Analysis

max time kernel: 143s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 06:13

Static task: static1
Behavioral task: behavioral1
Sample: 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
Resource: win7-20240508-en
General

Target: 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
Size: 2.4MB
MD5: 90caf8c398e30a5307279c841435a470
SHA1: 2f70c084e8a48d54073065f6db1ce9aca42c9532
SHA256: 459a5f0643c4e76c893adb6b357d735a0a2cce36025e55e57b04d48dd757aa12
SHA512: db2b377f2f33787614e29c96307deecfd80416e884e59be73f8d92b45c6120e8981e7b175730325b2208ed48343ab245927b7ab438c1ac5ceb2bd77834714eff
SSDEEP: 49152:peonr/3u2uzDHV5PzrXz43/MSNwMnYchis8USTCKRGwgmw:pemr/PkDHbfkn7vYhLTw
Malware Config

Extracted
family: quasar
version: 1.3.0.0
tag: LOADER
C2: etoneratnik.ddns.net:28015, localhost:28015, kurganec228.ddns.net:28015
mutex: FCK_RAT_ES2kkOJbHRbUDmM6Xu
encryption_key: J8X5HSfTVKzzwI5Fag6J
install_name: stеamwеbhеlper.exe
log_directory: Logs
reconnect_delay: 2000
startup_key: Steam Client WebHelper
subdirectory: Steam
Signatures

Quasar payload 9 IoCs
resource | yara_rule
behavioral2/memory/1800-3-0x0000000000A60000-0x000000000103C000-memory.dmp | family_quasar
behavioral2/memory/1800-4-0x0000000000A60000-0x000000000103C000-memory.dmp | family_quasar
behavioral2/memory/3556-22-0x0000000000080000-0x000000000065C000-memory.dmp | family_quasar
behavioral2/memory/1800-23-0x0000000000A60000-0x000000000103C000-memory.dmp | family_quasar
behavioral2/memory/3556-24-0x0000000000080000-0x000000000065C000-memory.dmp | family_quasar
behavioral2/memory/2344-38-0x0000000000080000-0x000000000065C000-memory.dmp | family_quasar
behavioral2/memory/2344-39-0x0000000000080000-0x000000000065C000-memory.dmp | family_quasar
behavioral2/memory/2344-42-0x0000000000080000-0x000000000065C000-memory.dmp | family_quasar
behavioral2/memory/3556-44-0x0000000000080000-0x000000000065C000-memory.dmp | family_quasar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | stеamwеbhеlper.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | stеamwеbhеlper.exe

Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | stеamwеbhеlper.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | stеamwеbhеlper.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | stеamwеbhеlper.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | stеamwеbhеlper.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | stеamwеbhеlper.exe

Executes dropped EXE 2 IoCs
pid | process
3556 | stеamwеbhеlper.exe
2344 | stеamwеbhеlper.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine | stеamwеbhеlper.exe
Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine | 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine | stеamwеbhеlper.exe

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam Client WebHelper = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\90caf8c398e30a5307279c841435a470_JaffaCakes118.exe\"" | 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe

Checks whether UAC is enabled 3 IoCs
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | stеamwеbhеlper.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | stеamwеbhеlper.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
26 | ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
File opened for modification | \??\PhysicalDrive0 | stеamwеbhеlper.exe
File opened for modification | \??\PhysicalDrive0 | stеamwеbhеlper.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid | process
1800 | 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
3556 | stеamwеbhеlper.exe
2344 | stеamwеbhеlper.exe

Drops file in Program Files directory 4 IoCs
description | ioc | process
File created | C:\Program Files (x86)\Steam\st?amw?bh?lper.exe | 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
File created | C:\Program Files (x86)\Steam\stеamwеbhеlper.exe | 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Steam\stеamwеbhеlper.exe | 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Steam\stеamwеbhеlper.exe | stеamwеbhеlper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 1 IoCs
pid | pid_target | process | target process
3852 | 3556 | WerFault.exe | stеamwеbhеlper.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
1456 | schtasks.exe
3100 | schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | process
1800 | 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
1800 | 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
3556 | stеamwеbhеlper.exe
3556 | stеamwеbhеlper.exe
2344 | stеamwеbhеlper.exe
2344 | stеamwеbhеlper.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | process
Token: SeDebugPrivilege | 1800 | 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
Token: SeDebugPrivilege | 3556 | stеamwеbhеlper.exe

Suspicious use of SetWindowsHookEx 1 IoCs
pid | process
3556 | stеamwеbhеlper.exe

Suspicious use of WriteProcessMemory 21 IoCs
description | pid | process | target process
PID 1800 wrote to memory of 1456 | 1800 | 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe | schtasks.exe
PID 1800 wrote to memory of 1456 | 1800 | 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe | schtasks.exe
PID 1800 wrote to memory of 1456 | 1800 | 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe | schtasks.exe
PID 1800 wrote to memory of 3556 | 1800 | 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe | stеamwеbhеlper.exe
PID 1800 wrote to memory of 3556 | 1800 | 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe | stеamwеbhеlper.exe
PID 1800 wrote to memory of 3556 | 1800 | 90caf8c398e30a5307279c841435a470_JaffaCakes118.exe | stеamwеbhеlper.exe
PID 3556 wrote to memory of 3100 | 3556 | stеamwеbhеlper.exe | schtasks.exe
PID 3556 wrote to memory of 3100 | 3556 | stеamwеbhеlper.exe | schtasks.exe
PID 3556 wrote to memory of 3100 | 3556 | stеamwеbhеlper.exe | schtasks.exe
PID 3556 wrote to memory of 4604 | 3556 | stеamwеbhеlper.exe | cmd.exe
PID 3556 wrote to memory of 4604 | 3556 | stеamwеbhеlper.exe | cmd.exe
PID 3556 wrote to memory of 4604 | 3556 | stеamwеbhеlper.exe | cmd.exe
PID 4604 wrote to memory of 2728 | 4604 | cmd.exe | chcp.com
PID 4604 wrote to memory of 2728 | 4604 | cmd.exe | chcp.com
PID 4604 wrote to memory of 2728 | 4604 | cmd.exe | chcp.com
PID 4604 wrote to memory of 3920 | 4604 | cmd.exe | PING.EXE
PID 4604 wrote to memory of 3920 | 4604 | cmd.exe | PING.EXE
PID 4604 wrote to memory of 3920 | 4604 | cmd.exe | PING.EXE
PID 4604 wrote to memory of 2344 | 4604 | cmd.exe | stеamwеbhеlper.exe
PID 4604 wrote to memory of 2344 | 4604 | cmd.exe | stеamwеbhеlper.exe
PID 4604 wrote to memory of 2344 | 4604 | cmd.exe | stеamwеbhеlper.exe
Processes
(bracketed number is the depth in the process tree; indentation follows parent/child relationships)

[1] C:\Users\Admin\AppData\Local\Temp\90caf8c398e30a5307279c841435a470_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\90caf8c398e30a5307279c841435a470_JaffaCakes118.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\schtasks.exe
        command line: "schtasks" /create /tn "Steam Client WebHelper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\90caf8c398e30a5307279c841435a470_JaffaCakes118.exe" /rl HIGHEST /f
        - Creates scheduled task(s)

    [2] C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
        command line: "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Checks computer location settings
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Checks whether UAC is enabled
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\schtasks.exe
            command line: "schtasks" /create /tn "Steam Client WebHelper" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f
            - Creates scheduled task(s)

        [3] C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ENZuawrUvpW5.bat" "
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\chcp.com
                command line: chcp 65001

            [4] C:\Windows\SysWOW64\PING.EXE
                command line: ping -n 10 localhost
                - Runs ping.exe

            [4] C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
                command line: "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
                - Identifies VirtualBox via ACPI registry values (likely anti-VM)
                - Checks BIOS information in registry
                - Executes dropped EXE
                - Identifies Wine through registry keys
                - Checks whether UAC is enabled
                - Writes to the Master Boot Record (MBR)
                - Suspicious use of NtSetInformationThreadHideFromDebugger
                - Suspicious behavior: EnumeratesProcesses

        [3] C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 2228
            - Program crash

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3556 -ip 3556
Network
MITRE ATT&CK Matrix ATT&CK v13

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Pre-OS Boot (1)
    Bootkit (1)
  Scheduled Task/Job (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)

