General
-
Target
61052c513ec73fe0fe0cefe1f5a8d588_JaffaCakes118
-
Size
491KB
-
Sample
240520-y6t7bsgd2y
-
MD5
61052c513ec73fe0fe0cefe1f5a8d588
-
SHA1
ec74c81f9ac11a02987788c3f5ae21c7702367cb
-
SHA256
e74ca6236680178ea85d3dec5335bf054d5004d7810683cb1233f67ca3894c73
-
SHA512
83e5b267dcb6ee461ce284150be7db62f7c9012d66336206c4ae30ec9a6d8bbe73c25927ca6491da1322ae7dade5a1e67253b1025abd58df8afed1fc40614a74
-
SSDEEP
6144:PhvvWMRnH9YMaxFewKakPM+f7FUEmiFjYjOSVhr2togLXax:PhvbRndox1KJFUEJFsqSf2tTX
Malware Config
Extracted
quasar
2.1.0.0
svhost
myconect.ddns.net:6606
VNM_MUTEX_ND6PULLW5ZVLwo1nwR
-
encryption_key
yaa63tXY4j55os5llHHd
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Venom Client Startup
-
subdirectory
SubDir
Targets
-
-
Target
61052c513ec73fe0fe0cefe1f5a8d588_JaffaCakes118
-
Size
491KB
-
MD5
61052c513ec73fe0fe0cefe1f5a8d588
-
SHA1
ec74c81f9ac11a02987788c3f5ae21c7702367cb
-
SHA256
e74ca6236680178ea85d3dec5335bf054d5004d7810683cb1233f67ca3894c73
-
SHA512
83e5b267dcb6ee461ce284150be7db62f7c9012d66336206c4ae30ec9a6d8bbe73c25927ca6491da1322ae7dade5a1e67253b1025abd58df8afed1fc40614a74
-
SSDEEP
6144:PhvvWMRnH9YMaxFewKakPM+f7FUEmiFjYjOSVhr2togLXax:PhvbRndox1KJFUEJFsqSf2tTX
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-