Analysis
-
max time kernel
10s -
max time network
28s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
11-08-2024 20:21
Errors
General
-
Target
8bd3bff5e679f6b14e42d7b66aa8497f_JaffaCakes118.exe
-
Size
11.7MB
-
MD5
8bd3bff5e679f6b14e42d7b66aa8497f
-
SHA1
76891d257c1a9ba36426b3e834b8eda6c5254ffc
-
SHA256
7f5efb9dbd99c1fca3ebe59c5c38aacb9721d757671aee350a0a2107c41a2df7
-
SHA512
05deb4c1c8fa09c07600dbb79b2ad35c1532f773b7ab28d18c833c8b63d7e076ce2e232bd13a2eb9abd1a2f3d1668d7802d0fa205f619222358d4368fb06a0df
-
SSDEEP
384:rMgQoufci5qP6TseVkeHD9xu+FyVQVhwfPl5SCuZacZ/LsytKY1Q39cYAYAwj7aW:6ro
Malware Config
Extracted
asyncrat
0.5.7B
Katayumi
normal-knife.auto.playit.gg:54950
normal-knife.auto.playit.gg:7707
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
ZxKKE4oK8.exe
-
install_folder
%Temp%
Extracted
quasar
2.1.0.0
Skidy
roasted-flag.auto.playit.gg:51952
VNM_MUTEX_bsVy5mHRmaFZMQOLbI
-
encryption_key
ux20jjbixeS7PecgmZeq
-
install_name
windows.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
windows
-
subdirectory
$windows
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Windows security bypass 2 TTPs 2 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Windows security modification 2 TTPs 11 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 48 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 21 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 6 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8bd3bff5e679f6b14e42d7b66aa8497f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8bd3bff5e679f6b14e42d7b66aa8497f_JaffaCakes118.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Windows security modification
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8bd3bff5e679f6b14e42d7b66aa8497f_JaffaCakes118.exe" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 12⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\8bd3bff5e679f6b14e42d7b66aa8497f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8bd3bff5e679f6b14e42d7b66aa8497f_JaffaCakes118.exe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DD8989123MD.exe"C:\Users\Admin\AppData\Local\Temp\DD8989123MD.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 14⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 15⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\DD8989123MD.exe"C:\Users\Admin\AppData\Local\Temp\DD8989123MD.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 14564⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\K8MN9DA.exe"C:\Users\Admin\AppData\Local\Temp\K8MN9DA.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 14⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 15⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\K8MN9DA.exe"C:\Users\Admin\AppData\Local\Temp\K8MN9DA.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ZxKKE4oK8" /tr '"C:\Users\Admin\AppData\Local\Temp\ZxKKE4oK8.exe"' & exit5⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "ZxKKE4oK8" /tr '"C:\Users\Admin\AppData\Local\Temp\ZxKKE4oK8.exe"'6⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC469.tmp.bat""5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 36⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 14444⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\LunaInjector.exe"C:\Users\Admin\AppData\Roaming\LunaInjector.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AE80.tmp\AE81.tmp\AE82.bat C:\Users\Admin\AppData\Roaming\LunaInjector.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
-
C:\Windows\system32\mode.commode 82,245⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\SHA90123M17.exe"C:\Users\Admin\AppData\Local\Temp\SHA90123M17.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 14⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 15⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\SHA90123M17.exe"C:\Users\Admin\AppData\Local\Temp\SHA90123M17.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\SHA90123M17.exe"C:\Users\Admin\AppData\Local\Temp\SHA90123M17.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\SHA90123M17.exe" /rl HIGHEST /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\$windows\windows.exe"C:\Users\Admin\AppData\Roaming\$windows\windows.