Overview

overview

10

Static

static

7

JaffaCakes...48.exe

windows7-x64

10

JaffaCakes...48.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448

  • Size

    6.7MB

  • Sample

    241231-neqpqazpdk

  • MD5

    178ea6b2fe4a5d53f40b4c4ef74f7448

  • SHA1

    27581d9ec136e2cc3de4b5f6ed91cbee3ee86108

  • SHA256

    27810441ae1cf22aff376877945394e6430f4e8a0ce907f809880e173a851d35

  • SHA512

    cfce210fb940b4fb4f58946925d81a14d905644a80113194cb75eed087109f9ebb21da3edfaffeee5ecc56105dfd6eef38bbb3dfb897ecbde85624a29ec4e4ed

  • SSDEEP

    196608:sHtgOOkds8GSt6cg53HRVu7vHDpS1IqBRU7kCs2q:sNa8GSQv53xVu7vHhqBa4Cs

Score
10/10
quasarchromeagilenetdiscoveryevasionspywarethemidatrojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Chrome

C2

live.nodenet.ml:8863

Mutex

754ce6d6-f75b-4c6f-964c-3996e749369e

Attributes
  • encryption_key

    8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D

  • install_name

    chrome.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    System

  • subdirectory

    chrome

Targets

    • Target

      JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448

    • Size

      6.7MB

    • MD5

      178ea6b2fe4a5d53f40b4c4ef74f7448

    • SHA1

      27581d9ec136e2cc3de4b5f6ed91cbee3ee86108

    • SHA256

      27810441ae1cf22aff376877945394e6430f4e8a0ce907f809880e173a851d35

    • SHA512

      cfce210fb940b4fb4f58946925d81a14d905644a80113194cb75eed087109f9ebb21da3edfaffeee5ecc56105dfd6eef38bbb3dfb897ecbde85624a29ec4e4ed

    • SSDEEP

      196608:sHtgOOkds8GSt6cg53HRVu7vHDpS1IqBRU7kCs2q:sNa8GSQv53xVu7vHhqBa4Cs

    Score
    10/10
    quasarchromediscoveryevasionspywarethemidatrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks