Analysis
-
max time kernel
146s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
28-11-2024 20:08
General
-
Target
ad7376353773464755502b50dea5fabd_JaffaCakes118.exe
-
Size
2.6MB
-
MD5
ad7376353773464755502b50dea5fabd
-
SHA1
0d9d5e10885659ec3925db9cfb17cadf20e1293c
-
SHA256
6f3e7496171fc07feb0c1dfecf7d6bb367c15836acb5571b2f9fc4f980db2a32
-
SHA512
036e68309853dd2793bd95246243e85125c12bbb093a6572df8ff35b0ea189b81b44aa25f852432b40e393ede014bb6b7d25ef5df826fe30d642b609e7096afe
-
SSDEEP
49152:UWSaaeEQcNm036hvpmIXUXg2z1qRJKvYG8OlA82MNg9/Et:NSaaeExE0ERUwe1aJKQhuND
Malware Config
Extracted
quasar
1.3.0.0
PC
etoneratnik.ddns.net:28015
localhost:28015
FCK_RAT_1WsrmPyKlRpwcMNdsv
-
encryption_key
hUeALvSVdWkKP5gkYVqc
-
install_name
stеamwеbhеlper.exe
-
log_directory
Logs
-
reconnect_delay
2000
-
startup_key
Steam Client WebHelper (32 бита)
-
subdirectory
Steam
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 48 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 14 IoCs
-
Checks BIOS information in registry 2 TTPs 28 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 13 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 13 IoCs
-
Identifies Wine through registry keys 2 TTPs 14 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Checks whether UAC is enabled 1 TTPs 14 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR) 1 TTPs 14 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
-
Drops file in Program Files directory 16 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 13 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 13 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 13 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of SetWindowsHookEx 13 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad7376353773464755502b50dea5fabd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ad7376353773464755502b50dea5fabd_JaffaCakes118.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\ad7376353773464755502b50dea5fabd_JaffaCakes118.exe" /rl HIGHEST /f2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t7s00mFltKkP.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fh85kjBKEWBV.bat" "5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650016⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O8y2cOtYKP7p.bat" "7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650018⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost8⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f9⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a7hJ9SYdX8cd.bat" "9⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 6500110⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost10⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"10⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f11⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4j4kDYsfm4XS.bat" "11⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 6500112⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost12⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"12⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f13⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zq66JCkwrqGG.bat" "13⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 6500114⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"14⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f15⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYwuA87pS0iC.bat" "15⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 6500116⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost16⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"16⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f17⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a8NF8Lt4IPSN.bat" "17⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 6500118⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost18⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"18⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f19⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9pIvsOiBT2jg.bat" "19⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 6500120⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost20⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"20⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f21⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Nl6QJzComgFo.bat" "21⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 6500122⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost22⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"22⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f23⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2ZomMqwbB1e5.bat" "23⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 6500124⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost24⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"24⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f25⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAZQp1Zfuty8.bat" "25⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500126⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost26⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"26⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f27⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkJ4JBDiclIC.bat" "27⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 6500128⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost28⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 239627⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 238025⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 238823⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 240421⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 240419⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 240417⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 240415⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 240413⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 240411⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 24049⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 24047⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 24085⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 24083⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1432 -ip 14321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3656 -ip 36561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 208 -ip 2081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 960 -ip 9601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 748 -ip 7481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4252 -ip 42521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 208 -ip 2081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5036 -ip 50361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3740 -ip 37401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 548 -ip 5481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4788 -ip 47881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3204 -ip 32041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3340 -ip 33401⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.6MB
MD5ad7376353773464755502b50dea5fabd
SHA10d9d5e10885659ec3925db9cfb17cadf20e1293c
SHA2566f3e7496171fc07feb0c1dfecf7d6bb367c15836acb5571b2f9fc4f980db2a32
SHA512036e68309853dd2793bd95246243e85125c12bbb093a6572df8ff35b0ea189b81b44aa25f852432b40e393ede014bb6b7d25ef5df826fe30d642b609e7096afe
-
Filesize
16B
MD55e8f2c353e1dfd37b50552309f381dec
SHA1c5c8ac1ea59bd7fb9cd2b6fb3b99b79bc0269110
SHA256731b57d61b7b8068204682adcc13f019cbdcccd184be56a806c8094d732d937b
SHA51273edbdf23d7c07902709bd7d8a6181e12caa4675b0194c35f27be917226f8661a90e5e4ecc28b1917e8be8801aac9dba6f278e584a2b3b6e557cb86fd4063672
-
Filesize
209B
MD54e94fe9ba888ad1cf750371e841d70e7
SHA1fcd8ddeb5d0b2a5b4a3b8705a06e9c94018453be
SHA256f6b05deb0987008bbe78cf7ba8c6f11ebe27bf92a69f48a66af4f1df3b5c9937
SHA51298827e44488a58489ec60a8e3e6663ba6059c77bcf4c856306dc33435a5de3877216ea1d432beaffa3081f1293c70e847ec06614e6d088a1a06f024c7fb345c4
-
Filesize
209B
MD52f5da4530a384474c44dc19cee9aa29a
SHA13048c678897d02d3ca8760ff3e5e818ca628ebf4
SHA2567cb5b1e0d25ad92ad8835c3f055c5c2287b019e97e01f14b595df59eb5061332
SHA5120157254259ecc683c421a1db592149b79a321a1a305b84bd5621d05275d45d540bd7d4d61abce2527ddfd904494e6be376f3fde0e2f3f9e0edcb93e1c25ecd9f
-
Filesize
209B
MD52c30873688aa139230f9a0b4eacc6c48
SHA11682f3b1e26ea32078439a36d9004acad843d138
SHA256909ccacd7452736ef24ee1f29690cb293fef5e6376609386f06ac5e174a8a3e3
SHA512f2816afaf9a240d24981eb55fe0b64f2c76c6722c5eb4f92e041297578df3eb431109e33f5ff36ab27d1592926daabbbaec11f6b863120d1feaf49aecc10a7af
-
Filesize
209B
MD5770368c9daec042bd210700b0b4c6de0
SHA1959a0da6d300d9bae18edd8fe93ba185a90a3e19
SHA2568ec376a26903e02d1d3e951bf90ae48711befc9a0796006eb30d6fb9276c45e6
SHA512b38e0ea6b3b4f70e049c4ad39128a6c3bacf12d07731ac8c5f919bfde775003874e5727cdb54c02304f3b0e8730137a9506338c84ea72891ee09dd532f34f2e2
-
Filesize
209B
MD52af40a4dca7cb6368dcec5705704457e
SHA1c47e3c23a47c051847b001e26a4795b60a459009
SHA256302767066c770e9e0011d69bd0b52e23474b186e1dc6dec8123438cdc31d5d92
SHA512e36fa57f8687c2706aa15ef9ee8829bb5349a8bf008cee9dba3784d9672437ad1b834002309c46f803815d23913f6db7ee77ea5a56d08350dff5f834e591d2ae
-
Filesize
209B
MD5faf1815ff9558d7c7f2fe1ffd201785f
SHA1a0e33594707e577ef1720e77a667135543fa015d
SHA256a8d11bd5ec1ce2cc337be40d9670672982406da843fce189fbd6fdf0101f25b6
SHA512b39f3acfdc3caada452f4a67e57dc6c0830a29c4dd5145ba2f3a354aacccc78926c72803e69a9fb85cae8ca25a153b70d918ca152aff2492470461493e794816
-
Filesize
209B
MD5b5e454594ef2d603e19ab815a8fd65e7
SHA17e5f1415184b6ed7ce6abf1acedcd019312c077d
SHA2564646934906e066d66fa3e53a7f4850c92978d5bbc4c7d1d7f8bdd128aef73515
SHA512fbe3bd74538896c586a807e965c00ed97476e307b2c2f25c668c4937519edcd60f0558dd4baef7cb9d81a5196609db8484a5cecbdfe510dd0c1081ce94480f88
-
Filesize
209B
MD5f960c1b86f3a9f553701c865566ada0a
SHA1e495c970a9a9b8af848db0c079adbdc03b136d1b
SHA256d49968db28eb063c895406d69e375d1546f6952ac8c2db62b99e27490279db0f
SHA512723f4132e27c0484176bda778d8d30e63b0caf256c6c11963275d55b0c76c0bc8ab7a670ab817d30e84f0aa825a9b482a545d86c779948f09b57b780cb65ba1f
-
Filesize
209B
MD552ab47982209a9cd688ba2050eb9c503
SHA102e3f8c8af708fae799e9075f63c3b26805cbb00
SHA2563a3f8ca04420e0c2d92805ad20c9fcbc2ba2017147caddca8cbae7879bc8188c
SHA512ceafea5f98c2f355dbc8bfcfeaac89d7ba5b488f40e5156cfb000ee6687b4d89059639d4cec82acb3358cbc44d9646c9333a46998c5a5bda299fe18bb9702687
-
Filesize
209B
MD5d2c8cc818ccabe394a03ad0003da1b89
SHA1789bdafe7d3206188dacf8e6ca0fa6df6ad25102
SHA256e58a0302786b511a64c62474d9236b5bce1484b43baf7adb59931a7ace99a864
SHA5125ae322d46c2d0d22642d3397b0ef163b36bb62ab8a5b49ba412378dc9dcdce3cfad80035a1ea78c75c9554b3174863f6744112b881b80df2171fb4f95bdf44b2
-
Filesize
209B
MD52b189644f3a0badb5fc45e6a617644cf
SHA19e002c4c9d9e6668c48026065b7bd1a13ef435de
SHA256a32ef1ee4b6f6e84ecc64807cec966fbe26fb18f597c193d284f6a24baf3184d
SHA512aba09a2fe72826a2c2df00d199970392a5a1d317c2143a3c5c9637bd8f788a9f9c397b61abd90bd71286fac60f73bf613a855bf1a6940db67867e415960980fc
-
Filesize
209B
MD5fee04babe955655add374df413179d89
SHA1b0199d42770deb611c13a54332b80db999a5c2ab
SHA256237f69c750f506f89e61de9b7a856c21f2afbc13e20fd00ec08a882a64e2f1b4
SHA512c267988a2c1d7fc5fa8cd3fc33a4061b742f5b436573505cc3e4b36e3ced15bf2654c2954fd2325cbe29707403ee6195db85bf5006dbc312495f7d9778cac03f
-
Filesize
209B
MD5905a2e55917efcc78ca34f49482a3295
SHA16a76b5f60aa2790d4c07fbe854aede5f87bc119c
SHA256452b8c9b26a7fa6e80503b244c3f1bead3d2b8fbd2ec5739df186da475a270d1
SHA512d20f381d74dac9fe07b383a5173057e2c29dab72b7820aabc18e7a015920b642797372de8ea2b01094373829e74fbe04b95105a97f2ffdf4f9990fa8bdef9479
-
Filesize
224B
MD5ba43690544291bd373b8030fe6d48ee8
SHA11363c79eb20beb25989ca023cf890b08d8904e27
SHA256ae7559a221fa3df3d6daf039e4918263c49f8c9509e49bea91b598a743e3bb5e
SHA5122170b22688fc0781ca9da9d48f8982879fbeffe848a34ef8f3f2617d616f6215aaf0da3cfdd78c785db01fd1f30547e6a8d3d3ae55154dea757eee1982685e3f
-
Filesize
224B
MD56f0cb75d4989f19b50ec784352a5cf54
SHA189ac0bec40db0eebbbc1db6177b46d7453bed767
SHA25684edce1cd691fdf87e2e3d0ed67cc2a3f3a67471fb94d514bd80bc0536ea032d
SHA512e43c9bbf91d5551eb5239acb9f4e205ab7fe8e5ab74bd0945900a87c6ced5e36aab43f35a55669239dd542802f90520ab60cf0d943f18ad847e08a35172a71fc
-
Filesize
224B
MD5925a83c518e56c2663db6c6b6dd65aae
SHA1cfe0a2254c98ebfaf23890d6c93413efc376ba17
SHA256215e0374d2fc0b6cac48a52a5797db61b7d64e356cf5b4531722f98d471dff13
SHA5121086368eae7adfbdd31654ba36da419cc665eb65e5af823cf069805f0a0eab38e913c78f61061a8f0954ee4b37db84641afc5b64cd657d51cc4a55ed086e352e
-
Filesize
224B
MD5fd3f9db0194e3d522b163bc48c9040bf
SHA1313cbdd3aa97fcbf9ac30ee9dd93e57e8b2ad0cb
SHA25644eae2773826276993e3a3b241aeee932a4d110a3a676b354acdc1fdf53df13d
SHA5129517fcab6b1acd8b6aa094bf70057e1c4b492955aac4c089609312a00e69484c0d23a08a2713f8c221e465761d4c288be03db09099ddd6dff6c7d0e8b6f02e3b
-
Filesize
224B
MD54c3e37f4c67ce7c5972da539765c466b
SHA1b9fb46c540bca26359a02e2db09ef4155b7ea627
SHA256fbdbdc74126ae0c40510d5f325c765a336c92e4121a355c0549d10275833b6fc
SHA5120413babe4c69e4daf5a969943d0e9a808adacb3a7622a6fa8ce98ee7b4c8a0d3cdeacf8db53d09be786a6faefd2cb34f8a332043c754c435ec1d40e1ac25cc6c
-
Filesize
224B
MD5da208f65086713ff1939319bb1392b28
SHA1ad4f6c12605b3d475dc09f90b0d3db1bdf451ad7
SHA2565b77dbb9ecde47fd3dc6e90bdee1e22e87a14043cadf360db518e34a4e1e3915
SHA512b70bceb9163f52f02f5f3305a8e3012accbcaa57c8061c4a10c2087ff07129616d425a43291f22b429a1cc51386c36c0e0ce7c65829ca8aff15434555118ae47
-
Filesize
224B
MD5ca2438847ec2396dad336e9d317233fa
SHA185a5153e995e4ea6fd65721dbbd6b2952e2799e6
SHA256f92e5f0e65a55cbe6c1c8c335e88a22d27ff242e57e3dac5df3e8cfa0403a80e
SHA512499affbed91d654c7262c8eda2caec9614172e76fb10e805a9cb5fbddbd1e222553fad331a0068f2778baa5f4769a116a179283d9b75dab4b90ef8ee0eeef965
-
Filesize
224B
MD5b7a9d2066e7eb011af9ab450ae95c98b
SHA18a77e00dcc2d657cb202bf4858d3aee2f7bc2554
SHA256772a30aab1e32a88d0115ad39ad4bed3fb4f7bceabc4aff817933607e5dfba4b
SHA5125efb54f0c56ffd54e219c859af13399df1dc05c37a08ec1e02b6774c29a9c7c6c24b2393a11a039388280564a8bd7de4860dbe058e30dc2d0b0a0f5634be5dfd
-
Filesize
224B
MD5333e6ac8e487d921dd8438e489c26ada
SHA1b054ce2c5dcb763f215ba951a159c578589ec4de
SHA256d5863b84626d4a50de030374ed9d089467b0677cfc83909783abd7f9c7e0a32a
SHA5121c9268d3e97bac1cb077bbcbaa803d4c177b25729fcb4738270150400ab9e4e31f3ae1c59b175cf2e0183c4704ac6ef6fceff51496cd00cea5f1627e06e37413
-
Filesize
224B
MD59fcf1d5253f75de28c5a0c00ee2a3b3a
SHA194ac2210eb39dfbb9ea074d2be30d0a782bb9564
SHA2561e02762176407264641a953cc795ba5f21249eb2c9ba22689167acbf9b0005a8
SHA512c7ae03069f129d61c25d3da146f1b271f493e58ac2404af2c99406c735438e94abafc4b3866622f0cdc724b3b4c5faee6ccddb4d764fb12913669331c299b874
-
Filesize
224B
MD5907f6069f115c98f2a1769b3862a4252
SHA13fd8b314713485d39f837c05960af26b6617ca3e
SHA25613998d5655de929a6c7d39ecd17f2dc653c57ca30505a87d106fbcf9c6b0fe85
SHA512c9e7beb7126366ddab69e0ac3cd31d6ef2e2b4fe60b85eea2e200267956f629440408d34b2ab39d57b0e27e8e0a4ff82cb4e4947c88a135a45d0b705dae302ce
-
Filesize
224B
MD5875de109ff8f33380868ccb5a6a4faba
SHA1434a9e507650ef4712ff429bb5bbb1905ce3a817
SHA2564d28d5c97c6603a9537f81f37bdd596dcf56bc0c06b355624c062b221dbc18db
SHA512f5b643e5beacc25fdfca9b9573b9445eb38afedccfcc7105bd856e0cf4a342f592470a5ab8201be9e8c6a85ee75ceaebf27bad1a4e4243ebcd74fe31372d1cc3
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
40KB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
72KB
-
Filesize
5.8MB
-
Filesize
240KB
-
Filesize
408KB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB