Analysis

max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 26-06-2024 23:23
Behavioral task: behavioral1
Sample: 13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe
Resource: win7-20240419-en
General

Target: 13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe
Size: 358KB
MD5: 13ddb4c563aa5d65f2a9822d50e3b92f
SHA1: 2e1ccddf584175c3bd62ac8d0173fdb6ae73ea10
SHA256: 29b58aa0ac40523e606e3a10258de337d2e76815b279402babc18e2bb410aab9
SHA512: ad7f92b70e64b04c3dde1b9519d88c237c62dd74d6929e17e968ce6a969449fd79caa1dca658294234759d17d9f5545ebf6fec87f5aa0c45b469c7fd27598f96
SSDEEP: 6144:rJqQ4i1FFiEKhtpoidubrUX5v7N/Vyfs5uI:Fpli3poidD5jN/sfs5uI
Malware Config

Extracted

Family: quasar
Version: 1.3.0.0
Botnet/tag: Office04
C2: almammory.hopto.org:1177
Mutex: QSR_MUTEX_uvFpjg4C7Cxl60AUEGAUEGGMUTEOO
encryption_key: WVQm2WP2iovscPfuELDp
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2372-1-0x0000000000C60000-0x0000000000CC0000-memory.dmp   family_quasar
  \Program Files (x86)\SubDir\Client.exe                                        family_quasar
  behavioral1/memory/2716-9-0x0000000000D70000-0x0000000000DD0000-memory.dmp   family_quasar

Executes dropped EXE (2 IoCs)
  pid   process
  2716  Client.exe
  2844  Client.exe

Loads dropped DLL (7 IoCs)
  pid   process
  2372  13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe
  1676  WerFault.exe
  1676  WerFault.exe
  1676  WerFault.exe
  1676  WerFault.exe
  1676  WerFault.exe
  2124  cmd.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  2     ip-api.com

Drops file in Program Files directory (2 IoCs)
  description                   ioc                                        process
  File created                  C:\Program Files (x86)\SubDir\Client.exe   13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\SubDir\Client.exe   13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
  pid   pid_target  process       target process
  1676  2716        WerFault.exe  Client.exe

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   process
  Token: SeDebugPrivilege   2372  13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe
  Token: SeDebugPrivilege   2716  Client.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   process
  2716  Client.exe

Suspicious use of WriteProcessMemory (24 IoCs)
  description                       pid   process                                              target process
  PID 2372 wrote to memory of 2716  2372  13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe   Client.exe
  PID 2372 wrote to memory of 2716  2372  13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe   Client.exe
  PID 2372 wrote to memory of 2716  2372  13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe   Client.exe
  PID 2372 wrote to memory of 2716  2372  13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe   Client.exe
  PID 2716 wrote to memory of 2124  2716  Client.exe                                           cmd.exe
  PID 2716 wrote to memory of 2124  2716  Client.exe                                           cmd.exe
  PID 2716 wrote to memory of 2124  2716  Client.exe                                           cmd.exe
  PID 2716 wrote to memory of 2124  2716  Client.exe                                           cmd.exe
  PID 2716 wrote to memory of 1676  2716  Client.exe                                           WerFault.exe
  PID 2716 wrote to memory of 1676  2716  Client.exe                                           WerFault.exe
  PID 2716 wrote to memory of 1676  2716  Client.exe                                           WerFault.exe
  PID 2716 wrote to memory of 1676  2716  Client.exe                                           WerFault.exe
  PID 2124 wrote to memory of 2576  2124  cmd.exe                                              chcp.com
  PID 2124 wrote to memory of 2576  2124  cmd.exe                                              chcp.com
  PID 2124 wrote to memory of 2576  2124  cmd.exe                                              chcp.com
  PID 2124 wrote to memory of 2576  2124  cmd.exe                                              chcp.com
  PID 2124 wrote to memory of 2552  2124  cmd.exe                                              PING.EXE
  PID 2124 wrote to memory of 2552  2124  cmd.exe                                              PING.EXE
  PID 2124 wrote to memory of 2552  2124  cmd.exe                                              PING.EXE
  PID 2124 wrote to memory of 2552  2124  cmd.exe                                              PING.EXE
  PID 2124 wrote to memory of 2844  2124  cmd.exe                                              Client.exe
  PID 2124 wrote to memory of 2844  2124  cmd.exe                                              Client.exe
  PID 2124 wrote to memory of 2844  2124  cmd.exe                                              Client.exe
  PID 2124 wrote to memory of 2844  2124  cmd.exe                                              Client.exe
Processes

C:\Users\Admin\AppData\Local\Temp\13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\SubDir\Client.exe
      Command line: "C:\Program Files (x86)\SubDir\Client.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\2fOAoehTy86w.bat" "
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\chcp.com
              Command line: chcp 65001

            C:\Windows\SysWOW64\PING.EXE
              Command line: ping -n 10 localhost
              - Runs ping.exe

            C:\Program Files (x86)\SubDir\Client.exe
              Command line: "C:\Program Files (x86)\SubDir\Client.exe"
              - Executes dropped EXE

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 1480
          - Loads dropped DLL
          - Program crash
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Users\Admin\AppData\Local\Temp\2fOAoehTy86w.bat
  Filesize: 199B
  MD5: 9a3a47be9418f105717cb5a8d392e421
  SHA1: 4239eae814777e5b2ba4de3dba0e301b5d3bcd26
  SHA256: cfe244207db25f35a6f097833c4666f5cb22f2215fb6f78e4097589cbc399708
  SHA512: 438b598bce135d5b8966964f4fe08a32cc620672a6569ae5b97b45665c85e99dc49e46136035d5faa3497e25c69fc94fe120d1eae672b9b07011c79e80c93983

\Program Files (x86)\SubDir\Client.exe
  Filesize: 358KB
  MD5: 13ddb4c563aa5d65f2a9822d50e3b92f
  SHA1: 2e1ccddf584175c3bd62ac8d0173fdb6ae73ea10
  SHA256: 29b58aa0ac40523e606e3a10258de337d2e76815b279402babc18e2bb410aab9
  SHA512: ad7f92b70e64b04c3dde1b9519d88c237c62dd74d6929e17e968ce6a969449fd79caa1dca658294234759d17d9f5545ebf6fec87f5aa0c45b469c7fd27598f96

memory/2372-0-0x0000000073FBE000-0x0000000073FBF000-memory.dmp
  Filesize: 4KB

memory/2372-1-0x0000000000C60000-0x0000000000CC0000-memory.dmp
  Filesize: 384KB

memory/2372-2-0x0000000073FB0000-0x000000007469E000-memory.dmp
  Filesize: 6.9MB

memory/2372-12-0x0000000073FB0000-0x000000007469E000-memory.dmp
  Filesize: 6.9MB

memory/2716-9-0x0000000000D70000-0x0000000000DD0000-memory.dmp
  Filesize: 384KB

memory/2716-11-0x0000000073FB0000-0x000000007469E000-memory.dmp
  Filesize: 6.9MB

memory/2716-10-0x0000000073FB0000-0x000000007469E000-memory.dmp
  Filesize: 6.9MB

memory/2716-30-0x0000000073FB0000-0x000000007469E000-memory.dmp
  Filesize: 6.9MB