General
-
Target
90caf8c398e30a5307279c841435a470_JaffaCakes118
-
Size
2.4MB
-
Sample
240603-gy5vesed2x
-
MD5
90caf8c398e30a5307279c841435a470
-
SHA1
2f70c084e8a48d54073065f6db1ce9aca42c9532
-
SHA256
459a5f0643c4e76c893adb6b357d735a0a2cce36025e55e57b04d48dd757aa12
-
SHA512
db2b377f2f33787614e29c96307deecfd80416e884e59be73f8d92b45c6120e8981e7b175730325b2208ed48343ab245927b7ab438c1ac5ceb2bd77834714eff
-
SSDEEP
49152:peonr/3u2uzDHV5PzrXz43/MSNwMnYchis8USTCKRGwgmw:pemr/PkDHbfkn7vYhLTw
Static task
static1
Behavioral task
behavioral1
Sample
90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
Resource
win7-20240508-en
Malware Config
Extracted
quasar
1.3.0.0
LOADER
etoneratnik.ddns.net:28015
localhost:28015
kurganec228.ddns.net:28015
FCK_RAT_ES2kkOJbHRbUDmM6Xu
-
encryption_key
J8X5HSfTVKzzwI5Fag6J
-
install_name
stеamwеbhеlper.exe
-
log_directory
Logs
-
reconnect_delay
2000
-
startup_key
Steam Client WebHelper
-
subdirectory
Steam
Targets
-
-
Target
90caf8c398e30a5307279c841435a470_JaffaCakes118
-
Size
2.4MB
-
MD5
90caf8c398e30a5307279c841435a470
-
SHA1
2f70c084e8a48d54073065f6db1ce9aca42c9532
-
SHA256
459a5f0643c4e76c893adb6b357d735a0a2cce36025e55e57b04d48dd757aa12
-
SHA512
db2b377f2f33787614e29c96307deecfd80416e884e59be73f8d92b45c6120e8981e7b175730325b2208ed48343ab245927b7ab438c1ac5ceb2bd77834714eff
-
SSDEEP
49152:peonr/3u2uzDHV5PzrXz43/MSNwMnYchis8USTCKRGwgmw:pemr/PkDHbfkn7vYhLTw
-
Quasar payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Virtualization/Sandbox Evasion
2Modify Registry
1Pre-OS Boot
1Bootkit
1