Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-01-2025 13:25

General

  • Target

    JaffaCakes118_65682f641bbadc15ac3eec442feb4f41.exe

  • Size

    399KB

  • MD5

    65682f641bbadc15ac3eec442feb4f41

  • SHA1

    5115cdffb6cdae8f475c901514d67556a1c5b797

  • SHA256

    2c7a657dfbea9c247ca711eb7e6e15387e0f4d502342f586689b8de8de3aad5d

  • SHA512

    d63e86b9099f4c43c8b24ba25773d57501318211b0209f2ca9ddda9e3e0803885bfd641314707c1f2ee1d876b15090c1535a7766f2526690aff046f50ff088b4

  • SSDEEP

    12288:hG9b2kkxA7FdnVS/pe9kfM9IWRTB1B/00:h3RAJJM/pRsIWRT9/00

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Criok

C2

ildriendfrirotoi.zapto.org:61790

fruitingsuccess.ignorelist.com:61789

Mutex

QSR_MUTEX_JS7TIscSksvJKrLXxw

Attributes
  • encryption_key

    7RWfQmQNDJPIz1c1QtI1

  • install_name

    Updater.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Update

  • subdirectory

    Windows

Extracted

Family

latentbot

C2

ildriendfrirotoi.zapto.org

Signatures

  • LatentBot

    Modular trojan written in Delphi which has been in the wild since 2013.

  • Latentbot family
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 1 IoCs
  • System Binary Proxy Execution: InstallUtil 1 TTPs 2 IoCs

    Abuses InstallUtil to proxy execution of malicious code.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_65682f641bbadc15ac3eec442feb4f41.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_65682f641bbadc15ac3eec442feb4f41.exe"
    1⤵
    • System Binary Proxy Execution: InstallUtil
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4996
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ROk6Hkfsgr5y.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1388
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1688
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 10 localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1584
        • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
          "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4056

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

    Filesize

    1KB

    MD5

    10eab9c2684febb5327b6976f2047587

    SHA1

    a12ed54146a7f5c4c580416aecb899549712449e

    SHA256

    f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

    SHA512

    7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

    Filesize

    41KB

    MD5

    5d4073b2eb6d217c19f2b22f21bf8d57

    SHA1

    f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

    SHA256

    ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

    SHA512

    9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

  • C:\Users\Admin\AppData\Local\Temp\ROk6Hkfsgr5y.bat

    Filesize

    208B

    MD5

    061732bc2ded34a9d2fc93c33980a4e5

    SHA1

    fc4351fc0e8da71c54c4d098ec568638d0f0b31d

    SHA256

    d94cd30886f9acd9700dee1b1996c2b2dddc6f5724b592cb065bed0b4151d518

    SHA512

    403e3d7f39c15c7a3352555059df2be1dc52f21e84c525a878769b7d1a35c8f3687f84fd5ca1d63b7bf543eadc9d27a6dfbc614873ff6ba98dc5d1881fc53730

  • memory/3020-14-0x0000000074DA0000-0x0000000075550000-memory.dmp

    Filesize

    7.7MB

  • memory/3020-2-0x0000000074DAE000-0x0000000074DAF000-memory.dmp

    Filesize

    4KB

  • memory/3020-5-0x0000000074DA0000-0x0000000075550000-memory.dmp

    Filesize

    7.7MB

  • memory/3020-8-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

    Filesize

    248KB

  • memory/3020-3-0x0000000004AF0000-0x0000000004B56000-memory.dmp

    Filesize

    408KB

  • memory/3020-0-0x0000000074DAE000-0x0000000074DAF000-memory.dmp

    Filesize

    4KB

  • memory/3020-1-0x0000000000130000-0x000000000019A000-memory.dmp

    Filesize

    424KB

  • memory/3020-4-0x0000000074DA0000-0x0000000075550000-memory.dmp

    Filesize

    7.7MB

  • memory/4056-31-0x00000000056B0000-0x00000000056CA000-memory.dmp

    Filesize

    104KB

  • memory/4056-30-0x0000000000F30000-0x0000000000F3C000-memory.dmp

    Filesize

    48KB

  • memory/4996-17-0x0000000005430000-0x00000000054C2000-memory.dmp

    Filesize

    584KB

  • memory/4996-19-0x0000000005540000-0x00000000055A6000-memory.dmp

    Filesize

    408KB

  • memory/4996-20-0x0000000006150000-0x0000000006162000-memory.dmp

    Filesize

    72KB

  • memory/4996-21-0x0000000006690000-0x00000000066CC000-memory.dmp

    Filesize

    240KB

  • memory/4996-26-0x0000000074DA0000-0x0000000075550000-memory.dmp

    Filesize

    7.7MB

  • memory/4996-18-0x0000000074DA0000-0x0000000075550000-memory.dmp

    Filesize

    7.7MB

  • memory/4996-16-0x0000000005900000-0x0000000005EA4000-memory.dmp

    Filesize

    5.6MB

  • memory/4996-15-0x0000000074DA0000-0x0000000075550000-memory.dmp

    Filesize

    7.7MB

  • memory/4996-10-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB