Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 04-06-2024 16:24
Behavioral task
- behavioral1
- Sample: 95823524c56268909001597a81a398d5_JaffaCakes118.exe
- Resource: win7-20240419-en
General
- Target: 95823524c56268909001597a81a398d5_JaffaCakes118.exe
- Size: 531KB
- MD5: 95823524c56268909001597a81a398d5
- SHA1: f732527a57d11a9dd57b4b093144c60ffa38a173
- SHA256: b42d3f4823819c1b7119774c52f89e62bfb6fec506e3530e681cf0ce0bc5557d
- SHA512: 75cf3848026d3d1589115471b3bacd96a378c36cc6991c51f292590998a2ed4df58fe0a0139cb34d1d9722a18c5f14af52f7412f57c67275f73062da1747449f
- SSDEEP: 6144:stlrXYao3Rvn9dYQ0kQiwwVoab4UYJI+OWjE:OpXvQ0kQF96Y6+xg
Malware Config
Extracted
- Family: quasar
- Version: 1.3.0.0
- USR
- pv8stresser.xyz:45201
- yzyrfG0e0ojtGuJLLm
- encryption_key: 0PxbjHekumnMpxMDOLOWYxcgvcGzNRtp
- install_name: Client.exe
- log_directory: Mozilla
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir
Signatures
- Quasar payload (1 IoCs)
  Processes:
  resource: behavioral1/memory/2748-1-0x00000000008D0000-0x000000000095C000-memory.dmp, yara_rule: family_quasar
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow 2, ioc: ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  Processes:
  pid 2784 WerFault.exe, target pid 2748 95823524c56268909001597a81a398d5_JaffaCakes118.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  pid 2748 95823524c56268909001597a81a398d5_JaffaCakes118.exe: Token: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
  pid 2748 95823524c56268909001597a81a398d5_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (distinct writer/target pairs):
  PID 2748 (95823524c56268909001597a81a398d5_JaffaCakes118.exe) wrote to memory of 2744 (cmd.exe)
  PID 2748 (95823524c56268909001597a81a398d5_JaffaCakes118.exe) wrote to memory of 2784 (WerFault.exe)
  PID 2744 (cmd.exe) wrote to memory of 2704 (chcp.com)
  PID 2744 (cmd.exe) wrote to memory of 2644 (PING.EXE)
  PID 2744 (cmd.exe) wrote to memory of 1880 (95823524c56268909001597a81a398d5_JaffaCakes118.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Fx0vqMPz7b82.bat" "
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com
      Command line: chcp 65001
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 10 localhost
      - Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe"
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 1432
    - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\Fx0vqMPz7b82.bat
  Filesize: 243B
  MD5: 778195c17b5ba6ca4fdd3ad6baf958f0
  SHA1: 4ff964559b1129a59b1635ec75b21a07d452aec5
  SHA256: 08dd4349a325a7a156809173b0284a2b3ea85e2331c0fa00d5d47b027bc679ec
  SHA512: 562cb368731998b302273cbbb9c3ce5e1dcabc12f978356e3a1bc71a1064198b05377afcf3b3533a50c3f668c271d5b71ac88489cbee207b9d516b5e05243c41
- memory/2748-0-0x000000007403E000-0x000000007403F000-memory.dmp
  Filesize: 4KB
- memory/2748-1-0x00000000008D0000-0x000000000095C000-memory.dmp
  Filesize: 560KB
- memory/2748-2-0x0000000074030000-0x000000007471E000-memory.dmp
  Filesize: 6.9MB
- memory/2748-13-0x000000007403E000-0x000000007403F000-memory.dmp
  Filesize: 4KB
- memory/2748-14-0x0000000074030000-0x000000007471E000-memory.dmp
  Filesize: 6.9MB