Analysis
-
max time kernel
142s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
26-08-2024 03:46
General
-
Target
c23863e0d7186334ca69903c6653ae06_JaffaCakes118.exe
-
Size
606KB
-
MD5
c23863e0d7186334ca69903c6653ae06
-
SHA1
6040256f4dabd5ee5dee6560e04c56f699532db6
-
SHA256
4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72
-
SHA512
b9a7ffaa9a01a488efd29a9f9162c95a8c50f25d2183679f4783ce900319d81f4d375518667959b89bf8df002a869736a2c47bccae3b8ec5844f8f31c2fa7759
-
SSDEEP
12288:HDNN+IaAFB0OLrdd5xSx8G3cK6TsrId6dd4WCWd9nNxtSR9UcN+Pjv:HDr+FqVvL5x4RcKYd83CWd9+UPv
Malware Config
Extracted
quasar
2.1.0.0
hacked
23.105.131.178:7812
VNM_MUTEX_cFzA15c8rYLW8gVTCh
-
encryption_key
VGvtyILUmmcgl2gY0sSm
-
install_name
Windows Security Health Service.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Update
-
subdirectory
SubDir
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c23863e0d7186334ca69903c6653ae06_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c23863e0d7186334ca69903c6653ae06_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c23863e0d7186334ca69903c6653ae06_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c23863e0d7186334ca69903c6653ae06_JaffaCakes118.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\c23863e0d7186334ca69903c6653ae06_JaffaCakes118.exe" /rl HIGHEST /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows Security Health Service.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows Security Health Service.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows Security Health Service.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows Security Health Service.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security Health Service.exe" /rl HIGHEST /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k1Fy3is686ys.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\c23863e0d7186334ca69903c6653ae06_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c23863e0d7186334ca69903c6653ae06_JaffaCakes118.exe"4⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c23863e0d7186334ca69903c6653ae06_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c23863e0d7186334ca69903c6653ae06_JaffaCakes118.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
507B
MD576ffb2f33cb32ade8fc862a67599e9d8
SHA1920cc4ab75b36d2f9f6e979b74db568973c49130
SHA256f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310
SHA512f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
243B
MD58e9089496b14bd44d7d47cc6770e19c0
SHA14d0348c00b5da6d359f52e1cf18c4309b483774a
SHA2567ff346a5015e7bcf39854676169c84cfeb79ccf0a33d724154654380658b8a29
SHA5123389618500e0242e45e15a97a9ae20c213bf0ae6e0fce53f1d84cbcae57a40bf634c77659f9bbe9b260ca68b8eaaa726d543bbe18d328166fe25deae17561ca9
-
Filesize
606KB
MD5c23863e0d7186334ca69903c6653ae06
SHA16040256f4dabd5ee5dee6560e04c56f699532db6
SHA2564e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72
SHA512b9a7ffaa9a01a488efd29a9f9162c95a8c50f25d2183679f4783ce900319d81f4d375518667959b89bf8df002a869736a2c47bccae3b8ec5844f8f31c2fa7759
-
Filesize
40KB
-
Filesize
6.5MB
-
Filesize
600KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
68KB
-
Filesize
40KB
-
Filesize
104KB
-
Filesize
652KB
-
Filesize
120KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
560KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
632KB