Overview

overview

10

Static

static

Invoice.jar

windows7_x64

10

Invoice.jar

windows10_x64

10

Analysis

  • max time kernel
    76s
  • max time network
    136s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    31-08-2020 05:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice.jar

  • Size

    511KB

  • MD5

    7e5b34776de19e8b482564a11d3fb699

  • SHA1

    f66ae725fdb2810fa3dbf2d22bced29541d5c077

  • SHA256

    4ecf27cb1628ff8ccf85facded0efd4dcc31c3fb822a23b04b8f44d2b1a2561d

  • SHA512

    e1c1c7e63041b6aff959024246e84e70119c4d7953e1631f981873c07b6ff3bf6527006b637f11f2b5746c96417c1c6272dcb9ec911073bc1cf8fbde4a1201b8

Score
10/10
trojanqarallaxpersistence

Malware Config

Signatures

  • QarallaxRAT

    Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).

    trojanqarallax
  • Qarallax RAT support DLL 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 128 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Views/modifies file attributes 1 TTPs 8 IoCs
    evasion

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\Invoice.jar
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3788
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe
      2⤵
        PID:948
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4092
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:852
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1076
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1476
      • C:\Windows\SYSTEM32\attrib.exe
        attrib +h C:\Users\Admin\Oracle
        2⤵
        • Views/modifies file attributes
        PID:1796
      • C:\Windows\SYSTEM32\attrib.exe
        attrib +h +r +s C:\Users\Admin\.ntusernt.ini
        2⤵
        • Views/modifies file attributes
        PID:2572
      • C:\Windows\SYSTEM32\attrib.exe
        attrib -s -r C:\Users\Admin\gNKCW\Desktop.ini
        2⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:3452
      • C:\Windows\SYSTEM32\attrib.exe
        attrib +s +r C:\Users\Admin\gNKCW\Desktop.ini
        2⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:1004
      • C:\Windows\SYSTEM32\attrib.exe
        attrib -s -r C:\Users\Admin\gNKCW
        2⤵
        • Views/modifies file attributes
        PID:1972
      • C:\Windows\SYSTEM32\attrib.exe
        attrib +s +r C:\Users\Admin\gNKCW
        2⤵
        • Views/modifies file attributes
        PID:1276
      • C:\Windows\SYSTEM32\attrib.exe
        attrib +h C:\Users\Admin\gNKCW
        2⤵
        • Views/modifies file attributes
        PID:904
      • C:\Windows\SYSTEM32\attrib.exe
        attrib +h +s +r C:\Users\Admin\gNKCW\qgTkj.class
        2⤵
        • Views/modifies file attributes
        PID:852
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2352
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
          3⤵
            PID:2840
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
        1⤵
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:3824

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\.ntusernt.ini
        Download Submit

      • C:\Users\Admin\gNKCW\Desktop.ini
        Download Submit

      • C:\Users\Admin\gNKCW\qgTkj.class
        Download Submit

      • \Users\Admin\AppData\Local\Temp\RdTdBwdIih9031915936360174939.xml
        Download Submit

      • memory/852-61-0x0000000000000000-mapping.dmp

        Download

      • memory/852-77-0x0000000000000000-mapping.dmp

        Download

      • memory/904-76-0x0000000000000000-mapping.dmp

        Download

      • memory/948-59-0x0000000000000000-mapping.dmp

        Download

      • memory/1004-73-0x0000000000000000-mapping.dmp

        Download

      • memory/1076-62-0x0000000000000000-mapping.dmp

        Download

      • memory/1276-75-0x0000000000000000-mapping.dmp

        Download

      • memory/1476-63-0x0000000000000000-mapping.dmp

        Download

      • memory/1796-66-0x0000000000000000-mapping.dmp

        Download

      • memory/1972-74-0x0000000000000000-mapping.dmp

        Download

      • memory/2352-81-0x0000000000000000-mapping.dmp

        Download

      • memory/2572-69-0x0000000000000000-mapping.dmp

        Download

      • memory/2840-82-0x0000000000000000-mapping.dmp

        Download

      • memory/3452-72-0x0000000000000000-mapping.dmp

        Download

      • memory/4092-60-0x0000000000000000-mapping.dmp

        Download