quasar | 19f0abf0648c4c993b02b50b4e35224b64ff45b9748dd9dc36c68cf1b42dcbdd

General

Target

783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe
Size

610KB
MD5

783dde94a3c4fdad4663bc9e370e9de8
SHA1

262fa6fe51d779ae988d6b99ac8ee37d71c75064
SHA256

19f0abf0648c4c993b02b50b4e35224b64ff45b9748dd9dc36c68cf1b42dcbdd
SHA512

a41f2f23272e55d9b275f868439758618f96c30fe47fd433431b07322f135fcbba3c43be199aba86160abe5e362e44ce9aa862bbf48cd0a33b716b278ec565b8
SSDEEP

12288:KU+xqEiGfCnAUfyg1Dv1wH/umXwyTWlxHsgL7A26:TETCnX5Dv+bhTWlxH1L

Score

10^/10

quasar venomrat svhost evasion rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

svhost

C2

myconect.ddns.net:6606

Mutex

VNM_MUTEX_rHOHbrAQKctPD4d68w

Attributes

encryption_key
rDFwhCyuKMqXO7llDpB2
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 4 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe	disable_win_def
behavioral1/memory/1124-11-0x0000000000C70000-0x0000000000D1A000-memory.dmp	disable_win_def
behavioral1/memory/2480-25-0x0000000001140000-0x00000000011EA000-memory.dmp	disable_win_def
behavioral1/memory/1140-102-0x00000000003C0000-0x000000000046A000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

Pnabmtbcti.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Pnabmtbcti.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Pnabmtbcti.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Pnabmtbcti.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Pnabmtbcti.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe	family_quasar
behavioral1/memory/1124-11-0x0000000000C70000-0x0000000000D1A000-memory.dmp	family_quasar
behavioral1/memory/2480-25-0x0000000001140000-0x00000000011EA000-memory.dmp	family_quasar
behavioral1/memory/1140-102-0x00000000003C0000-0x000000000046A000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2252 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

Pnabmtbcti.exeClient.exePnabmtbcti.exe

pid process

1124 Pnabmtbcti.exe
2480 Client.exe
1140 Pnabmtbcti.exe
Loads dropped DLL 3 IoCs

Processes:

783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exePnabmtbcti.execmd.exe

pid process

836 783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe
1124 Pnabmtbcti.exe
1440 cmd.exe

pid	process
2252	cmd.exe

pid	process
1124	Pnabmtbcti.exe
2480	Client.exe
1140	Pnabmtbcti.exe

pid	process
836	783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe
1124	Pnabmtbcti.exe
1440	cmd.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Pnabmtbcti.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Pnabmtbcti.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	Pnabmtbcti.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2024 schtasks.exe
1084 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1832 PING.EXE

flow	ioc
2	ip-api.com

pid	process
2024	schtasks.exe
1084	schtasks.exe

pid	process
1832	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exePnabmtbcti.exePnabmtbcti.exe

pid	process
2580	powershell.exe
1124	Pnabmtbcti.exe
1124	Pnabmtbcti.exe
1124	Pnabmtbcti.exe
1124	Pnabmtbcti.exe
1124	Pnabmtbcti.exe
1124	Pnabmtbcti.exe
1124	Pnabmtbcti.exe
1140	Pnabmtbcti.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Pnabmtbcti.exepowershell.exeClient.exePnabmtbcti.exe

description	pid	process
Token: SeDebugPrivilege	1124	Pnabmtbcti.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2480	Client.exe
Token: SeDebugPrivilege	2480	Client.exe
Token: SeDebugPrivilege	1140	Pnabmtbcti.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

2552 DllHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

2480 Client.exe

pid	process
2552	DllHost.exe

pid	process
2480	Client.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exePnabmtbcti.exeClient.execmd.execmd.exe