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 16⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 17⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Roaming\$windows\windows.exe"C:\Users\Admin\AppData\Roaming\$windows\windows.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$windows\windows.exe" /rl HIGHEST /f7⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\J0CaZgKYp0LF.bat" "7⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 11846⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*6⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 7802⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4912 -ip 49121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2840 -ip 28401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2500 -ip 25001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1752 -ip 17521⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
4Disable or Modify Tools
4Modify Registry
4Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD55e0481f7489586ad6ae78d35e8458859
SHA1626e76ef7c85ea8ac9a73cfb13fbf450a4dfd26d
SHA256d2ebbffea1f8401bcbe56591b9e566fd40a55463464ebf30f24c4be8fd2716ec
SHA512b15301044d3862c07cbe72114c7b9792a2d345312236bac51831a6a6bf4a77acbc047b3dff030cff706d5de194679ee33e283b9c9c38c4e7785a653cc4674b36
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
18KB
MD554fdd32c88e9f0e92ae4d2d2153bdfce
SHA145d6da722ccbdfe1f57b89691ac568fd41b19f21
SHA256339767e9c036a77deb96e697d2e208080692d04eae5c2fc7fb8d425d059e178b
SHA51212b767a4dcd61f76ac7fed7f890cd3f889d67be0df7a2c2508865d88ef0d988023c504113c32206a3ff81924a3ecb3b3861253d67a745d7a7b8c71398b226ab5
-
Filesize
438B
MD5ad81fd823266aabb73a229b8d842720e
SHA109c851304e0626bbf5fd15aa4212e14c9a8294a2
SHA256ad3ce6e067e2210681ffca11d32d91c6be6cc13fca5f9fb7ab7a73e4daa31f00
SHA512201bc9e51c00bbb38e949c06b59adcb32f9a07caeba38fc92db7ec8f9c54e43932fed045982cd4fa56d605f082f44828de7f9ad732777fc7ca86a4ff7f91989e
-
Filesize
545KB
MD59c8b5486b38230c7c1f934c01a895d95
SHA185626e89ca6a0a3838786698ec670d909c5eec5b
SHA256fd8eb30f8c98d4e97459b051f6e14a52e6194e4b431ae1243c8638f08701f5a5
SHA5125555b9c7ccef651f03787f7531eea69023fc7c4aaa2315aba878d490f1a655afbd6347da0721d5e88cad3a956e399d21dfda2f2d2a83afc1c7277f1468a17450
-
Filesize
660KB
MD5cc62fe37de863f616d672eaf6b22b0c3
SHA12aca0fd587e4a998e749162a2a12f40bc49d50e7
SHA256edefa1d69e62fd464ffd2599c369b147edcff115e1f7a0454d9d9b567ce15d1b
SHA5127923d36d4651062684058c817cf2dd19295864e7bc82d33b8120ca3695390d5610cf37731f92f8acbb936df6f72e13c9cb1d64d4b3b13aafd82374bce1a0ac4d
-
Filesize
4.2MB
MD50ca81a3bec58298a318d19bdf208cb99
SHA1cec944263887c4e3ac2956f2a27cbc9be86591d6
SHA256ffe3d6f61150e4a25a4e9549252dc1a505bfd2247f7d3aacec825e1787f089ea
SHA512eda9f6e37ea306e38fa5cdaf5c036782dab19a8dca628af63adb959d75579d014fd17bce5f4e9b5c7c6b24cea2cbaf95fbe849fe93b3e5faa87dbf69bdea1940
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
156B
MD528f6e727622eaa62ec08e3fccc49f69d
SHA1bad3f7ac7f29ed16bf8d56903dafddc7d6071d17
SHA256153ac14d7548f08cfdfdb238c2fbd1fe591262e56ae194f1ed53197aa364f4ec
SHA51285296789155bcb148a72d4b7948a7f97fa49a1f225d63c6bae638f080a6e443685e479a14f3dfdac32487406849c075efa6e669fd97d88c6e43da8e46a9a1de4
-
Filesize
89KB
MD538bece8d537dea0d0bf7603c073aa90c
SHA1fc70b8b4d22b323fe9e886f36620269d6c791eac
SHA256261b67c10cca406ce934032f7e6da36b8408db3fce6df7d7a37dca69703c59cb
SHA512224d70c8f2b8c98456177cd087faa77436c86fbcd4fe36ae410c6d184181b30cbd50718fbfa347b85a0d2d303f273197fd9fea5addb28538eab43d84f527185d
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
560KB
-
Filesize
4.2MB
-
Filesize
632KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
472KB
-
Filesize
48KB
-
Filesize
104KB
-
Filesize
568KB
-
Filesize
72KB
-
Filesize
120KB
-
Filesize
680KB
-
Filesize
1.6MB
-
Filesize
32KB
-
Filesize
3.3MB
-
Filesize
652KB
-
Filesize
304KB
-
Filesize
68KB
-
Filesize
304KB
-
Filesize
80KB
-
Filesize
120KB
-
Filesize
136KB
-
Filesize
40KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
600KB
-
Filesize
104KB
-
Filesize
68KB
-
Filesize
216KB
-
Filesize
56KB
-
Filesize
120KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
652KB
-
Filesize
304KB
-
Filesize
6.2MB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
6.5MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
1.7MB
-
Filesize
624KB
-
Filesize
11.8MB