Defense Evasion
  Virtualization/Sandbox Evasion (2)
  Modify Registry (1)
  Pre-OS Boot (1)
    Bootkit (1)
Downloads

C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
  Filesize: 2.4MB
  MD5: 90caf8c398e30a5307279c841435a470
  SHA1: 2f70c084e8a48d54073065f6db1ce9aca42c9532
  SHA256: 459a5f0643c4e76c893adb6b357d735a0a2cce36025e55e57b04d48dd757aa12
  SHA512: db2b377f2f33787614e29c96307deecfd80416e884e59be73f8d92b45c6120e8981e7b175730325b2208ed48343ab245927b7ab438c1ac5ceb2bd77834714eff

C:\ProgramData\mntemp
  Filesize: 16B
  MD5: 8376f07a0f540ab06e155e6b01d4b80d
  SHA1: eea663cb4392cc3251a46e1d4bbb9e853233403b
  SHA256: 2ff5105f8351f4b9993415ace1c01cf54b9757905a2f4c49c46c29b9a9d45d20
  SHA512: 02a8dd597b87485df2e1dd3f7acc73aa4c2da54cfe7ffdb098cddb1340e0b250f99eb3c9b841f102846b60d6f3e88e97bcbca75fdd2a0909befd0da445ec2fb1

C:\Users\Admin\AppData\Local\Temp\ENZuawrUvpW5.bat
  Filesize: 209B
  MD5: 5e8576d7663a3e02c6c14693233c362b
  SHA1: cff866a060060e1983383620f6a076ad836040a4
  SHA256: 8ff98616dcf7f13278ebbebebc47403079ff3d271740f112bb690cdeb103fb4c
  SHA512: ef5404b6311964f2cdf79c8ee61a8212480896b071f91cde4caa3462389c2675bf37b6f84237845635b649bd59fee732b644638f94ba40fa86961a8d4a9feae6

memory/1800-13-0x0000000008F70000-0x0000000008FAC000-memory.dmp
  Filesize: 240KB

memory/1800-0-0x0000000000A60000-0x000000000103C000-memory.dmp
  Filesize: 5.9MB

memory/1800-8-0x0000000007F40000-0x0000000007FA6000-memory.dmp
  Filesize: 408KB

memory/1800-9-0x0000000000A60000-0x000000000103C000-memory.dmp
  Filesize: 5.9MB

memory/1800-11-0x0000000008B50000-0x0000000008B62000-memory.dmp
  Filesize: 72KB

memory/1800-3-0x0000000000A60000-0x000000000103C000-memory.dmp
  Filesize: 5.9MB

memory/1800-5-0x00000000081F0000-0x0000000008794000-memory.dmp
  Filesize: 5.6MB

memory/1800-6-0x0000000007B80000-0x0000000007C12000-memory.dmp
  Filesize: 584KB

memory/1800-4-0x0000000000A60000-0x000000000103C000-memory.dmp
  Filesize: 5.9MB

memory/1800-23-0x0000000000A60000-0x000000000103C000-memory.dmp
  Filesize: 5.9MB

memory/2344-42-0x0000000000080000-0x000000000065C000-memory.dmp
  Filesize: 5.9MB

memory/2344-39-0x0000000000080000-0x000000000065C000-memory.dmp
  Filesize: 5.9MB

memory/2344-38-0x0000000000080000-0x000000000065C000-memory.dmp
  Filesize: 5.9MB

memory/2344-37-0x0000000000080000-0x000000000065C000-memory.dmp
  Filesize: 5.9MB

memory/3556-18-0x0000000000080000-0x000000000065C000-memory.dmp
  Filesize: 5.9MB

memory/3556-34-0x0000000000080000-0x000000000065C000-memory.dmp
  Filesize: 5.9MB

memory/3556-27-0x0000000008830000-0x000000000883A000-memory.dmp
  Filesize: 40KB

memory/3556-24-0x0000000000080000-0x000000000065C000-memory.dmp
  Filesize: 5.9MB

memory/3556-22-0x0000000000080000-0x000000000065C000-memory.dmp
  Filesize: 5.9MB

memory/3556-44-0x0000000000080000-0x000000000065C000-memory.dmp
  Filesize: 5.9MB