description	pid	process	target process
PID 836 wrote to memory of 1124	836	783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe	Pnabmtbcti.exe
PID 836 wrote to memory of 1124	836	783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe	Pnabmtbcti.exe
PID 836 wrote to memory of 1124	836	783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe	Pnabmtbcti.exe
PID 836 wrote to memory of 1124	836	783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe	Pnabmtbcti.exe
PID 1124 wrote to memory of 2024	1124	Pnabmtbcti.exe	schtasks.exe
PID 1124 wrote to memory of 2024	1124	Pnabmtbcti.exe	schtasks.exe
PID 1124 wrote to memory of 2024	1124	Pnabmtbcti.exe	schtasks.exe
PID 1124 wrote to memory of 2024	1124	Pnabmtbcti.exe	schtasks.exe
PID 1124 wrote to memory of 2480	1124	Pnabmtbcti.exe	Client.exe
PID 1124 wrote to memory of 2480	1124	Pnabmtbcti.exe	Client.exe
PID 1124 wrote to memory of 2480	1124	Pnabmtbcti.exe	Client.exe
PID 1124 wrote to memory of 2480	1124	Pnabmtbcti.exe	Client.exe
PID 1124 wrote to memory of 2580	1124	Pnabmtbcti.exe	powershell.exe
PID 1124 wrote to memory of 2580	1124	Pnabmtbcti.exe	powershell.exe
PID 1124 wrote to memory of 2580	1124	Pnabmtbcti.exe	powershell.exe
PID 1124 wrote to memory of 2580	1124	Pnabmtbcti.exe	powershell.exe
PID 2480 wrote to memory of 1084	2480	Client.exe	schtasks.exe
PID 2480 wrote to memory of 1084	2480	Client.exe	schtasks.exe
PID 2480 wrote to memory of 1084	2480	Client.exe	schtasks.exe
PID 2480 wrote to memory of 1084	2480	Client.exe	schtasks.exe
PID 1124 wrote to memory of 2292	1124	Pnabmtbcti.exe	cmd.exe
PID 1124 wrote to memory of 2292	1124	Pnabmtbcti.exe	cmd.exe
PID 1124 wrote to memory of 2292	1124	Pnabmtbcti.exe	cmd.exe
PID 1124 wrote to memory of 2292	1124	Pnabmtbcti.exe	cmd.exe
PID 2292 wrote to memory of 2252	2292	cmd.exe	cmd.exe
PID 2292 wrote to memory of 2252	2292	cmd.exe	cmd.exe
PID 2292 wrote to memory of 2252	2292	cmd.exe	cmd.exe
PID 2292 wrote to memory of 2252	2292	cmd.exe	cmd.exe
PID 1124 wrote to memory of 1440	1124	Pnabmtbcti.exe	cmd.exe
PID 1124 wrote to memory of 1440	1124	Pnabmtbcti.exe	cmd.exe
PID 1124 wrote to memory of 1440	1124	Pnabmtbcti.exe	cmd.exe
PID 1124 wrote to memory of 1440	1124	Pnabmtbcti.exe	cmd.exe
PID 1440 wrote to memory of 812	1440	cmd.exe	chcp.com
PID 1440 wrote to memory of 812	1440	cmd.exe	chcp.com
PID 1440 wrote to memory of 812	1440	cmd.exe	chcp.com
PID 1440 wrote to memory of 812	1440	cmd.exe	chcp.com
PID 1440 wrote to memory of 1832	1440	cmd.exe	PING.EXE
PID 1440 wrote to memory of 1832	1440	cmd.exe	PING.EXE
PID 1440 wrote to memory of 1832	1440	cmd.exe	PING.EXE
PID 1440 wrote to memory of 1832	1440	cmd.exe	PING.EXE
PID 1440 wrote to memory of 1140	1440	cmd.exe	Pnabmtbcti.exe
PID 1440 wrote to memory of 1140	1440	cmd.exe	Pnabmtbcti.exe
PID 1440 wrote to memory of 1140	1440	cmd.exe	Pnabmtbcti.exe
PID 1440 wrote to memory of 1140	1440	cmd.exe	Pnabmtbcti.exe

C:\Users\Admin\AppData\Local\Temp\783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:836

C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe
"C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe"
2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2024

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
4⤵
- Deletes itself
PID:2252

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ufKxY65rfzTC.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:812

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1832

C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe
"C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
d951d65f4cd9a4ee7880d32f7f042e8d

SHA1
a9d364f468fd0b6ed203fc30cacfd63f13456329

SHA256
a5520b617a58b088f75726d056927ea4409c5801df9d7f5896b0542d7f45bdf8

SHA512
ed9e616056e0a0d80075742abed8d0cda8a49bd368e0d61ed036d945d42b41c3778cbf34ee73678139e6afb24b06a030cd5f8dae71625c5fe606210222df39dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Joqnjogev.jpg

Filesize
72KB

MD5
277f0e029298e0dffee3f8820726c6e3

SHA1
df2cdaa12ccc9e0eb0de1871c9fa12cec9f575a2

SHA256
f7ede3780d2e6789dfd5aaf99d8613040e6150f44ab547116817dc2f7ad442a8

SHA512
b2fc83d2e4d682007109be8b33aff144af3ad8f6466b911c6f48516fde5530234ed964d12a82e1e10a4a79130ee59fdc2076106d4f7460e036cdd0454da90272

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2264.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufKxY65rfzTC.bat

Filesize
207B

MD5
23a35e6bfb1b1ac43f76894128d3ea91

SHA1
35adddbf217fd25775bcc8b6d7b730c0c699f9af

SHA256
2a5ea155390899e2fdbab485a96abe31fa828bc72a85acf1a560ca85b9a28ddd

SHA512
44f2dce195f6af25d3a898b00d1f50be8baec74bdc21cc6b3a771e4cd1c0e9c0f8b02034df0fb333d7596d8f32748a9ff191743728fc9b0581c32820365a47e2

Download Submit
\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe

Filesize
655KB

MD5
43e5556cab3ba9cd353b0c6cf1548d75

SHA1
64cf51c0d612cb6276e59639071406c1d2e86702

SHA256
286ea33997e28cad2651bc27c091e45c3502c4c7f69e4f28965bf846cf9528b8

SHA512
edde4a5af40e65afbe4e212e356879277f9641e4b8d46950fed33397754fe87ff81a337623e6c5202776e1636cefcd58f0ed94a212e8dd25ba427a017fcb2bdf

Download Submit
memory/836-1-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/836-14-0x0000000004AD0000-0x0000000004AD2000-memory.dmp

Filesize
8KB

Download
memory/836-2-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/836-16-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/836-0-0x000000007444E000-0x000000007444F000-memory.dmp

Filesize
4KB

Download
memory/1124-89-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/1124-13-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/1124-11-0x0000000000C70000-0x0000000000D1A000-memory.dmp

Filesize
680KB

Download
memory/1124-12-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/1124-99-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/1140-102-0x00000000003C0000-0x000000000046A000-memory.dmp

Filesize
680KB

Download
memory/2480-25-0x0000000001140000-0x00000000011EA000-memory.dmp

Filesize
680KB

Download
memory/2552-15-0x00000000002E0000-0x00000000002E2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads