quasar | ef907fd66d7532ecf1127f0a6c0b67282ff684aa5a20a563d475b146c3e8a064

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Size

1.2MB
MD5

7638784288ea865f0301c5aa5c55f660
SHA1

66a030a6a3e64d425b522bb03f07dfba61e62734
SHA256

ef907fd66d7532ecf1127f0a6c0b67282ff684aa5a20a563d475b146c3e8a064
SHA512

9701ec935dc8b08662d72aed92c355751fbf0fcf0484819675d5d8471ed10dcf6bddc40f6d702b4bba5212cfb2849abd808ab8944815bad3d829935360e676ed
SSDEEP

12288:o69mvoUS5tL67Iq7tQFPaDwQTIdcEimYryWReOTu4u5Z1OEkwM0u0LVmZm/OO56W:wChI8aT0

Score

10^/10

quasar discovery spyware trojan

Malware Config

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
	57	ip-api.com	Process not Found
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
	13	ip-api.com	Process not Found
	46	ip-api.com	Process not Found

Quasar family
quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com
46	ip-api.com
57	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 56 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1108	PING.EXE
4556	PING.EXE
224	PING.EXE
2780	PING.EXE
4972	PING.EXE
4936	PING.EXE
1512	PING.EXE
1084	PING.EXE
4352	PING.EXE
4464	PING.EXE
1176	PING.EXE
1704	PING.EXE
968	PING.EXE
2008	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
1108	PING.EXE
4556	PING.EXE
1176	PING.EXE
1704	PING.EXE
2008	PING.EXE
1084	PING.EXE
4972	PING.EXE
4464	PING.EXE
968	PING.EXE
4352	PING.EXE
4936	PING.EXE
1512	PING.EXE
2780	PING.EXE
224	PING.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	3092	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Token: SeDebugPrivilege	2064	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Token: SeDebugPrivilege	3660	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Token: SeDebugPrivilege	412	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Token: SeDebugPrivilege	4880	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Token: SeDebugPrivilege	2736	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Token: SeDebugPrivilege	3280	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Token: SeDebugPrivilege	3488	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Token: SeDebugPrivilege	4640	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Token: SeDebugPrivilege	852	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Token: SeDebugPrivilege	4004	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Token: SeDebugPrivilege	4084	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Token: SeDebugPrivilege	1424	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Token: SeDebugPrivilege	1560	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 1964	3092	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	83
PID 3092 wrote to memory of 1964	3092	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	83
PID 3092 wrote to memory of 1964	3092	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	83
PID 1964 wrote to memory of 3884	1964	cmd.exe	85
PID 1964 wrote to memory of 3884	1964	cmd.exe	85
PID 1964 wrote to memory of 3884	1964	cmd.exe	85
PID 1964 wrote to memory of 1108	1964	cmd.exe	86
PID 1964 wrote to memory of 1108	1964	cmd.exe	86
PID 1964 wrote to memory of 1108	1964	cmd.exe	86
PID 1964 wrote to memory of 2064	1964	cmd.exe	89
PID 1964 wrote to memory of 2064	1964	cmd.exe	89
PID 1964 wrote to memory of 2064	1964	cmd.exe	89
PID 2064 wrote to memory of 2812	2064	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	91
PID 2064 wrote to memory of 2812	2064	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	91
PID 2064 wrote to memory of 2812	2064	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	91
PID 2812 wrote to memory of 2204	2812	cmd.exe	93
PID 2812 wrote to memory of 2204	2812	cmd.exe	93
PID 2812 wrote to memory of 2204	2812	cmd.exe	93
PID 2812 wrote to memory of 1084	2812	cmd.exe	94
PID 2812 wrote to memory of 1084	2812	cmd.exe	94
PID 2812 wrote to memory of 1084	2812	cmd.exe	94
PID 2812 wrote to memory of 3660	2812	cmd.exe	98
PID 2812 wrote to memory of 3660	2812	cmd.exe	98
PID 2812 wrote to memory of 3660	2812	cmd.exe	98
PID 3660 wrote to memory of 2852	3660	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	99
PID 3660 wrote to memory of 2852	3660	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	99
PID 3660 wrote to memory of 2852	3660	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	99
PID 2852 wrote to memory of 4872	2852	cmd.exe	101
PID 2852 wrote to memory of 4872	2852	cmd.exe	101
PID 2852 wrote to memory of 4872	2852	cmd.exe	101
PID 2852 wrote to memory of 2780	2852	cmd.exe	102
PID 2852 wrote to memory of 2780	2852	cmd.exe	102
PID 2852 wrote to memory of 2780	2852	cmd.exe	102
