Analysis
max time kernel: 30s
max time network: 149s
platform: windows7_x64
resource: win7v200722
submitted: 31-08-2020 09:16

Static task: static1
Behavioral task: behavioral1
  Sample: Rechnung.jar
  Resource: win7v200722
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: Rechnung.jar
  Resource: win10
  0 signatures, 0 seconds
General
Target: Rechnung.jar
Size: 431KB
MD5: ef2cf24398d222642a2684b6ac8731d7
SHA1: 7d8f0d63a27f59b481803895098bfe3049fa98c4
SHA256: 0d521ebb66bdf9e181c19695526645d3d003281c972591b02f8cbdfaffa94797
SHA512: 33619a6c10ce3d483039918749b8bc2b251f2a8b1e189b110d910829ed70c21bb420e9717a7b391ab63bb2e14d748cf03669354f3fdb002b1965ac75f274163d
Score: 10/10
Malware Config

Signatures

Qarallax RAT support DLL (1 IoC)
  resource | yara_rule
  behavioral1/files/0x0003000000013552-7.dat | qarallax_dll

Loads dropped DLL (1 IoC)
  pid | Process
  1680 | java.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\koNVrQY = "C:\Users\Admin\Oracle\bin\javaw.exe" -jar "C:\Users\Admin\gNKCW\qgTkj.class" | java.exe
  Key created | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run | java.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\koNVrQY = "C:\Users\Admin\Oracle\bin\javaw.exe" -jar "C:\Users\Admin\gNKCW\qgTkj.class" | java.exe
  Key created | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | java.exe

Drops desktop.ini file(s) (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\gNKCW\Desktop.ini | java.exe
  File created | C:\Users\Admin\gNKCW\Desktop.ini | java.exe
  File opened for modification | C:\Users\Admin\gNKCW\Desktop.ini | attrib.exe
  File opened for modification | C:\Users\Admin\gNKCW\Desktop.ini | attrib.exe

Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\System32\fYXfT | java.exe
  File opened for modification | C:\Windows\System32\fYXfT | java.exe
Suspicious use of AdjustPrivilegeToken (120 IoCs)
  description | pid | Process
  Each of the three WMIC.exe processes (PIDs 1684, 1164 and 864) enables the same 20 privileges in its own token, and each does so twice, giving 40 entries per process and 120 in total:
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  (33, 34 and 35 are privilege LUIDs the sandbox did not resolve by name: SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege.) This is the full privilege set of the administrator token the sandbox runs under, and WMIC.exe enables it whenever it starts; the signal here is the parent chain java.exe -> cmd.exe -> WMIC.exe, not the token change itself.
Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  1680 | java.exe

Suspicious use of WriteProcessMemory (45 IoCs)
  Each child launch is recorded three times; the 15 distinct entries are:
  description | pid | Process | procid_target
  PID 1680 wrote to memory of 1636 | 1680 | java.exe | 29
  PID 1680 wrote to memory of 1664 | 1680 | java.exe | 30
  PID 1664 wrote to memory of 1684 | 1664 | cmd.exe | 31
  PID 1680 wrote to memory of 1656 | 1680 | java.exe | 32
  PID 1656 wrote to memory of 1164 | 1656 | cmd.exe | 33
  PID 1680 wrote to memory of 1432 | 1680 | java.exe | 34
  PID 1680 wrote to memory of 1188 | 1680 | java.exe | 35
  PID 1680 wrote to memory of 1412 | 1680 | java.exe | 36
  PID 1680 wrote to memory of 748 | 1680 | java.exe | 37
  PID 1680 wrote to memory of 528 | 1680 | java.exe | 38
  PID 1680 wrote to memory of 428 | 1680 | java.exe | 39
  PID 1680 wrote to memory of 916 | 1680 | java.exe | 40
  PID 1680 wrote to memory of 828 | 1680 | java.exe | 41
  PID 1680 wrote to memory of 1000 | 1680 | java.exe | 42
  PID 1000 wrote to memory of 864 | 1000 | cmd.exe | 43
Views/modifies file attributes (1 TTP, 8 IoCs)
  pid | Process
  1432 | attrib.exe
  1188 | attrib.exe
  1412 | attrib.exe
  748 | attrib.exe
  528 | attrib.exe
  428 | attrib.exe
  916 | attrib.exe
  828 | attrib.exe
Processes

C:\Windows\system32\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\Rechnung.jar
    PID: 1680
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
      cmd.exe
      PID: 1636

  C:\Windows\system32\cmd.exe
      cmd.exe
      PID: 1664
      - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
        PID: 1684
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe
      cmd.exe
      PID: 1656
      - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
        PID: 1164
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\attrib.exe
      attrib +h C:\Users\Admin\Oracle
      PID: 1432
      - Views/modifies file attributes

  C:\Windows\system32\attrib.exe
      attrib +h +r +s C:\Users\Admin\.ntusernt.ini
      PID: 1188
      - Views/modifies file attributes

  C:\Windows\system32\attrib.exe
      attrib -s -r C:\Users\Admin\gNKCW\Desktop.ini
      PID: 1412
      - Drops desktop.ini file(s)
      - Views/modifies file attributes

  C:\Windows\system32\attrib.exe
      attrib +s +r C:\Users\Admin\gNKCW\Desktop.ini
      PID: 748
      - Drops desktop.ini file(s)
      - Views/modifies file attributes

  C:\Windows\system32\attrib.exe
      attrib -s -r C:\Users\Admin\gNKCW
      PID: 528
      - Views/modifies file attributes

  C:\Windows\system32\attrib.exe
      attrib +s +r C:\Users\Admin\gNKCW
      PID: 428
      - Views/modifies file attributes

  C:\Windows\system32\attrib.exe
      attrib +h C:\Users\Admin\gNKCW
      PID: 916
      - Views/modifies file attributes

  C:\Windows\system32\attrib.exe
      attrib +h +s +r C:\Users\Admin\gNKCW\qgTkj.class
      PID: 828
      - Views/modifies file attributes

  C:\Windows\system32\cmd.exe
      cmd.exe
      PID: 1000
      - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe
        wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
        PID: 864
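The behaviour recorded above (a Run/RunOnce value that starts a javaw.exe copied into the profile with a payload renamed to .class, attrib calls that hide the dropped files, and WMIC queries to SecurityCenter2 for the installed antivirus and firewall) maps directly onto host-telemetry rules. The block below is an added example written for this page, not code from the sandbox, the report's author or any vendor rule set. It evaluates four such rules over process-creation and registry-set events constructed to mirror the PIDs, command lines and Run-key value in this report; the event dict layout is an assumed schema rather than a real EDR or Sysmon format, and java.exe's own parent, which the report does not record, is left empty.

```python
"""Detection rules for the behaviour in this report, run over constructed sample
telemetry. Added example, not part of the sandbox report or of any vendor rule set.
The event dict layout (type, pid, image, parent_image, cmdline, key, name, data)
is an assumed schema, not a real EDR or Sysmon format."""
import re
from collections import defaultdict

JAVA, CMD = r"C:\Windows\system32\java.exe", r"C:\Windows\system32\cmd.exe"
WMIC, ATTRIB = r"C:\Windows\System32\Wbem\WMIC.exe", r"C:\Windows\system32\attrib.exe"
RUN_KEY_PATH = (r"\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000"
                r"\Software\Microsoft\Windows\CurrentVersion\Run")
RUN_VALUE = r'"C:\Users\Admin\Oracle\bin\javaw.exe" -jar "C:\Users\Admin\gNKCW\qgTkj.class"'

def proc(pid, parent_image, image, cmdline):
    return {"type": "process", "pid": pid, "parent_image": parent_image,
            "image": image, "cmdline": cmdline}

# Constructed from the report's process tree and Run-key IoCs (same PIDs and
# command lines); java.exe's own parent is not recorded in the report.
EVENTS = [
    proc(1680, "", JAVA, r"java -jar C:\Users\Admin\AppData\Local\Temp\Rechnung.jar"),
    proc(1636, JAVA, CMD, "cmd.exe"),
    proc(1664, JAVA, CMD, "cmd.exe"),
    proc(1684, CMD, WMIC, r"WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"),
    proc(1656, JAVA, CMD, "cmd.exe"),
    proc(1164, CMD, WMIC, r"WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List"),
    proc(1432, JAVA, ATTRIB, r"attrib +h C:\Users\Admin\Oracle"),
    proc(1188, JAVA, ATTRIB, r"attrib +h +r +s C:\Users\Admin\.ntusernt.ini"),
    proc(1412, JAVA, ATTRIB, r"attrib -s -r C:\Users\Admin\gNKCW\Desktop.ini"),
    proc(748, JAVA, ATTRIB, r"attrib +s +r C:\Users\Admin\gNKCW\Desktop.ini"),
    proc(528, JAVA, ATTRIB, r"attrib -s -r C:\Users\Admin\gNKCW"),
    proc(428, JAVA, ATTRIB, r"attrib +s +r C:\Users\Admin\gNKCW"),
    proc(916, JAVA, ATTRIB, r"attrib +h C:\Users\Admin\gNKCW"),
    proc(828, JAVA, ATTRIB, r"attrib +h +s +r C:\Users\Admin\gNKCW\qgTkj.class"),
    proc(1000, JAVA, CMD, "cmd.exe"),
    proc(864, CMD, WMIC, r"wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List"),
    {"type": "registry", "pid": 1680, "key": RUN_KEY_PATH, "name": "koNVrQY", "data": RUN_VALUE},
    {"type": "registry", "pid": 1680, "key": RUN_KEY_PATH + "Once", "name": "koNVrQY", "data": RUN_VALUE},
]

SECURITY_CENTER = re.compile(r"securitycenter2.*?\b((?:antivirus|firewall|antispyware)product)\b", re.I)
JAVA_PARENT = re.compile(r"\\javaw?\.exe$", re.I)
LOLBINS = {"cmd.exe", "attrib.exe", "wmic.exe", "powershell.exe", "reg.exe", "schtasks.exe"}
ATTRIB_SET = re.compile(r"\+[hsr]\b", re.I)
RUN_KEY = re.compile(r"\\currentversion\\(run|runonce)$", re.I)
JAVA_JAR = re.compile(r'"?([^"]*javaw?\.exe)"?\s+-jar\s+"?([^"]+)', re.I)

def basename(path):
    return (path or "").rsplit("\\", 1)[-1].lower()

def security_product_discovery(e):
    """T1518.001: WMIC asks the Security Center which AV/firewall is installed."""
    if e["type"] != "process" or basename(e["image"]) != "wmic.exe":
        return None
    m = SECURITY_CENTER.search(e["cmdline"])
    return "SecurityCenter2 " + m.group(1) if m else None

def java_spawns_lolbin(e):
    """A JVM launching cmd/attrib/WMIC is rare for legitimate desktop Java apps."""
    if e["type"] == "process" and JAVA_PARENT.search(e["parent_image"]) \
            and basename(e["image"]) in LOLBINS:
        return basename(e["image"]) + " launched by Java"
    return None

def attrib_hides_profile_path(e):
    """attrib +h/+s/+r on a path under \\Users\\: hiding dropped files."""
    if e["type"] != "process" or basename(e["image"]) != "attrib.exe":
        return None
    flags = ATTRIB_SET.findall(e["cmdline"])
    return "attrib " + " ".join(flags) if flags and "\\users\\" in e["cmdline"].lower() else None

def run_key_java_loader(e):
    """Run/RunOnce value javaw.exe -jar <payload>: flag a payload that is not a
    .jar, lives in the profile, or is started by a JRE copied into the profile."""
    m = e["type"] == "registry" and RUN_KEY.search(e["key"]) and JAVA_JAR.search(e["data"])
    if not m:
        return None
    launcher, payload = m.group(1).lower(), m.group(2).lower()
    reasons = [msg for cond, msg in (
        (not payload.endswith(".jar"), "payload extension is not .jar"),
        ("\\users\\" in payload, "payload stored under user profile"),
        ("\\users\\" in launcher, "launcher javaw.exe copied into user profile")) if cond]
    return "; ".join(reasons) or None

RULES = [security_product_discovery, java_spawns_lolbin, attrib_hides_profile_path, run_key_java_loader]

def evaluate(events):
    """Return {rule name: [(pid, reason), ...]} for every event a rule fires on."""
    hits = defaultdict(list)
    for e in events:
        for rule in RULES:
            reason = rule(e)
            if reason:
                hits[rule.__name__].append((e["pid"], reason))
    return dict(hits)

if __name__ == "__main__":
    for name, matches in evaluate(EVENTS).items():
        print(name, *("  PID %d: %s" % hit for hit in matches), sep="\n")
```

Run as a script it prints each rule followed by the PIDs it fired on: the two SecurityCenter2 queries (1684 and 1164), the twelve cmd.exe and attrib.exe children of java.exe, the six attrib calls that set +h, +s or +r under C:\Users (the two -s -r calls are skipped on purpose), and both Run-key values, each with all three reasons. The third WMIC query (Win32_PnpSignedDriver, PID 864) does not match the Security Center rule; covering it needs a separate rule keyed on that class, since the report shows the query but not what the sample does with the answer.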