Overview

overview

10

Static

static

3

1b465c6989...18.exe

windows7-x64

10

1b465c6989...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    29-03-2024 06:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1b465c6989637df1d5c511919c43e457_JaffaCakes118.exe

  • Size

    861KB

  • MD5

    1b465c6989637df1d5c511919c43e457

  • SHA1

    317f8bf5133176cd0f4125c6f2f0fdfc226754ab

  • SHA256

    0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095

  • SHA512

    e9dfd465ee22ebf67a73fdd873440d73f013b064e2a4aff3aedad2c5bd1b3027284af7912a383ad6c0a91ef8caad2b3c69cdfd29edb638563d89fd7e89e114dc

  • SSDEEP

    24576:nc6zD+4oOZ34MRxbnCiZXsqK+eHTesb/hyDVeb:5D+NOZoax7CSX/g

Score
10/10
quasarvenomratoffice04evasionratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

grace.adds-only.xyz:1609

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes
  • encryption_key

    wHq4o3k6UfKZv19jkcxs

  • install_name

    winrara.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 5 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 5 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b465c6989637df1d5c511919c43e457_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1b465c6989637df1d5c511919c43e457_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1b465c6989637df1d5c511919c43e457_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2588
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kCCzCqEnSxl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp42CA.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2440
    • C:\Users\Admin\AppData\Local\Temp\1b465c6989637df1d5c511919c43e457_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\1b465c6989637df1d5c511919c43e457_JaffaCakes118.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Loads dropped DLL
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1588
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2180
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kCCzCqEnSxl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEF8D.tmp"
          4⤵
          • Creates scheduled task(s)
          PID:2484
        • C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1756
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\fBcmN8uovi3r.bat" "
            5⤵
              PID:2744
              • C:\Windows\SysWOW64\chcp.com
                chcp 65001
                6⤵
                  PID:2456
                • C:\Windows\SysWOW64\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • Runs ping.exe
                  PID:2880
                • C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2556
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 1488
                5⤵
                • Loads dropped DLL
                • Program crash
                PID:2424
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "powershell" Get-MpPreference -verbose
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1964
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1892
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
              4⤵
                PID:2036
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\TGUNAtXQAqq2.bat" "
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1400
              • C:\Windows\SysWOW64\chcp.com
                chcp 65001
                4⤵
                  PID:868
                • C:\Windows\SysWOW64\PING.EXE
                  ping -n 10 localhost
                  4⤵
                  • Runs ping.exe
                  PID:1840

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
            Filesize

            68KB

            MD5

            29f65ba8e88c063813cc50a4ea544e93

            SHA1

            05a7040d5c127e68c25d81cc51271ffb8bef3568

            SHA256

            1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

            SHA512

            e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\TGUNAtXQAqq2.bat
            Filesize

            243B

            MD5

            2d4b37e45ea14c72c7b56d31003a5243

            SHA1

            2b14b9caee90924fdef8c479e88fede3b3d54b63

            SHA256

            93446a059811b4eeff02ac3d94dc1e7d2069d28855afadfe0aca582262c83b90

            SHA512

            25f4d45fdc7814e2534addcd23041a1396e8506192b1744e4af133ca4c1b4a84a1e7591d7b527c5737ec586bb7d14685ac8a8863a565e4441ecef8d58ec28cad

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Tar765F.tmp
            Filesize

            177KB

            MD5

            435a9ac180383f9fa094131b173a2f7b

            SHA1

            76944ea657a9db94f9a4bef38f88c46ed4166983

            SHA256

            67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

            SHA512

            1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\fBcmN8uovi3r.bat
            Filesize

            208B

            MD5

            e97dbf17a935933fce063a506ca59c13

            SHA1

            d8f162586027e5a7274f5663d4235804099914a3

            SHA256

            88f9e40930f18a68d195eae6d0a953d7eb98685871535b9e61c94b901c050090

            SHA512

            da2ec310add2a488368c1c9101da53863064253aac258c184c31566f6c61529214eb35bd326910854bde0ec717bb607a8908149773f2fed0b653a0dafd881567

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
            Filesize

            7KB

            MD5

            2cfc1107f1056677e80686d731d9a34d

            SHA1

            21f4a7790292444a2c46c4b700f9c5544b771b54

            SHA256

            8a56673c5d77c4e086a7a453405eec7a7d7018510f08611d72ff04b6f492decb

            SHA512

            2b04412ff5044a795cdb3d9abbc4ea13514f2038714c0f148b902f8ce42ba49c0a48405c39b8e4010d78ba81dfe9a4abd1a3a98c3982775978b44b0489d337a4

            Download Submit

          • C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe
            Filesize

            861KB

            MD5

            1b465c6989637df1d5c511919c43e457

            SHA1

            317f8bf5133176cd0f4125c6f2f0fdfc226754ab

            SHA256

            0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095

            SHA512

            e9dfd465ee22ebf67a73fdd873440d73f013b064e2a4aff3aedad2c5bd1b3027284af7912a383ad6c0a91ef8caad2b3c69cdfd29edb638563d89fd7e89e114dc

            Download Submit

          • memory/1588-124-0x0000000007210000-0x0000000007250000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1588-123-0x0000000073F20000-0x000000007460E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/1588-43-0x0000000073F20000-0x000000007460E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/1588-53-0x0000000007210000-0x0000000007250000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1588-150-0x0000000073F20000-0x000000007460E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/1588-41-0x00000000008F0000-0x00000000009CE000-memory.dmp

            Filesize

            888KB

            Download

          • memory/1728-0-0x0000000000890000-0x000000000096E000-memory.dmp

            Filesize

            888KB

            Download

          • memory/1728-4-0x0000000073F20000-0x000000007460E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/1728-5-0x0000000007150000-0x0000000007190000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1728-3-0x0000000000680000-0x000000000068E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1728-6-0x0000000007550000-0x0000000007600000-memory.dmp

            Filesize

            704KB

            Download

          • memory/1728-27-0x0000000073F20000-0x000000007460E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/1728-2-0x0000000007150000-0x0000000007190000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1728-1-0x0000000073F20000-0x000000007460E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/1756-135-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1756-148-0x0000000073F20000-0x000000007460E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/1756-154-0x0000000004CD0000-0x0000000004D10000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1756-174-0x0000000073F20000-0x000000007460E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/1756-175-0x0000000004CD0000-0x0000000004D10000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1964-54-0x0000000070280000-0x000000007082B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1964-48-0x0000000002710000-0x0000000002750000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1964-49-0x0000000070280000-0x000000007082B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1964-50-0x0000000002710000-0x0000000002750000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1964-51-0x0000000002710000-0x0000000002750000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1964-52-0x0000000070280000-0x000000007082B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2180-149-0x00000000700E0000-0x000000007068B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2180-152-0x00000000700E0000-0x000000007068B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2180-155-0x00000000700E0000-0x000000007068B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2180-151-0x00000000026E0000-0x0000000002720000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2180-153-0x00000000026E0000-0x0000000002720000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2468-26-0x0000000001F90000-0x0000000001FD0000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2468-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2468-12-0x0000000000400000-0x000000000048C000-memory.dmp

            Filesize

            560KB

            Download

          • memory/2468-25-0x0000000073F20000-0x000000007460E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2468-24-0x0000000000400000-0x000000000048C000-memory.dmp

            Filesize

            560KB

            Download

          • memory/2468-22-0x0000000000400000-0x000000000048C000-memory.dmp

            Filesize

            560KB

            Download

          • memory/2468-20-0x0000000000400000-0x000000000048C000-memory.dmp

            Filesize

            560KB

            Download

          • memory/2468-14-0x0000000000400000-0x000000000048C000-memory.dmp

            Filesize

            560KB

            Download

          • memory/2468-16-0x0000000000400000-0x000000000048C000-memory.dmp

            Filesize

            560KB

            Download

          • memory/2468-121-0x0000000073F20000-0x000000007460E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2468-17-0x0000000000400000-0x000000000048C000-memory.dmp

            Filesize

            560KB

            Download

          • memory/2556-172-0x0000000073F20000-0x000000007460E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2556-173-0x00000000072D0000-0x0000000007310000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2556-176-0x0000000073F20000-0x000000007460E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2556-177-0x00000000072D0000-0x0000000007310000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2588-32-0x0000000002200000-0x0000000002240000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2588-55-0x0000000070280000-0x000000007082B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2588-31-0x0000000070280000-0x000000007082B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2588-30-0x0000000070280000-0x000000007082B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2588-33-0x0000000002200000-0x0000000002240000-memory.dmp

            Filesize

            256KB

            Download