Analysis
- max time kernel: 143s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 03-06-2024 06:13
- Static task: static1
- Behavioral task: behavioral1
- Sample: 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
- Resource: win7-20240508-en
General
- Target: 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
- Size: 2.4MB
- MD5: 90caf8c398e30a5307279c841435a470
- SHA1: 2f70c084e8a48d54073065f6db1ce9aca42c9532
- SHA256: 459a5f0643c4e76c893adb6b357d735a0a2cce36025e55e57b04d48dd757aa12
- SHA512: db2b377f2f33787614e29c96307deecfd80416e884e59be73f8d92b45c6120e8981e7b175730325b2208ed48343ab245927b7ab438c1ac5ceb2bd77834714eff
- SSDEEP: 49152:peonr/3u2uzDHV5PzrXz43/MSNwMnYchis8USTCKRGwgmw:pemr/PkDHbfkn7vYhLTw
Malware Config
Extracted
- Family: quasar
- Version: 1.3.0.0
- Botnet: LOADER
- C2: etoneratnik.ddns.net:28015, localhost:28015, kurganec228.ddns.net:28015
- Mutex: FCK_RAT_ES2kkOJbHRbUDmM6Xu
- Attributes:
  - encryption_key: J8X5HSfTVKzzwI5Fag6J
  - install_name: stеamwеbhеlper.exe
  - log_directory: Logs
  - reconnect_delay: 2000
  - startup_key: Steam Client WebHelper
  - subdirectory: Steam
Signatures

Quasar payload 8 IoCs
Processes (resource: yara_rule):
- behavioral1/memory/836-2-0x0000000000A60000-0x000000000103C000-memory.dmp: family_quasar
- behavioral1/memory/836-3-0x0000000000A60000-0x000000000103C000-memory.dmp: family_quasar
- behavioral1/memory/836-12-0x0000000000A60000-0x000000000103C000-memory.dmp: family_quasar
- behavioral1/memory/2672-14-0x0000000000A60000-0x000000000103C000-memory.dmp: family_quasar
- behavioral1/memory/2672-15-0x0000000000A60000-0x000000000103C000-memory.dmp: family_quasar
- behavioral1/memory/1048-35-0x0000000000A60000-0x000000000103C000-memory.dmp: family_quasar
- behavioral1/memory/1048-36-0x0000000000A60000-0x000000000103C000-memory.dmp: family_quasar
- behavioral1/memory/1048-38-0x0000000000A60000-0x000000000103C000-memory.dmp: family_quasar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
Processes (description, ioc, process):
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by stеamwеbhеlper.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by stеamwеbhеlper.exe
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by stеamwеbhеlper.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by stеamwеbhеlper.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by stеamwеbhеlper.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by stеamwеbhеlper.exe
Executes dropped EXE 2 IoCs
Processes (pid, process):
- 2672 stеamwеbhеlper.exe
- 1048 stеamwеbhеlper.exe
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (description, ioc, process):
- Key opened \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Wine by 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
- Key opened \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Wine by stеamwеbhеlper.exe
- Key opened \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Wine by stеamwеbhеlper.exe
Loads dropped DLL 6 IoCs
Processes (pid, process):
- 836 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
- 2176 WerFault.exe (reported 5 times)
Checks whether UAC is enabled 3 IoCs
Processes (description, ioc, process):
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by stеamwеbhеlper.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by stеamwеbhеlper.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
- flow 2: ip-api.com
Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes (description, ioc, process):
- File opened for modification \??\PhysicalDrive0 by 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
- File opened for modification \??\PhysicalDrive0 by stеamwеbhеlper.exe
- File opened for modification \??\PhysicalDrive0 by stеamwеbhеlper.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes (pid, process):
- 836 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
- 2672 stеamwеbhеlper.exe
- 1048 stеamwеbhеlper.exe
Drops file in Program Files directory 4 IoCs
Processes (description, ioc, process):
- File created C:\Program Files (x86)\Steam\st?amw?bh?lper.exe by 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
- File created C:\Program Files (x86)\Steam\stеamwеbhеlper.exe by 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
- File opened for modification C:\Program Files (x86)\Steam\stеamwеbhеlper.exe by 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
- File opened for modification C:\Program Files (x86)\Steam\stеamwеbhеlper.exe by stеamwеbhеlper.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
Processes (pid, pid_target, process, target process):
- 2176 WerFault.exe, target 2672 stеamwеbhеlper.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
- 2644 schtasks.exe
- 2500 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes (pid, process):
- 836 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
- 2672 stеamwеbhеlper.exe
- 1048 stеamwеbhеlper.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 836 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
- Token: SeDebugPrivilege, 2672 stеamwеbhеlper.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid, process):
- 2672 stеamwеbhеlper.exe
Suspicious use of WriteProcessMemory 32 IoCs
Processes (description, pid, process, target process; each entry is reported 4 times):
- PID 836 wrote to memory of 2644: 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe -> schtasks.exe
- PID 836 wrote to memory of 2672: 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe -> stеamwеbhеlper.exe
- PID 2672 wrote to memory of 2500: stеamwеbhеlper.exe -> schtasks.exe
- PID 2672 wrote to memory of 2612: stеamwеbhеlper.exe -> cmd.exe
- PID 2672 wrote to memory of 2176: stеamwеbhеlper.exe -> WerFault.exe
- PID 2612 wrote to memory of 1820: cmd.exe -> chcp.com
- PID 2612 wrote to memory of 2028: cmd.exe -> PING.EXE
- PID 2612 wrote to memory of 1048: cmd.exe -> stеamwеbhеlper.exe
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\90caf8c398e30a5307279c841435a470_JaffaCakes118.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Steam Client WebHelper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\90caf8c398e30a5307279c841435a470_JaffaCakes118.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

  C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
  Command line: "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks" /create /tn "Steam Client WebHelper" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f
    - Creates scheduled task(s)

    C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Z69XodJqzzPr.bat" "
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\chcp.com
      Command line: chcp 65001

      C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 10 localhost
      - Runs ping.exe

      C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
      Command line: "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Checks whether UAC is enabled
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 1640
    - Loads dropped DLL
    - Program crash
Downloads

C:\ProgramData\mntemp
- Filesize: 16B
- MD5: 526c0ed6a018187be0c67790a1b43c8b
- SHA1: 5f7394713d477b765c8c9521939d0b4ae8b57efb
- SHA256: f2e5c463c3d4b4ec527bd6f809070211e12fdbc59a78662eeeb16c0b9c9775ad
- SHA512: d5293fa2c169344176dbc426aea72fce1228e8b85ef5332f18608b160ce833f7c7f08a653c6a45a9d89863a1543671290f05701b44b544a261c4b71af5fcc831

C:\Users\Admin\AppData\Local\Temp\Z69XodJqzzPr.bat
- Filesize: 209B
- MD5: a4b1a7840a7ff6bae04017a3cb80868d
- SHA1: 5f5b03fb0f669703ceda8cbd80dea09fdf6c311d
- SHA256: d586d02794d69639110f4d898055479014dd20e4259370384912e88f0f3577b1
- SHA512: 5a614d5e3736f4a6f2838832cb4f08f74975e375ca7a386a1639fbf2379468dbae799b07ee7ef1b1ad59c66bbccdffb1447fa3317a2d330c839fdb68bf847316

\Program Files (x86)\Steam\stеamwеbhеlper.exe
- Filesize: 2.4MB
- MD5: 90caf8c398e30a5307279c841435a470
- SHA1: 2f70c084e8a48d54073065f6db1ce9aca42c9532
- SHA256: 459a5f0643c4e76c893adb6b357d735a0a2cce36025e55e57b04d48dd757aa12
- SHA512: db2b377f2f33787614e29c96307deecfd80416e884e59be73f8d92b45c6120e8981e7b175730325b2208ed48343ab245927b7ab438c1ac5ceb2bd77834714eff

Memory dumps (each 5.9MB):
- memory/836-0-0x0000000000A60000-0x000000000103C000-memory.dmp
- memory/836-3-0x0000000000A60000-0x000000000103C000-memory.dmp
- memory/836-12-0x0000000000A60000-0x000000000103C000-memory.dmp
- memory/836-2-0x0000000000A60000-0x000000000103C000-memory.dmp
- memory/1048-35-0x0000000000A60000-0x000000000103C000-memory.dmp
- memory/1048-34-0x0000000000A60000-0x000000000103C000-memory.dmp
- memory/1048-36-0x0000000000A60000-0x000000000103C000-memory.dmp
- memory/1048-38-0x0000000000A60000-0x000000000103C000-memory.dmp
- memory/2672-15-0x0000000000A60000-0x000000000103C000-memory.dmp
- memory/2672-14-0x0000000000A60000-0x000000000103C000-memory.dmp
- memory/2672-10-0x0000000000A60000-0x000000000103C000-memory.dmp
- memory/2672-40-0x0000000000A60000-0x000000000103C000-memory.dmp