quasar | e2664640d1772b5f9626787ba8f6c88084c7a3de046457eeec2f0ce6bd07d215

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2024 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
Size

488KB
MD5

0f9120aa260daa1849a56062f8b6a492
SHA1

a56e35f6cc5424936a56827d307253c56a937a0e
SHA256

e2664640d1772b5f9626787ba8f6c88084c7a3de046457eeec2f0ce6bd07d215
SHA512

ae52b328521f6a550951ac0c53745034f985230dcd850d0881079d1a2f50b865c30e646271dd4230f3d07db34bf6515b434bcf0f085f8e703533ae14180f81dc
SSDEEP

12288:RhMM2P6wZMGWIHT0K5DDeOGYJeSyzLIB/xk5:Plk6SF9HT0gGie4B/x

Score

10^/10

quasar venomrat office04 rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

193.161.193.99:25334

Mutex

VNM_MUTEX_3gEHJWUppmmJSCirO4

Attributes

encryption_key
WrqRQZrwZ1NbyFhWiYhM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 11 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/1020-5-0x0000000000402000-0x0000000000489000-memory.dmp	disable_win_def
behavioral2/memory/1020-2-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral2/memory/1020-6-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral2/memory/1020-9-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral2/memory/1020-11-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral2/memory/1020-12-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral2/memory/1020-19-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral2/memory/1020-24-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral2/files/0x0009000000023b10-30.dat	disable_win_def
behavioral2/memory/2956-35-0x0000000000E30000-0x0000000000EBC000-memory.dmp	disable_win_def
behavioral2/memory/1020-49-0x0000000000402000-0x0000000000489000-memory.dmp	disable_win_def

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 11 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1020-5-0x0000000000402000-0x0000000000489000-memory.dmp	family_quasar
behavioral2/memory/1020-2-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral2/memory/1020-6-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral2/memory/1020-9-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral2/memory/1020-11-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral2/memory/1020-12-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral2/memory/1020-19-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral2/memory/1020-24-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral2/files/0x0009000000023b10-30.dat	family_quasar
behavioral2/memory/2956-35-0x0000000000E30000-0x0000000000EBC000-memory.dmp	family_quasar
behavioral2/memory/1020-49-0x0000000000402000-0x0000000000489000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 1 IoCs

Processes:

krvcp3e1.exe

pid	Process
2956	krvcp3e1.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
13	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe

pid	Process
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
888	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe

pid	Process
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exetaskkill.exekrvcp3e1.exe

description	pid	Process
Token: SeDebugPrivilege	1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
Token: SeDebugPrivilege	888	taskkill.exe
Token: SeDebugPrivilege	2956	krvcp3e1.exe
Token: SeDebugPrivilege	2956	krvcp3e1.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe

pid	Process
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exeDllHost.execmd.exe

description	pid	Process	procid_target
PID 1020 wrote to memory of 4432	1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe	85
PID 1020 wrote to memory of 4432	1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe	85
PID 1020 wrote to memory of 4432	1020	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe	85
PID 3168 wrote to memory of 2832	3168	DllHost.exe	88
PID 3168 wrote to memory of 2832	3168	DllHost.exe	88
PID 3168 wrote to memory of 2832	3168	DllHost.exe	88
PID 2832 wrote to memory of 2956	2832	cmd.exe	90
PID 2832 wrote to memory of 2956	2832	cmd.exe	90
PID 2832 wrote to memory of 2956	2832	cmd.exe	90
PID 3168 wrote to memory of 888	3168	DllHost.exe	91
PID 3168 wrote to memory of 888	3168	DllHost.exe	91
PID 3168 wrote to memory of 888	3168	DllHost.exe	91

C:\Users\Admin\AppData\Local\Temp\0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1020
- \??\c:\windows\SysWOW64\cmstp.exe
  "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\bnc1mqfg.inf
  2⤵
  PID:4432

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Windows\temp\krvcp3e1.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\temp\krvcp3e1.exe
    C:\Windows\temp\krvcp3e1.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2956
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /IM cmstp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\krvcp3e1.exe

Filesize
534KB

MD5
f9173b96d6fe649de1d4ab61ab76beb4

SHA1
403bf6cc3f682b575beb79186cef5b38bc2fe59f

SHA256
228ade38d24df70b545682076a142874ad4385528179a90c585d574c1aad2aac

SHA512
6060bc2ef5295df71bf78b29bfd7d5576d5299df9553ec5d41852455cbcfa3f9bcb50ad16b13337aff3b68b34387855675948276343d65ae03d5eac4e8470700

Download Submit
C:\Windows\temp\bnc1mqfg.inf

Filesize
606B

MD5
f69043a2ac6ae406d96c1f07cd6377dd

SHA1
28df1e9b190e110e7ac861935d5dd61dd110fa2d

SHA256
11a87db16d1f964c06a18ffd4bc17e6e5f6f72f9c04e7a351f8d6e6eee16d624

SHA512
9b54c0061e05464330bc750bb9a84154560a9057edd5a1f99761808249c8ecd69f8e7f28bebae3d415da92b0fcc820d94ecdacd09e9bf7e55a959b8615e7e304

Download Submit
memory/1020-27-0x00000000751F0000-0x000000007526B000-memory.dmp

Filesize
492KB

Download
memory/1020-42-0x00000000748A0000-0x00000000748A8000-memory.dmp

Filesize
32KB

Download
memory/1020-3-0x0000000002150000-0x0000000002197000-memory.dmp

Filesize
284KB

Download
memory/1020-2-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1020-6-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1020-7-0x0000000076FE0000-0x00000000771F5000-memory.dmp

Filesize
2.1MB

Download
memory/1020-9-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1020-8-0x0000000075A40000-0x0000000075CC1000-memory.dmp

Filesize
2.5MB

Download
memory/1020-11-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1020-10-0x0000000075E80000-0x0000000075F63000-memory.dmp

Filesize
908KB

Download
memory/1020-12-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1020-13-0x0000000072B80000-0x0000000072C09000-memory.dmp

Filesize
548KB

Download
memory/1020-14-0x0000000004C60000-0x0000000005204000-memory.dmp

Filesize
5.6MB

Download
memory/1020-15-0x0000000005250000-0x00000000052E2000-memory.dmp

Filesize
584KB

Download
memory/1020-16-0x0000000076620000-0x0000000076BD3000-memory.dmp

Filesize
5.7MB

Download
memory/1020-5-0x0000000000402000-0x0000000000489000-memory.dmp

Filesize
540KB

Download
memory/1020-0-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1020-21-0x00000000053D0000-0x00000000053DA000-memory.dmp

Filesize
40KB

Download
memory/1020-23-0x0000000002150000-0x0000000002197000-memory.dmp

Filesize
284KB

Download
memory/1020-24-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1020-25-0x0000000076FE0000-0x00000000771F5000-memory.dmp

Filesize
2.1MB

Download
memory/1020-26-0x0000000076BE0000-0x0000000076C04000-memory.dmp

Filesize
144KB

Download
memory/1020-1-0x0000000002150000-0x0000000002197000-memory.dmp

Filesize
284KB

Download
memory/1020-28-0x0000000075610000-0x0000000075730000-memory.dmp

Filesize
1.1MB

Download
memory/1020-19-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1020-32-0x0000000075D30000-0x0000000075DEF000-memory.dmp

Filesize
764KB

Download
memory/1020-34-0x0000000076620000-0x0000000076BD3000-memory.dmp

Filesize
5.7MB

Download
memory/1020-33-0x00000000754D0000-0x000000007558F000-memory.dmp

Filesize
764KB

Download
memory/1020-44-0x00000000740D0000-0x00000000740E4000-memory.dmp

Filesize
80KB

Download
memory/1020-36-0x00000000750F0000-0x0000000075142000-memory.dmp

Filesize
328KB

Download
memory/1020-37-0x0000000075A40000-0x0000000075CC1000-memory.dmp

Filesize
2.5MB

Download
memory/1020-38-0x0000000076DC0000-0x0000000076E56000-memory.dmp

Filesize
600KB

Download
memory/1020-39-0x0000000075310000-0x0000000075355000-memory.dmp

Filesize
276KB

Download
memory/1020-40-0x00000000748C0000-0x000000007494D000-memory.dmp

Filesize
564KB

Download
memory/1020-4-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/1020-41-0x00000000748B0000-0x00000000748BF000-memory.dmp

Filesize
60KB

Download
memory/1020-43-0x00000000740F0000-0x00000000748A0000-memory.dmp

Filesize
7.7MB

Download
memory/1020-45-0x0000000074020000-0x00000000740CB000-memory.dmp

Filesize
684KB

Download
memory/1020-48-0x0000000076F10000-0x0000000076F29000-memory.dmp

Filesize
100KB

Download
memory/1020-49-0x0000000000402000-0x0000000000489000-memory.dmp

Filesize
540KB

Download
memory/1020-47-0x0000000072B80000-0x0000000072C09000-memory.dmp

Filesize
548KB

Download
memory/1020-46-0x0000000075E80000-0x0000000075F63000-memory.dmp

Filesize
908KB

Download
memory/2956-35-0x0000000000E30000-0x0000000000EBC000-memory.dmp

Filesize
560KB

Download
memory/2956-50-0x0000000005880000-0x00000000058E6000-memory.dmp

Filesize
408KB

Download
memory/2956-51-0x00000000064A0000-0x00000000064B2000-memory.dmp

Filesize
72KB

Download
memory/2956-52-0x00000000069E0000-0x0000000006A1C000-memory.dmp

Filesize
240KB

Download