Analysis

  • max time kernel
    120s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    30-08-2020 06:36

General

  • Target

    Rechnung.jar

  • Size

    424KB

  • MD5

    03bdde0d47b8c25a13f53f6fbba8b08b

  • SHA1

    0bc4b8ff28f996ddebaa5eede774d23498fbb6e8

  • SHA256

    be9d8b26678dd00c0cfc0cdbd59f5510247fce9379a7213ceaeeef1c0207f27c

  • SHA512

    07a0518aab94e9e812f6e4fa0e96045c43cbddf2c412e3c27b693c9e39ec82ff336d3547825e90be5981ee1fe1f384b721ce8166a4c8630169865a6f465e41aa

Malware Config

Signatures

  • QarallaxRAT

    Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).

  • Qarallax RAT support DLL 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops desktop.ini file(s) 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 120 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Views/modifies file attributes 1 TTPs 8 IoCs

Processes

  • C:\Windows\system32\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\Rechnung.jar
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1124
      • C:\Windows\system32\cmd.exe
        cmd.exe
        2⤵
        PID:1920
      • C:\Windows\system32\cmd.exe
        cmd.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1900
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1904
      • C:\Windows\system32\cmd.exe
        cmd.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1976
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1968
      • C:\Windows\system32\attrib.exe
        attrib +h C:\Users\Admin\Oracle
        2⤵
        • Views/modifies file attributes
        PID:1104
      • C:\Windows\system32\attrib.exe
        attrib +h +r +s C:\Users\Admin\.ntusernt.ini
        2⤵
        • Views/modifies file attributes
        PID:528
      • C:\Windows\system32\attrib.exe
        attrib -s -r C:\Users\Admin\gNKCW\Desktop.ini
        2⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:520
      • C:\Windows\system32\attrib.exe
        attrib +s +r C:\Users\Admin\gNKCW\Desktop.ini
        2⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:1336
      • C:\Windows\system32\attrib.exe
        attrib -s -r C:\Users\Admin\gNKCW
        2⤵
        • Views/modifies file attributes
        PID:860
      • C:\Windows\system32\attrib.exe
        attrib +s +r C:\Users\Admin\gNKCW
        2⤵
        • Views/modifies file attributes
        PID:1176
      • C:\Windows\system32\attrib.exe
        attrib +h C:\Users\Admin\gNKCW
        2⤵
        • Views/modifies file attributes
        PID:776
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r C:\Users\Admin\gNKCW\qgTkj.class
        2⤵
        • Views/modifies file attributes
        PID:332
      • C:\Windows\system32\cmd.exe
        cmd.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:344
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
          3⤵
          PID:624

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\.ntusernt.ini

  • C:\Users\Admin\gNKCW\Desktop.ini

  • C:\Users\Admin\gNKCW\qgTkj.class

  • \Users\Admin\AppData\Local\Temp\jKmLNiqjuv8135730138405363007.xml
