Analysis
max time kernel: 120s
max time network: 145s
platform: windows7_x64
resource: win7
submitted: 30-08-2020 06:36
Static task: static1
Behavioral task: behavioral1
  Sample: Rechnung.jar
  Resource: win7
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: Rechnung.jar
  Resource: win10v200722
  0 signatures, 0 seconds
General
Target: Rechnung.jar
Size: 424KB
MD5: 03bdde0d47b8c25a13f53f6fbba8b08b
SHA1: 0bc4b8ff28f996ddebaa5eede774d23498fbb6e8
SHA256: be9d8b26678dd00c0cfc0cdbd59f5510247fce9379a7213ceaeeef1c0207f27c
SHA512: 07a0518aab94e9e812f6e4fa0e96045c43cbddf2c412e3c27b693c9e39ec82ff336d3547825e90be5981ee1fe1f384b721ce8166a4c8630169865a6f465e41aa
Score: 10/10
Malware Config
Signatures
Qarallax RAT support DLL (1 IoC)
  resource | yara_rule
  behavioral1/files/0x000300000001351e-7.dat | qarallax_dll
Loads dropped DLL (1 IoC)
  pid | Process
  1124 | java.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | java.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\koNVrQY = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\gNKCW\\qgTkj.class\"" | java.exe
  Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run | java.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\koNVrQY = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\gNKCW\\qgTkj.class\"" | java.exe
Drops desktop.ini file(s) (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\gNKCW\Desktop.ini | java.exe
  File created | C:\Users\Admin\gNKCW\Desktop.ini | java.exe
  File opened for modification | C:\Users\Admin\gNKCW\Desktop.ini | attrib.exe
  File opened for modification | C:\Users\Admin\gNKCW\Desktop.ini | attrib.exe
Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\System32\KYmxr | java.exe
  File opened for modification | C:\Windows\System32\KYmxr | java.exe
Suspicious use of AdjustPrivilegeToken (120 IoCs)
  pid | Process
  1904 | WMIC.exe
  1968 | WMIC.exe
  624 | WMIC.exe
  Each of these three processes adjusted the 20 tokens below, and the full sequence is logged twice per process (3 x 2 x 20 = 120 entries):
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: 33
  Token: 34
  Token: 35
Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  1124 | java.exe
Suspicious use of WriteProcessMemory (45 IoCs)
  description | pid | Process | procid_target
  Each row below is logged three times in the report (15 x 3 = 45 entries).
  PID 1124 wrote to memory of 1920 | 1124 | java.exe | 29
  PID 1124 wrote to memory of 1900 | 1124 | java.exe | 30
  PID 1900 wrote to memory of 1904 | 1900 | cmd.exe | 31
  PID 1124 wrote to memory of 1976 | 1124 | java.exe | 32
  PID 1976 wrote to memory of 1968 | 1976 | cmd.exe | 33
  PID 1124 wrote to memory of 1104 | 1124 | java.exe | 34
  PID 1124 wrote to memory of 528 | 1124 | java.exe | 35
  PID 1124 wrote to memory of 520 | 1124 | java.exe | 36
  PID 1124 wrote to memory of 1336 | 1124 | java.exe | 37
  PID 1124 wrote to memory of 860 | 1124 | java.exe | 38
  PID 1124 wrote to memory of 1176 | 1124 | java.exe | 39
  PID 1124 wrote to memory of 776 | 1124 | java.exe | 40
  PID 1124 wrote to memory of 332 | 1124 | java.exe | 41
  PID 1124 wrote to memory of 344 | 1124 | java.exe | 42
  PID 344 wrote to memory of 624 | 344 | cmd.exe | 43
Views/modifies file attributes (1 TTP, 8 IoCs)
  pid | Process
  332 | attrib.exe
  1104 | attrib.exe
  528 | attrib.exe
  520 | attrib.exe
  1336 | attrib.exe
  860 | attrib.exe
  1176 | attrib.exe
  776 | attrib.exe
Processes
C:\Windows\system32\java.exe (PID 1124)
  command: java -jar C:\Users\Admin\AppData\Local\Temp\Rechnung.jar
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe (PID 1920)
    command: cmd.exe
  C:\Windows\system32\cmd.exe (PID 1900)
    command: cmd.exe
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\Wbem\WMIC.exe (PID 1904)
      command: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe (PID 1976)
    command: cmd.exe
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\Wbem\WMIC.exe (PID 1968)
      command: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\attrib.exe (PID 1104)
    command: attrib +h C:\Users\Admin\Oracle
    - Views/modifies file attributes
  C:\Windows\system32\attrib.exe (PID 528)
    command: attrib +h +r +s C:\Users\Admin\.ntusernt.ini
    - Views/modifies file attributes
  C:\Windows\system32\attrib.exe (PID 520)
    command: attrib -s -r C:\Users\Admin\gNKCW\Desktop.ini
    - Drops desktop.ini file(s)
    - Views/modifies file attributes
  C:\Windows\system32\attrib.exe (PID 1336)
    command: attrib +s +r C:\Users\Admin\gNKCW\Desktop.ini
    - Drops desktop.ini file(s)
    - Views/modifies file attributes
  C:\Windows\system32\attrib.exe (PID 860)
    command: attrib -s -r C:\Users\Admin\gNKCW
    - Views/modifies file attributes
  C:\Windows\system32\attrib.exe (PID 1176)
    command: attrib +s +r C:\Users\Admin\gNKCW
    - Views/modifies file attributes
  C:\Windows\system32\attrib.exe (PID 776)
    command: attrib +h C:\Users\Admin\gNKCW
    - Views/modifies file attributes
  C:\Windows\system32\attrib.exe (PID 332)
    command: attrib +h +s +r C:\Users\Admin\gNKCW\qgTkj.class
    - Views/modifies file attributes
  C:\Windows\system32\cmd.exe (PID 344)
    command: cmd.exe
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\Wbem\WMIC.exe (PID 624)
      command: wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List