Analysis
-
max time kernel
90s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
29-03-2024 06:44
General
-
Target
1b465c6989637df1d5c511919c43e457_JaffaCakes118.exe
-
Size
861KB
-
MD5
1b465c6989637df1d5c511919c43e457
-
SHA1
317f8bf5133176cd0f4125c6f2f0fdfc226754ab
-
SHA256
0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095
-
SHA512
e9dfd465ee22ebf67a73fdd873440d73f013b064e2a4aff3aedad2c5bd1b3027284af7912a383ad6c0a91ef8caad2b3c69cdfd29edb638563d89fd7e89e114dc
-
SSDEEP
24576:nc6zD+4oOZ34MRxbnCiZXsqK+eHTesb/hyDVeb:5D+NOZoax7CSX/g
Malware Config
Extracted
quasar
2.1.0.0
Office04
grace.adds-only.xyz:1609
VNM_MUTEX_c2q7y2ayYutZ2XaYe7
-
encryption_key
wHq4o3k6UfKZv19jkcxs
-
install_name
winrara.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Venom Client Startup
-
subdirectory
SubDir
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1b465c6989637df1d5c511919c43e457_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1b465c6989637df1d5c511919c43e457_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1b465c6989637df1d5c511919c43e457_JaffaCakes118.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kCCzCqEnSxl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB3BB.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\1b465c6989637df1d5c511919c43e457_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1b465c6989637df1d5c511919c43e457_JaffaCakes118.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe"C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kCCzCqEnSxl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4F10.tmp"4⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe"C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6KogI8HJBSwE.bat" "5⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650016⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost6⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 16925⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*4⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 25603⤵
- Program crash
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3804 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4348 -ip 43481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2012 -ip 20121⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
18KB
MD54d744765fc4ad2dfc6aa1498113d820f
SHA1757dc61acb942e1a20f3fae51abfb45b86cbc145
SHA256908ab04882cfc595e53224d10b82afdb3eb7c3a4afe6001c3e9f382e8711ce3e
SHA512fefec50021b1e652754282ade077d0508dd7dd2c6beebd53b7104af711ea8bc3e14d2b36990761785eecd66d4b5e0fee73a3b3b2566a239f617d4f8cfac93624
-
Filesize
243B
MD551bfe982dac75e8ae94c2dc63f947e78
SHA17713ea28edb574178989f61c8f77c121959f3f2b
SHA256ec9d20c1dc6c79e77e4f4c344bfd6404b1ea77935f28e60f66b04eef480f83f8
SHA512923b7e31e89a72f2ae065b93b38520e8674a51a24b082e586aa87be54adcb83bf34be73c881d2a502845732896279c4493c029f771698fe063673d29d227a89f
-
Filesize
208B
MD5e2711c6cf8bbaf0ce087c4a660f3a214
SHA1ee537621ff261877eb5059e5d58cf9f5e01ae4d1
SHA2560ccdeb17039dc5956753faf1ca5252e854b15e836a3d98b58fd87463ad86bb35
SHA512029cf7b65a830e8e8527352141aeb2461cea63199cd5e743deb1b864456a24ce52176645fd5941dc164918c24012d20f053e51e3163b2502e1d2daf47a59d277
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
861KB
MD51b465c6989637df1d5c511919c43e457
SHA1317f8bf5133176cd0f4125c6f2f0fdfc226754ab
SHA2560b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095
SHA512e9dfd465ee22ebf67a73fdd873440d73f013b064e2a4aff3aedad2c5bd1b3027284af7912a383ad6c0a91ef8caad2b3c69cdfd29edb638563d89fd7e89e114dc
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
80KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
104KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
560KB
-
Filesize
624KB
-
Filesize
7.7MB
-
Filesize
56KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
704KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
888KB
-
Filesize
304KB
-
Filesize
104KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
40KB
-
Filesize
408KB
-
Filesize
6.5MB
-
Filesize
652KB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
200KB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB