Overview

overview

10

Static

static

Invoice.jar

windows7_x64

10

Invoice.jar

windows10_x64

10

Analysis

  • max time kernel
    31s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    31-08-2020 05:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice.jar

  • Size

    511KB

  • MD5

    7e5b34776de19e8b482564a11d3fb699

  • SHA1

    f66ae725fdb2810fa3dbf2d22bced29541d5c077

  • SHA256

    4ecf27cb1628ff8ccf85facded0efd4dcc31c3fb822a23b04b8f44d2b1a2561d

  • SHA512

    e1c1c7e63041b6aff959024246e84e70119c4d7953e1631f981873c07b6ff3bf6527006b637f11f2b5746c96417c1c6272dcb9ec911073bc1cf8fbde4a1201b8

Score
10/10
persistencetrojanqarallax

Malware Config

Signatures

  • QarallaxRAT

    Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).

    trojanqarallax
  • Qarallax RAT support DLL 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 120 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Views/modifies file attributes 1 TTPs 8 IoCs
    evasion

Processes

  • C:\Windows\system32\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\Invoice.jar
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:604
    • C:\Windows\system32\cmd.exe
      cmd.exe
      2⤵
        PID:1596
      • C:\Windows\system32\cmd.exe
        cmd.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1592
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1632
      • C:\Windows\system32\cmd.exe
        cmd.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1924
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1920
      • C:\Windows\system32\attrib.exe
        attrib +h C:\Users\Admin\Oracle
        2⤵
        • Views/modifies file attributes
        PID:1992
      • C:\Windows\system32\attrib.exe
        attrib +h +r +s C:\Users\Admin\.ntusernt.ini
        2⤵
        • Views/modifies file attributes
        PID:1944
      • C:\Windows\system32\attrib.exe
        attrib -s -r C:\Users\Admin\gNKCW\Desktop.ini
        2⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:2032
      • C:\Windows\system32\attrib.exe
        attrib +s +r C:\Users\Admin\gNKCW\Desktop.ini
        2⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:1128
      • C:\Windows\system32\attrib.exe
        attrib -s -r C:\Users\Admin\gNKCW
        2⤵
        • Views/modifies file attributes
        PID:1080
      • C:\Windows\system32\attrib.exe
        attrib +s +r C:\Users\Admin\gNKCW
        2⤵
        • Views/modifies file attributes
        PID:428
      • C:\Windows\system32\attrib.exe
        attrib +h C:\Users\Admin\gNKCW
        2⤵
        • Views/modifies file attributes
        PID:1316
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r C:\Users\Admin\gNKCW\qgTkj.class
        2⤵
        • Views/modifies file attributes
        PID:1848
      • C:\Windows\system32\cmd.exe
        cmd.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:804
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
          3⤵
            PID:908

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\.ntusernt.ini
        Download Submit

      • C:\Users\Admin\gNKCW\Desktop.ini
        Download Submit

      • C:\Users\Admin\gNKCW\qgTkj.class
        Download Submit

      • \Users\Admin\AppData\Local\Temp\XdZnVvtcNT4569942217149019813.xml
        Download Submit

      • memory/428-14-0x0000000000000000-mapping.dmp

        Download

      • memory/804-18-0x0000000000000000-mapping.dmp

        Download

      • memory/908-19-0x0000000000000000-mapping.dmp

        Download

      • memory/1080-12-0x0000000000000000-mapping.dmp

        Download

      • memory/1128-11-0x0000000000000000-mapping.dmp

        Download

      • memory/1316-15-0x0000000000000000-mapping.dmp

        Download

      • memory/1592-2-0x0000000000000000-mapping.dmp

        Download

      • memory/1596-1-0x0000000000000000-mapping.dmp

        Download

      • memory/1632-3-0x0000000000000000-mapping.dmp

        Download

      • memory/1848-16-0x0000000000000000-mapping.dmp

        Download

      • memory/1920-5-0x0000000000000000-mapping.dmp

        Download

      • memory/1924-4-0x0000000000000000-mapping.dmp

        Download

      • memory/1944-8-0x0000000000000000-mapping.dmp

        Download

      • memory/1992-6-0x0000000000000000-mapping.dmp

        Download

      • memory/2032-10-0x0000000000000000-mapping.dmp

        Download