Analysis

  • max time kernel
    137s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    27-05-2024 06:45

General

  • Target

    783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe

  • Size

    610KB

  • MD5

    783dde94a3c4fdad4663bc9e370e9de8

  • SHA1

    262fa6fe51d779ae988d6b99ac8ee37d71c75064

  • SHA256

    19f0abf0648c4c993b02b50b4e35224b64ff45b9748dd9dc36c68cf1b42dcbdd

  • SHA512

    a41f2f23272e55d9b275f868439758618f96c30fe47fd433431b07322f135fcbba3c43be199aba86160abe5e362e44ce9aa862bbf48cd0a33b716b278ec565b8

  • SSDEEP

    12288:KU+xqEiGfCnAUfyg1Dv1wH/umXwyTWlxHsgL7A26:TETCnX5Dv+bhTWlxH1L

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

svhost

C2

myconect.ddns.net:6606

Mutex

VNM_MUTEX_rHOHbrAQKctPD4d68w

Attributes
  • encryption_key

    rDFwhCyuKMqXO7llDpB2

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 4 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 4 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe
      "C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1124
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2024
      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2480
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          4⤵
          • Creates scheduled task(s)
          PID:1084
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2580
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2292
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
          4⤵
          • Deletes itself
          PID:2252
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ufKxY65rfzTC.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1440
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
            PID:812
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 10 localhost
            4⤵
            • Runs ping.exe
            PID:1832
          • C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe
            "C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1140
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:2552

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      1KB

      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      242B

      MD5

      d951d65f4cd9a4ee7880d32f7f042e8d

      SHA1

      a9d364f468fd0b6ed203fc30cacfd63f13456329

      SHA256

      a5520b617a58b088f75726d056927ea4409c5801df9d7f5896b0542d7f45bdf8

      SHA512

      ed9e616056e0a0d80075742abed8d0cda8a49bd368e0d61ed036d945d42b41c3778cbf34ee73678139e6afb24b06a030cd5f8dae71625c5fe606210222df39dc

    • C:\Users\Admin\AppData\Local\Temp\Joqnjogev.jpg

      Filesize

      72KB

      MD5

      277f0e029298e0dffee3f8820726c6e3

      SHA1

      df2cdaa12ccc9e0eb0de1871c9fa12cec9f575a2

      SHA256

      f7ede3780d2e6789dfd5aaf99d8613040e6150f44ab547116817dc2f7ad442a8

      SHA512

      b2fc83d2e4d682007109be8b33aff144af3ad8f6466b911c6f48516fde5530234ed964d12a82e1e10a4a79130ee59fdc2076106d4f7460e036cdd0454da90272

    • C:\Users\Admin\AppData\Local\Temp\Tar2264.tmp

      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    • C:\Users\Admin\AppData\Local\Temp\ufKxY65rfzTC.bat

      Filesize

      207B

      MD5

      23a35e6bfb1b1ac43f76894128d3ea91

      SHA1

      35adddbf217fd25775bcc8b6d7b730c0c699f9af

      SHA256

      2a5ea155390899e2fdbab485a96abe31fa828bc72a85acf1a560ca85b9a28ddd

      SHA512

      44f2dce195f6af25d3a898b00d1f50be8baec74bdc21cc6b3a771e4cd1c0e9c0f8b02034df0fb333d7596d8f32748a9ff191743728fc9b0581c32820365a47e2

    • \Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe

      Filesize

      655KB

      MD5

      43e5556cab3ba9cd353b0c6cf1548d75

      SHA1

      64cf51c0d612cb6276e59639071406c1d2e86702

      SHA256

      286ea33997e28cad2651bc27c091e45c3502c4c7f69e4f28965bf846cf9528b8

      SHA512

      edde4a5af40e65afbe4e212e356879277f9641e4b8d46950fed33397754fe87ff81a337623e6c5202776e1636cefcd58f0ed94a212e8dd25ba427a017fcb2bdf

    • memory/836-1-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

    • memory/836-14-0x0000000004AD0000-0x0000000004AD2000-memory.dmp

      Filesize

      8KB

    • memory/836-2-0x0000000074440000-0x0000000074B2E000-memory.dmp

      Filesize

      6.9MB

    • memory/836-16-0x0000000074440000-0x0000000074B2E000-memory.dmp

      Filesize

      6.9MB

    • memory/836-0-0x000000007444E000-0x000000007444F000-memory.dmp

      Filesize

      4KB

    • memory/1124-89-0x0000000074440000-0x0000000074B2E000-memory.dmp

      Filesize

      6.9MB

    • memory/1124-13-0x0000000074440000-0x0000000074B2E000-memory.dmp

      Filesize

      6.9MB

    • memory/1124-11-0x0000000000C70000-0x0000000000D1A000-memory.dmp

      Filesize

      680KB

    • memory/1124-12-0x0000000074440000-0x0000000074B2E000-memory.dmp

      Filesize

      6.9MB

    • memory/1124-99-0x0000000074440000-0x0000000074B2E000-memory.dmp

      Filesize

      6.9MB

    • memory/1140-102-0x00000000003C0000-0x000000000046A000-memory.dmp

      Filesize

      680KB

    • memory/2480-25-0x0000000001140000-0x00000000011EA000-memory.dmp

      Filesize

      680KB

    • memory/2552-15-0x00000000002E0000-0x00000000002E2000-memory.dmp

      Filesize

      8KB