PID 2852 wrote to memory of 412	2852	cmd.exe	105
PID 2852 wrote to memory of 412	2852	cmd.exe	105
PID 2852 wrote to memory of 412	2852	cmd.exe	105
PID 412 wrote to memory of 3396	412	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	106
PID 412 wrote to memory of 3396	412	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	106
PID 412 wrote to memory of 3396	412	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	106
PID 3396 wrote to memory of 1848	3396	cmd.exe	108
PID 3396 wrote to memory of 1848	3396	cmd.exe	108
PID 3396 wrote to memory of 1848	3396	cmd.exe	108
PID 3396 wrote to memory of 4972	3396	cmd.exe	109
PID 3396 wrote to memory of 4972	3396	cmd.exe	109
PID 3396 wrote to memory of 4972	3396	cmd.exe	109
PID 3396 wrote to memory of 4880	3396	cmd.exe	110
PID 3396 wrote to memory of 4880	3396	cmd.exe	110
PID 3396 wrote to memory of 4880	3396	cmd.exe	110
PID 4880 wrote to memory of 2880	4880	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	111
PID 4880 wrote to memory of 2880	4880	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	111
PID 4880 wrote to memory of 2880	4880	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	111
PID 2880 wrote to memory of 1352	2880	cmd.exe	113
PID 2880 wrote to memory of 1352	2880	cmd.exe	113
PID 2880 wrote to memory of 1352	2880	cmd.exe	113
PID 2880 wrote to memory of 4352	2880	cmd.exe	114
PID 2880 wrote to memory of 4352	2880	cmd.exe	114
PID 2880 wrote to memory of 4352	2880	cmd.exe	114
PID 2880 wrote to memory of 2736	2880	cmd.exe	115
PID 2880 wrote to memory of 2736	2880	cmd.exe	115
PID 2880 wrote to memory of 2736	2880	cmd.exe	115
PID 2736 wrote to memory of 3256	2736	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	116
PID 2736 wrote to memory of 3256	2736	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	116
PID 2736 wrote to memory of 3256	2736	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	116
PID 3256 wrote to memory of 3376	3256	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
1⤵
- Quasar RAT
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lJHtodVRdN4w.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3884
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1108
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uC2FpePA8C8g.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1084
    - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3660
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WE1nW74qubc3.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w7aCKIVDPgbe.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
        9⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UnVt4LLKbJsx.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
        11⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4zZPaamVTu2A.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3376
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
        13⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NY0jYnYkJJnM.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
        15⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FiSd16HJQxop.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
        17⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Kxa9VVsPO1eV.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
        19⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qQrckqRwWltV.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
        21⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r65oZq5CMzBh.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
        23⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W67ZArZREIgO.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
        25⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOyvXtte6iPb.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:980
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
        27⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ps38axbVlGKV.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe.log

Filesize
1KB

MD5
10eab9c2684febb5327b6976f2047587

SHA1
a12ed54146a7f5c4c580416aecb899549712449e

SHA256
f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

SHA512
7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\4zZPaamVTu2A.bat

Filesize
243B

MD5
c27d62fb2761a5f908fd62eafa2f49ae

SHA1
f2d5b79b85d15e0c496d88903231c782ed3f34c1

SHA256
9c00417af999d6896e1a62513431aa225ebab19bf4fc67721d53e018c0f14d03

SHA512
c2bdbdd3fb01c761e8548b23a5046978b5f3d45d13ae4cbd1f018e9e3d681b2f6dbcc0db59506cab24fb883a6565beb6062ccb38a3325b48676cfc0a0387225a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FiSd16HJQxop.bat

