General

  • Target

    3e5b3579e97745512e8766b9c89aba66_JaffaCakes118

  • Size

    503KB

  • Sample

    240513-h9z9rafc68

  • MD5

    3e5b3579e97745512e8766b9c89aba66

  • SHA1

    43a67810e5278a542f6a4d8eb86040b64e34fb35

  • SHA256

    90e165246c0518ce77a98adbe2cd589bdc75d162f23fde3e7f837882b8facd2f

  • SHA512

    d967309ba2e26e71c692850c04aae9a90880614848c021e332d06d4de123c02cf07768b42503d065cde9187e3d56b1637d16b775f2c755a7b1ae01632000dc6c

  • SSDEEP

    12288:mY9OgcjseeEyx6a7AX8EmUfsgHYYKDWHe3odvByqTX:mgcjsfH6aamUfUfWDvcA

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

svhost

C2

myconect.ddns.net:6606

Mutex

VNM_MUTEX_ND6PULLW5ZVLwo1nwR

Attributes
  • encryption_key

    yaa63tXY4j55os5llHHd

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      3e5b3579e97745512e8766b9c89aba66_JaffaCakes118

    • Size

      503KB

    • MD5

      3e5b3579e97745512e8766b9c89aba66

    • SHA1

      43a67810e5278a542f6a4d8eb86040b64e34fb35

    • SHA256

      90e165246c0518ce77a98adbe2cd589bdc75d162f23fde3e7f837882b8facd2f

    • SHA512

      d967309ba2e26e71c692850c04aae9a90880614848c021e332d06d4de123c02cf07768b42503d065cde9187e3d56b1637d16b775f2c755a7b1ae01632000dc6c

    • SSDEEP

      12288:mY9OgcjseeEyx6a7AX8EmUfsgHYYKDWHe3odvByqTX:mgcjsfH6aamUfUfWDvcA

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks