General
-
Target
8bd3bff5e679f6b14e42d7b66aa8497f_JaffaCakes118
-
Size
11.7MB
-
Sample
240811-y5afjazhmg
-
MD5
8bd3bff5e679f6b14e42d7b66aa8497f
-
SHA1
76891d257c1a9ba36426b3e834b8eda6c5254ffc
-
SHA256
7f5efb9dbd99c1fca3ebe59c5c38aacb9721d757671aee350a0a2107c41a2df7
-
SHA512
05deb4c1c8fa09c07600dbb79b2ad35c1532f773b7ab28d18c833c8b63d7e076ce2e232bd13a2eb9abd1a2f3d1668d7802d0fa205f619222358d4368fb06a0df
-
SSDEEP
384:rMgQoufci5qP6TseVkeHD9xu+FyVQVhwfPl5SCuZacZ/LsytKY1Q39cYAYAwj7aW:6ro
Static task
static1
Behavioral task
behavioral1
Sample
8bd3bff5e679f6b14e42d7b66aa8497f_JaffaCakes118.exe
Resource
win7-20240704-en
Malware Config
Extracted
asyncrat
0.5.7B
Katayumi
normal-knife.auto.playit.gg:54950
normal-knife.auto.playit.gg:7707
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
ZxKKE4oK8.exe
-
install_folder
%Temp%
Extracted
quasar
2.1.0.0
Skidy
roasted-flag.auto.playit.gg:51952
VNM_MUTEX_bsVy5mHRmaFZMQOLbI
-
encryption_key
ux20jjbixeS7PecgmZeq
-
install_name
windows.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
windows
-
subdirectory
$windows
Targets
-
-
Target
8bd3bff5e679f6b14e42d7b66aa8497f_JaffaCakes118
-
Size
11.7MB
-
MD5
8bd3bff5e679f6b14e42d7b66aa8497f
-
SHA1
76891d257c1a9ba36426b3e834b8eda6c5254ffc
-
SHA256
7f5efb9dbd99c1fca3ebe59c5c38aacb9721d757671aee350a0a2107c41a2df7
-
SHA512
05deb4c1c8fa09c07600dbb79b2ad35c1532f773b7ab28d18c833c8b63d7e076ce2e232bd13a2eb9abd1a2f3d1668d7802d0fa205f619222358d4368fb06a0df
-
SSDEEP
384:rMgQoufci5qP6TseVkeHD9xu+FyVQVhwfPl5SCuZacZ/LsytKY1Q39cYAYAwj7aW:6ro
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Quasar payload
-
Turns off Windows Defender SpyNet reporting
-
Looks for VirtualBox Guest Additions in registry
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
4Disable or Modify Tools
4Modify Registry
4Virtualization/Sandbox Evasion
2