General
Target: 90bced8d18a24d6d148eb5225c66760e_JaffaCakes118
Size: 477KB
Sample: 240603-gkwdtsdg81
MD5: 90bced8d18a24d6d148eb5225c66760e
SHA1: 4feba0e911d90cfc1467907c09a0f7ce89e184e2
SHA256: 53e3ef743e60a3c4b56e9184d4262918e69ea64e9642aead36eab8b6771f0e4a
SHA512: 8ff7b113eb6140906f0220c22930e70f6cd14e219bb3d8f5ff0e75d0f33b262e9ecd05316ece994561870aa7c140b83cd91146ef12c1dddfb6afd1f8d0230583
SSDEEP: 12288:+VVVibrHQHGvLvB1eUmWAP7r9r/+ppppppppppppppppppppppppppppp0GO:+ZibrHxzO1qO

Static task: static1
Behavioral task: behavioral1
Sample: 90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exe
Resource: win7-20240508-en

Malware Config
Extracted
quasar
1.3.0.0
MAMAup
eyasdz.ddns.net:1052
QSR_MUTEX_FjemAK95X9OiydAcHT
encryption_key: l1K4RtgBHYiqfNoqq3QV
install_name: microcp.exe
log_directory: wincps
reconnect_delay: 3000
startup_key: wincp
subdirectory: MicrosoftCP
Targets
Target: 90bced8d18a24d6d148eb5225c66760e_JaffaCakes118
Size: 477KB
MD5: 90bced8d18a24d6d148eb5225c66760e
SHA1: 4feba0e911d90cfc1467907c09a0f7ce89e184e2
SHA256: 53e3ef743e60a3c4b56e9184d4262918e69ea64e9642aead36eab8b6771f0e4a
SHA512: 8ff7b113eb6140906f0220c22930e70f6cd14e219bb3d8f5ff0e75d0f33b262e9ecd05316ece994561870aa7c140b83cd91146ef12c1dddfb6afd1f8d0230583
SSDEEP: 12288:+VVVibrHQHGvLvB1eUmWAP7r9r/+ppppppppppppppppppppppppppppp0GO:+ZibrHxzO1qO

Signatures
Quasar payload
Checks computer location settings: Looks up country code configured in the registry, likely geofence.
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.