General
-
Target
33ce258b07afea582cc317a398b8770c_JaffaCakes118
-
Size
488KB
-
Sample
240511-kz463adb74
-
MD5
33ce258b07afea582cc317a398b8770c
-
SHA1
9a81235b698e5477847280626b729f5347ed2585
-
SHA256
39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065
-
SHA512
4fbd58e79881313b8c29ccafd9ef7c479e9bbc427869a44981bc4077bd81ed1532c5bcb679e8973470833e18dc5c81a54c69d958030f31f053e92f35a6d2ad66
-
SSDEEP
12288:ayJgDWpL20Rr3oPm1PC8CcxZsfi8H8fxQpwW2R7NoBE:aAgDWWm1HCX9cz1dNoS
Malware Config
Extracted
quasar
-
reconnect_delay
3000
Extracted
quasar
2.1.0.0
awtes
193.161.193.99:25334
VNM_MUTEX_kCeYnA1EuESMOTFzJZ
-
encryption_key
mUjLzgxM95Q9fARNfgET
-
install_name
_isdel.exe
-
log_directory
SetupDir
-
reconnect_delay
3000
-
startup_key
_isdel
-
subdirectory
Shield
Targets
-
-
Target
33ce258b07afea582cc317a398b8770c_JaffaCakes118
-
Size
488KB
-
MD5
33ce258b07afea582cc317a398b8770c
-
SHA1
9a81235b698e5477847280626b729f5347ed2585
-
SHA256
39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065
-
SHA512
4fbd58e79881313b8c29ccafd9ef7c479e9bbc427869a44981bc4077bd81ed1532c5bcb679e8973470833e18dc5c81a54c69d958030f31f053e92f35a6d2ad66
-
SSDEEP
12288:ayJgDWpL20Rr3oPm1PC8CcxZsfi8H8fxQpwW2R7NoBE:aAgDWWm1HCX9cz1dNoS
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-