0x00000000057E0000-0x00000000057F2000-memory.dmp  Filesize: 72KB
memory/3932-45-0x0000000006530000-0x000000000653A000-memory.dmp  Filesize: 40KB
memory/4880-26-0x00000000009D3000-0x0000000000B97000-memory.dmp  Filesize: 1.8MB
memory/4880-28-0x0000000000930000-0x0000000000931000-memory.dmp  Filesize: 4KB
memory/4880-33-0x00000000009A0000-0x0000000000D83000-memory.dmp  Filesize: 3.9MB
memory/4880-29-0x0000000000940000-0x0000000000941000-memory.dmp  Filesize: 4KB
memory/4880-30-0x00000000009A0000-0x0000000000D83000-memory.dmp  Filesize: 3.9MB
memory/4880-27-0x00000000009A0000-0x0000000000D83000-memory.dmp  Filesize: 3.9MB
memory/4880-46-0x00000000009D3000-0x0000000000B97000-memory.dmp  Filesize: 1.8MB