General
Target: 28c368d40f35e3461b5d7e7987887da2_JaffaCakes118
Size: 1.3MB
Sample: 240706-tj4d9stgnk
MD5: 28c368d40f35e3461b5d7e7987887da2
SHA1: 24aac6a7faf1f297b36bc95893c2ec15c5603209
SHA256: e0f85570bf59cccc44aeb4aa9346a90939ef2bcbe6dc9be0dc70cfe9098ff0c0
SHA512: f77a7c05e5a2a949268279412fe546ec5ff0b8e040d1b91427fc82582fa1396833153c88b31f459dda8b6c1528022e046004cc351c6d7e1c9eda96424b642cee
SSDEEP: 24576:a53uhFou9ucgL6zN+YEugBMq1dQnkqQ51wEqyseQAeStZfi5Z5mI:a5+hF11lN+7ugB5QkqQ5CEq1VSPK5
Static task: static1
Behavioral task: behavioral1
Sample: 28c368d40f35e3461b5d7e7987887da2_JaffaCakes118.exe
Resource: win7-20240705-en
Malware Config
Extracted
quasar
1.4.0.0
Office
135.181.241.49:111
135.181.241.49:2590
utXr3KhqffAkjVnhUA
encryption_key: as8Kyh7GIWdsKpl9U8A9
install_name: csrss.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: NET framework
subdirectory: SubDir
Targets
Target: 28c368d40f35e3461b5d7e7987887da2_JaffaCakes118
Size: 1.3MB
MD5: 28c368d40f35e3461b5d7e7987887da2
SHA1: 24aac6a7faf1f297b36bc95893c2ec15c5603209
SHA256: e0f85570bf59cccc44aeb4aa9346a90939ef2bcbe6dc9be0dc70cfe9098ff0c0
SHA512: f77a7c05e5a2a949268279412fe546ec5ff0b8e040d1b91427fc82582fa1396833153c88b31f459dda8b6c1528022e046004cc351c6d7e1c9eda96424b642cee
SSDEEP: 24576:a53uhFou9ucgL6zN+YEugBMq1dQnkqQ51wEqyseQAeStZfi5Z5mI:a5+hF11lN+7ugB5QkqQ5CEq1VSPK5
- Quasar payload
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext