General

  • Target

    3a7117d0c950b44d5464cd6841dd95cd_JaffaCakes118

  • Size

    472KB

  • Sample

    240512-q6kznacd46

  • MD5

    3a7117d0c950b44d5464cd6841dd95cd

  • SHA1

    b0dd2745f822d1e43300fa1ccb11749fdfcf1260

  • SHA256

    6a1e31b04adc8e779095fb61f7e3cafc8866f644865ee64ee1d02210f7db3766

  • SHA512

    a8c3ce748eee0ef88ce737d853d26d3f9e49bb7cfbbf7c67dfebfa7451279010f67c552f3f49275788db21f423ebfa845f2726892bdc2596af36682b7791ab25

  • SSDEEP

    6144:wYd3flbbsDpd0DHo5AqYOy8oE0B7mEuZe35o4LILBWflzgWErnrXnzmjdoBqZg:wYd901AqoES7mEuZmi4LILBelztqmi

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

svhost

C2

myconect.ddns.net:6606

Mutex

VNM_MUTEX_ND6PULLW5ZVLwo1nwR

Attributes

  • encryption_key

    yaa63tXY4j55os5llHHd

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    SubDir

Targets

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilities.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15