Analysis

  • max time kernel
    39s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-05-2024 05:35

General

  • Target

    38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe

  • Size

    600KB

  • MD5

    38842bfc2ef9e1a4734a3ac4d4fa0b0d

  • SHA1

    d7702f8f8b6d8baa46c066948b8278bfe868cff5

  • SHA256

    995661538199d5b1f816b33bf4a5b0dc50840e054a14dc54189aa63db3b6b824

  • SHA512

    067a32950f8800f2ab64d80c6910abf20e0204457abca4156a5a93624c230720b7904fe48ef26ab2ea15958abdb8a53306513c4db74ca69f02de679c5c360346

  • SSDEEP

    12288:bBU27je2sGbV7LsAlhgLTj9BBnWobokcoyhUvqA2:bBUYje21R0b9BBnWooXhQqA

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

windows security

C2

vilvaraj-32652.portmap.io:32652

Mutex

VNM_MUTEX_XaCO2YtLAsadylDHBP

Attributes
  • encryption_key

    eKgGUbCubcSIafuOAN5V

  • install_name

    windows security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    windows security

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 1 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilities.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3264
    • C:\Users\Admin\AppData\Local\Temp\38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Windows security modification
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1768
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "windows security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\38842bfc2ef9e1a4734a3ac4d4fa0b0d_JaffaCakes118.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:4832
      • C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4764
        • C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe"
          4⤵
          • Executes dropped EXE
          PID:2172
        • C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe"
          4⤵
          • Executes dropped EXE
          PID:1576
        • C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe"
          4⤵
          • Executes dropped EXE
          PID:3076
        • C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3720
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "windows security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:3848
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmgAHbB05VB3.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3016
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              6⤵
                PID:2744
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 10 localhost
                6⤵
                • Runs ping.exe
                PID:1876
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 1980
              5⤵
              • Program crash
              PID:64
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Get-MpPreference -verbose
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3280
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3720 -ip 3720
      1⤵
        PID:1464

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RmgAHbB05VB3.bat

        Filesize

        217B

        MD5

        a44ecbb95153177b436605332b98824c

        SHA1

        397bc8f6a410c980d5b0ca5c7b3bb981b1a64fe6

        SHA256

        99ea6f75e5ae45382bbfef7fbbfa59656d1382c7d8cfd41abf1b632dbf862617

        SHA512

        1c914718bd72208afe307b62008199f3e4f484811911aab15aa67e7736a31c4b3763fff1d979e906905b52b5b218c843dc6beb3aedba9d4caeb8e5680ebc9aae

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ymdxenly.5uv.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe

        Filesize

        600KB

        MD5

        38842bfc2ef9e1a4734a3ac4d4fa0b0d

        SHA1

        d7702f8f8b6d8baa46c066948b8278bfe868cff5

        SHA256

        995661538199d5b1f816b33bf4a5b0dc50840e054a14dc54189aa63db3b6b824

        SHA512

        067a32950f8800f2ab64d80c6910abf20e0204457abca4156a5a93624c230720b7904fe48ef26ab2ea15958abdb8a53306513c4db74ca69f02de679c5c360346

      • memory/1768-8-0x0000000000400000-0x000000000048C000-memory.dmp

        Filesize

        560KB

      • memory/1768-12-0x0000000074DC0000-0x0000000075570000-memory.dmp

        Filesize

        7.7MB

      • memory/1768-15-0x0000000006970000-0x00000000069AC000-memory.dmp

        Filesize

        240KB

      • memory/1768-14-0x00000000063F0000-0x0000000006402000-memory.dmp

        Filesize

        72KB

      • memory/1768-13-0x00000000053E0000-0x0000000005446000-memory.dmp

        Filesize

        408KB

      • memory/1768-9-0x0000000074DC0000-0x0000000075570000-memory.dmp

        Filesize

        7.7MB

      • memory/3264-2-0x0000000074DC0000-0x0000000075570000-memory.dmp

        Filesize

        7.7MB

      • memory/3264-4-0x0000000004F30000-0x0000000004FC2000-memory.dmp

        Filesize

        584KB

      • memory/3264-1-0x0000000000440000-0x00000000004DC000-memory.dmp

        Filesize

        624KB

      • memory/3264-7-0x0000000004E40000-0x0000000004E4A000-memory.dmp

        Filesize

        40KB

      • memory/3264-5-0x0000000004FD0000-0x000000000506C000-memory.dmp

        Filesize

        624KB

      • memory/3264-3-0x00000000056A0000-0x0000000005C44000-memory.dmp

        Filesize

        5.6MB

      • memory/3264-0-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

        Filesize

        4KB

      • memory/3264-11-0x0000000074DC0000-0x0000000075570000-memory.dmp

        Filesize

        7.7MB

      • memory/3280-53-0x000000006F770000-0x000000006F7BC000-memory.dmp

        Filesize

        304KB

      • memory/3280-30-0x0000000002B00000-0x0000000002B36000-memory.dmp

        Filesize

        216KB

      • memory/3280-31-0x00000000055A0000-0x0000000005BC8000-memory.dmp

        Filesize

        6.2MB

      • memory/3280-32-0x0000000005550000-0x0000000005572000-memory.dmp

        Filesize

        136KB

      • memory/3280-33-0x0000000005D70000-0x0000000005DD6000-memory.dmp

        Filesize

        408KB

      • memory/3280-63-0x0000000006A70000-0x0000000006A8E000-memory.dmp

        Filesize

        120KB

      • memory/3280-40-0x0000000005E50000-0x00000000061A4000-memory.dmp

        Filesize

        3.3MB

      • memory/3280-64-0x00000000074B0000-0x0000000007553000-memory.dmp

        Filesize

        652KB

      • memory/3280-49-0x00000000064C0000-0x00000000064DE000-memory.dmp

        Filesize

        120KB

      • memory/3280-50-0x00000000064F0000-0x000000000653C000-memory.dmp

        Filesize

        304KB

      • memory/3280-52-0x0000000007470000-0x00000000074A2000-memory.dmp

        Filesize

        200KB

      • memory/3720-42-0x0000000006750000-0x000000000675A000-memory.dmp

        Filesize

        40KB

      • memory/4764-29-0x0000000074DC0000-0x0000000075570000-memory.dmp

        Filesize

        7.7MB

      • memory/4764-22-0x0000000074DC0000-0x0000000075570000-memory.dmp

        Filesize

        7.7MB

      • memory/4764-21-0x0000000074DC0000-0x0000000075570000-memory.dmp

        Filesize

        7.7MB