Filesize
243B

MD5
a2eb705b4583b843fc819b06e8134302

SHA1
8f55faca521f275a8b9ac3da3a571d95f36faa10

SHA256
2357e6b169d8d8e86c602a6d74c64425a65ec75344ff37d66075159117f29ed9

SHA512
76f5fe6a92472fc6bb61759ba31782b118b67edc9847764c273aa292027bdcc4be31abc561f2160aa5eb023070d3e84fdea7231eb931a5d03ef3c229bf6a28e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kxa9VVsPO1eV.bat

Filesize
243B

MD5
0e1a84469884c0e210a3b3e64de62755

SHA1
016add19a09f7ff3a943d2909a053d5dd0b20820

SHA256
11ccaadec4da2c09197a36f07279088966d0a2e62383391a2cac3fdf71d590f7

SHA512
6859d0e58490342ec83ae2eb8fb8a9b77ac1496b869aab4ea45c5e4c4ac436daead0a1d2bcd1ddbdb58890a40251793107e83617c852b7629dca55fc7e40b3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\NY0jYnYkJJnM.bat

Filesize
243B

MD5
f2ba9c5e0c31d1d59412fc44019e3929

SHA1
c5941200adea4e8eed52e407cc4b9da65599b436

SHA256
fc43417517f4d35cd35c036693b33c4c11cf3f28941e0a8f4c8efad4f3181a86

SHA512
e85d794e61c61803556d167501a3b315d3bf71b7f58032c463b15fdd770d9075dfc91fca2ec55e5aa51f7a9777ff04c03c4f0153e06d9112032367626c657063

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ps38axbVlGKV.bat

Filesize
243B

MD5
16060f9537d7bb17499bdf6a10b6adc5

SHA1
d1780a280f2a968814d36275be2007e3aa476356

SHA256
7539f027486d90b29ffc4493fc3bce60c25c19a3eb8d1a6e993d2b43313d4126

SHA512
c95421fd02a1f374ff5127f2e06e7311b87ac6a49e91a445bbff33eb1c53598d9150b4013317a331300cfab37934434d3d5e57e6afff461de505eec594ee0027

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnVt4LLKbJsx.bat

Filesize
243B

MD5
7a4cb2588890503a533ecd98a103b06a

SHA1
03f9429b9c9ec878e607e738da1074eb47ff3ac1

SHA256
8bb8617cad8fce7529e98aa99aab75a349fedaf7d4ab9ee23b058249fca44dc0

SHA512
0ba417767d10f18de6483be408b4d3dd052a6a60c6a98f7e2121845a89d61b706e6ae9125127f3cc44fcd35c970586c9c963d1268390a5b37584c1f9ec9faffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\W67ZArZREIgO.bat

Filesize
243B

MD5
8bd6179cf2383404b3b7289b04394ca3

SHA1
76b85a6984b4149d24d427552c731e8249eb4149

SHA256
713017970231b12f62c03f16c8c32cadf4437b903fce3333f7c86a54b819d1a5

SHA512
27c55ce1d3a10506724eb49997a35e721e6ea8be8587984f8de404de01f816a71533654f4c6876c76556c938a1b6fb7e1414c4af74d7a5637db853d4159e3bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WE1nW74qubc3.bat

Filesize
243B

MD5
99f1b5099a3c367b8bb3a3911537f72f

SHA1
67b04c4a50731a53e721ebf3cbb8e9ee1dc15352

SHA256
d828ef0518d4efc23f4fa4798b40effe454cd02a67012c8c6f4a8afe2033e64c

SHA512
f81e9a43c331f6b32222b75a620cf5dce1d3606dfbb077c425fef83ad1fc40806f3a564265032c292ce9c217e82f3dca3f9c99dda50e68eb0788c9d856f58f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lJHtodVRdN4w.bat

Filesize
243B

MD5
49fb15bd1c0f749b55fd36f5f69762e6

SHA1
7d78a0335c83db7602fabead11764c357bd062db

SHA256
2dce71431adbe48602b03d4664fff55d8ccc2f2ee8347e6f26e700b1f23a4047

SHA512
45bc790141330421d4210ffbde5c85f3a450a3fa7aee85f5bfa159d55075346d7ed8c5ee5fce12b1aee2e0efc5dff855197c7a3961df1b43e5609940a3192721

Download Submit
C:\Users\Admin\AppData\Local\Temp\pOyvXtte6iPb.bat

Filesize
243B

MD5
cd22fb4e80022ee5b58d89fa9070079d

SHA1
8bd25de47c72b9b087530691e3eb64809a24f6eb

SHA256
e7d522bb00bb5e07016f8b5938cd8ce10dd6672d4abfae285ef4fd4109965b26

SHA512
d162fac73c34d98af0f6316f1fecde4d7474731aa04cefebae5e7e533c670be00f2058cc195109c80eba870845b0fd8b34a85dc1944c1767639ac4aadfbe19bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQrckqRwWltV.bat

Filesize
243B

MD5
a74f4d799369b0c0f0efcea545fa71aa

SHA1
94b54c0bcda56b5ef731b7571d1d2e1adb5189d7

SHA256
fdaa51b83f7e68ef49908964c6cdad63db4f68c1ac32164dd61c5fdd2dfa80c0

SHA512
8731f12a9ab2eb1c818de329cd6040959497dec1858ac6ca81fd4700f93b1babe52b0681a043bafbc36775c00990d462f4a3e2a423b8ce7c2d0a6fea3ff577f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\r65oZq5CMzBh.bat

Filesize
243B

MD5
b6aed8e1b82b0b486842b1be9b6d903c

SHA1
2ac704195982d94dde7e99efb033ccd1c1f09403

SHA256
9f5cc6fcbf4b8bdfa204df08a1959b5b98586425c67818b4764e5246bc93a6c6

SHA512
884758fb536016a1edbe2dea46bad8cef1d45ea7736a745e7a94442b611c09f859e260f502b1bf865ed9d58b63179393fdc8c0cfbb6c4e3701fb6b9c3e3dc260

Download Submit
C:\Users\Admin\AppData\Local\Temp\uC2FpePA8C8g.bat

Filesize
243B

MD5
c039219dfabbf25b2432af8e61b73c8b

SHA1
e0dec32bc075bcab2f359382941f9a70e1fb1e2c

SHA256
7737db795c2433797236780c9b6114d5b8383249244cd41222949eba0fa725cb

SHA512
0764aba84330a52c89a7ffa4f06a4d2c111392f7e62867da2201596789ef55f6b4b5cf060cb76bc05479167fda9912d1a9b02c9433ebf2116c6c42808b17c16b

Download Submit
C:\Users\Admin\AppData\Local\Temp\w7aCKIVDPgbe.bat

Filesize
243B

MD5
29acbc756b7a872b73a39168b4f0651d

SHA1
346de72b00fec4890d1c5295df4b12d555f7ea4c

SHA256
d80a754c925b4d4f9b978fc1501b8ef61dad633805fb1edbd1bae47362950309

SHA512
149b20c3c8300e5c4b8e24eb775919cc4a6f806ebda0bf2306c8b41b9893626941dc044188cfa548f66934106e7dedae2aa9bcc22e286418e6ebb0507b84ca81

Download Submit
memory/2064-21-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/2064-17-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/2064-16-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/3092-0-0x00000000746EE000-0x00000000746EF000-memory.dmp

Filesize
4KB

Download
memory/3092-14-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/3092-8-0x000000000B6A0000-0x000000000B6DC000-memory.dmp

Filesize
240KB

Download
memory/3092-7-0x000000000B160000-0x000000000B172000-memory.dmp

Filesize
72KB

Download
memory/3092-6-0x000000000A480000-0x000000000A4E6000-memory.dmp

Filesize
408KB

Download
memory/3092-5-0x000000000A520000-0x000000000A5B2000-memory.dmp

Filesize
584KB

Download
memory/3092-4-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/3092-3-0x000000000A8B0000-0x000000000AE54000-memory.dmp

Filesize
5.6MB

Download
memory/3092-2-0x0000000000EC0000-0x0000000000EC6000-memory.dmp

Filesize
24KB

Download
memory/3092-1-0x00000000002A0000-0x00000000003E0000-memory.dmp

Filesize
1.2MB

Download