qarallax | 4ecf27cb1628ff8ccf85facded0efd4dcc31c3fb822a23b04b8f44d2b1a2561d

Analysis

max time kernel
76s
max time network
136s
platform
windows10_x64
resource
win10
submitted
31-08-2020 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Invoice.jar
Size

511KB
MD5

7e5b34776de19e8b482564a11d3fb699
SHA1

f66ae725fdb2810fa3dbf2d22bced29541d5c077
SHA256

4ecf27cb1628ff8ccf85facded0efd4dcc31c3fb822a23b04b8f44d2b1a2561d
SHA512

e1c1c7e63041b6aff959024246e84e70119c4d7953e1631f981873c07b6ff3bf6527006b637f11f2b5746c96417c1c6272dcb9ec911073bc1cf8fbde4a1201b8

Score

10^/10

trojan qarallax persistence

Malware Config

Signatures

QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ae5d-68.dat	qarallax_dll

Loads dropped DLL 1 IoCs

pid	Process
3788	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\koNVrQY = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\gNKCW\\qgTkj.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\koNVrQY = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\gNKCW\\qgTkj.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\gNKCW\Desktop.ini	java.exe
File created	C:\Users\Admin\gNKCW\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\gNKCW\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\gNKCW\Desktop.ini	attrib.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\ONvaG	java.exe
File opened for modification	C:\Windows\System32\ONvaG	java.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat	svchost.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 97b886ce5a7fd601	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"	svchost.exe

Suspicious use of AdjustPrivilegeToken 128 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3824	svchost.exe
Token: SeCreatePagefilePrivilege	3824	svchost.exe
Token: SeIncreaseQuotaPrivilege	852	WMIC.exe
Token: SeSecurityPrivilege	852	WMIC.exe
Token: SeTakeOwnershipPrivilege	852	WMIC.exe
Token: SeLoadDriverPrivilege	852	WMIC.exe
Token: SeSystemProfilePrivilege	852	WMIC.exe
Token: SeSystemtimePrivilege	852	WMIC.exe
Token: SeProfSingleProcessPrivilege	852	WMIC.exe
Token: SeIncBasePriorityPrivilege	852	WMIC.exe
Token: SeCreatePagefilePrivilege	852	WMIC.exe
Token: SeBackupPrivilege	852	WMIC.exe
Token: SeRestorePrivilege	852	WMIC.exe
Token: SeShutdownPrivilege	852	WMIC.exe
Token: SeDebugPrivilege	852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	852	WMIC.exe
Token: SeRemoteShutdownPrivilege	852	WMIC.exe
Token: SeUndockPrivilege	852	WMIC.exe
Token: SeManageVolumePrivilege	852	WMIC.exe
Token: 33	852	WMIC.exe
Token: 34	852	WMIC.exe
Token: 35	852	WMIC.exe
Token: 36	852	WMIC.exe
Token: SeIncreaseQuotaPrivilege	852	WMIC.exe
Token: SeSecurityPrivilege	852	WMIC.exe
Token: SeTakeOwnershipPrivilege	852	WMIC.exe
Token: SeLoadDriverPrivilege	852	WMIC.exe
Token: SeSystemProfilePrivilege	852	WMIC.exe
Token: SeSystemtimePrivilege	852	WMIC.exe
Token: SeProfSingleProcessPrivilege	852	WMIC.exe
Token: SeIncBasePriorityPrivilege	852	WMIC.exe
Token: SeCreatePagefilePrivilege	852	WMIC.exe
Token: SeBackupPrivilege	852	WMIC.exe
Token: SeRestorePrivilege	852	WMIC.exe
Token: SeShutdownPrivilege	852	WMIC.exe
Token: SeDebugPrivilege	852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	852	WMIC.exe
Token: SeRemoteShutdownPrivilege	852	WMIC.exe
Token: SeUndockPrivilege	852	WMIC.exe
Token: SeManageVolumePrivilege	852	WMIC.exe
Token: 33	852	WMIC.exe
Token: 34	852	WMIC.exe
Token: 35	852	WMIC.exe
Token: 36	852	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1476	WMIC.exe
Token: SeSecurityPrivilege	1476	WMIC.exe
Token: SeTakeOwnershipPrivilege	1476	WMIC.exe
Token: SeLoadDriverPrivilege	1476	WMIC.exe
Token: SeSystemProfilePrivilege	1476	WMIC.exe
Token: SeSystemtimePrivilege	1476	WMIC.exe
Token: SeProfSingleProcessPrivilege	1476	WMIC.exe
Token: SeIncBasePriorityPrivilege	1476	WMIC.exe
Token: SeCreatePagefilePrivilege	1476	WMIC.exe
Token: SeBackupPrivilege	1476	WMIC.exe
Token: SeRestorePrivilege	1476	WMIC.exe
Token: SeShutdownPrivilege	1476	WMIC.exe
Token: SeDebugPrivilege	1476	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1476	WMIC.exe
Token: SeRemoteShutdownPrivilege	1476	WMIC.exe
Token: SeUndockPrivilege	1476	WMIC.exe
Token: SeManageVolumePrivilege	1476	WMIC.exe
Token: 33	1476	WMIC.exe
Token: 34	1476	WMIC.exe
Token: 35	1476	WMIC.exe
Token: 36	1476	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1476	WMIC.exe
Token: SeSecurityPrivilege	1476	WMIC.exe
Token: SeTakeOwnershipPrivilege	1476	WMIC.exe
Token: SeLoadDriverPrivilege	1476	WMIC.exe
Token: SeSystemProfilePrivilege	1476	WMIC.exe
Token: SeSystemtimePrivilege	1476	WMIC.exe
Token: SeProfSingleProcessPrivilege	1476	WMIC.exe
Token: SeIncBasePriorityPrivilege	1476	WMIC.exe
Token: SeCreatePagefilePrivilege	1476	WMIC.exe
Token: SeBackupPrivilege	1476	WMIC.exe
Token: SeRestorePrivilege	1476	WMIC.exe
Token: SeShutdownPrivilege	1476	WMIC.exe
Token: SeDebugPrivilege	1476	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1476	WMIC.exe
Token: SeRemoteShutdownPrivilege	1476	WMIC.exe
Token: SeUndockPrivilege	1476	WMIC.exe
Token: SeManageVolumePrivilege	1476	WMIC.exe
Token: 33	1476	WMIC.exe
Token: 34	1476	WMIC.exe
Token: 35	1476	WMIC.exe
Token: 36	1476	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2840	WMIC.exe
Token: SeSecurityPrivilege	2840	WMIC.exe
Token: SeTakeOwnershipPrivilege	2840	WMIC.exe
Token: SeLoadDriverPrivilege	2840	WMIC.exe
Token: SeSystemProfilePrivilege	2840	WMIC.exe
Token: SeSystemtimePrivilege	2840	WMIC.exe
Token: SeProfSingleProcessPrivilege	2840	WMIC.exe
Token: SeIncBasePriorityPrivilege	2840	WMIC.exe
Token: SeCreatePagefilePrivilege	2840	WMIC.exe
Token: SeBackupPrivilege	2840	WMIC.exe
Token: SeRestorePrivilege	2840	WMIC.exe
Token: SeShutdownPrivilege	2840	WMIC.exe
Token: SeDebugPrivilege	2840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2840	WMIC.exe
Token: SeRemoteShutdownPrivilege	2840	WMIC.exe
Token: SeUndockPrivilege	2840	WMIC.exe
Token: SeManageVolumePrivilege	2840	WMIC.exe
Token: 33	2840	WMIC.exe
Token: 34	2840	WMIC.exe
Token: 35	2840	WMIC.exe
Token: 36	2840	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2840	WMIC.exe
Token: SeSecurityPrivilege	2840	WMIC.exe
Token: SeTakeOwnershipPrivilege	2840	WMIC.exe
Token: SeLoadDriverPrivilege	2840	WMIC.exe
Token: SeSystemProfilePrivilege	2840	WMIC.exe
Token: SeSystemtimePrivilege	2840	WMIC.exe
Token: SeProfSingleProcessPrivilege	2840	WMIC.exe
Token: SeIncBasePriorityPrivilege	2840	WMIC.exe
Token: SeCreatePagefilePrivilege	2840	WMIC.exe
Token: SeBackupPrivilege	2840	WMIC.exe
Token: SeRestorePrivilege	2840	WMIC.exe
Token: SeShutdownPrivilege	2840	WMIC.exe
Token: SeDebugPrivilege	2840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2840	WMIC.exe
Token: SeRemoteShutdownPrivilege	2840	WMIC.exe
Token: SeUndockPrivilege	2840	WMIC.exe
Token: SeManageVolumePrivilege	2840	WMIC.exe
Token: 33	2840	WMIC.exe
Token: 34	2840	WMIC.exe
Token: 35	2840	WMIC.exe
Token: 36	2840	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3788	java.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 948	3788	java.exe	77
PID 3788 wrote to memory of 948	3788	java.exe	77
PID 3788 wrote to memory of 4092	3788	java.exe	79
PID 3788 wrote to memory of 4092	3788	java.exe	79
PID 4092 wrote to memory of 852	4092	cmd.exe	81
PID 4092 wrote to memory of 852	4092	cmd.exe	81
PID 3788 wrote to memory of 1076	3788	java.exe	82
PID 3788 wrote to memory of 1076	3788	java.exe	82
PID 1076 wrote to memory of 1476	1076	cmd.exe	84
PID 1076 wrote to memory of 1476	1076	cmd.exe	84
PID 3788 wrote to memory of 1796	3788	java.exe	85
PID 3788 wrote to memory of 1796	3788	java.exe	85
PID 3788 wrote to memory of 2572	3788	java.exe	87
PID 3788 wrote to memory of 2572	3788	java.exe	87
PID 3788 wrote to memory of 3452	3788	java.exe	89
PID 3788 wrote to memory of 3452	3788	java.exe	89
PID 3788 wrote to memory of 1004	3788	java.exe	90
PID 3788 wrote to memory of 1004	3788	java.exe	90
PID 3788 wrote to memory of 1972	3788	java.exe	92
PID 3788 wrote to memory of 1972	3788	java.exe	92
PID 3788 wrote to memory of 1276	3788	java.exe	94
PID 3788 wrote to memory of 1276	3788	java.exe	94
PID 3788 wrote to memory of 904	3788	java.exe	96
PID 3788 wrote to memory of 904	3788	java.exe	96
PID 3788 wrote to memory of 852	3788	java.exe	98
PID 3788 wrote to memory of 852	3788	java.exe	98
PID 3788 wrote to memory of 2352	3788	java.exe	101
PID 3788 wrote to memory of 2352	3788	java.exe	101
PID 2352 wrote to memory of 2840	2352	cmd.exe	103
PID 2352 wrote to memory of 2840	2352	cmd.exe	103

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
904	attrib.exe
852	attrib.exe
1796	attrib.exe
2572	attrib.exe
3452	attrib.exe
1004	attrib.exe
1972	attrib.exe
1276	attrib.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Invoice.jar
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:948
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:852
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1476
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:1796
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:2572
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\gNKCW\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:3452
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\gNKCW\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:1004
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\gNKCW
  2⤵
  - Views/modifies file attributes
  PID:1972
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\gNKCW
  2⤵
  - Views/modifies file attributes
  PID:1276
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\gNKCW
  2⤵
  - Views/modifies file attributes
  PID:904
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +s +r C:\Users\Admin\gNKCW\qgTkj.class
  2⤵
  - Views/modifies file attributes
  PID:852
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
    3⤵
    PID:2840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads