Overview

overview

10

Static

static

3

783dde94a3...18.exe

windows7-x64

10

783dde94a3...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-05-2024 06:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe

  • Size

    610KB

  • MD5

    783dde94a3c4fdad4663bc9e370e9de8

  • SHA1

    262fa6fe51d779ae988d6b99ac8ee37d71c75064

  • SHA256

    19f0abf0648c4c993b02b50b4e35224b64ff45b9748dd9dc36c68cf1b42dcbdd

  • SHA512

    a41f2f23272e55d9b275f868439758618f96c30fe47fd433431b07322f135fcbba3c43be199aba86160abe5e362e44ce9aa862bbf48cd0a33b716b278ec565b8

  • SSDEEP

    12288:KU+xqEiGfCnAUfyg1Dv1wH/umXwyTWlxHsgL7A26:TETCnX5Dv+bhTWlxH1L

Score
10/10
quasarvenomratsvhostevasionratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

svhost

C2

myconect.ddns.net:6606

Mutex

VNM_MUTEX_rHOHbrAQKctPD4d68w

Attributes
  • encryption_key

    rDFwhCyuKMqXO7llDpB2

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 2 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\783dde94a3c4fdad4663bc9e370e9de8_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2776
    • C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe
      "C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Checks computer location settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:4828
      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4504
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          4⤵
          • Creates scheduled task(s)
          PID:2948
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3004
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4908
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
          4⤵
            PID:4736
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NNgARlylElH1.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1388
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            4⤵
              PID:1668
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 10 localhost
              4⤵
              • Runs ping.exe
              PID:1748
            • C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe
              "C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4652

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Persistence

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Modify Registry

      2
      T1112

      Impair Defenses

      2
      T1562

      Disable or Modify Tools

      2
      T1562.001

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Remote System Discovery

      1
      T1018

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Pnabmtbcti.exe.log
        Filesize

        1KB

        MD5

        10eab9c2684febb5327b6976f2047587

        SHA1

        a12ed54146a7f5c4c580416aecb899549712449e

        SHA256

        f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

        SHA512

        7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Joqnjogev.jpg
        Filesize

        72KB

        MD5

        277f0e029298e0dffee3f8820726c6e3

        SHA1

        df2cdaa12ccc9e0eb0de1871c9fa12cec9f575a2

        SHA256

        f7ede3780d2e6789dfd5aaf99d8613040e6150f44ab547116817dc2f7ad442a8

        SHA512

        b2fc83d2e4d682007109be8b33aff144af3ad8f6466b911c6f48516fde5530234ed964d12a82e1e10a4a79130ee59fdc2076106d4f7460e036cdd0454da90272

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\NNgARlylElH1.bat
        Filesize

        207B

        MD5

        b3d18533605e931d66418ff37f04cf58

        SHA1

        aa39056ba8b2d6d62c8648dd72812432b290e5ea

        SHA256

        9aee914bc1d1bb723107e4634e9c3008fa69162534f8087605ed9e96ec68b0a1

        SHA512

        728b4ac8209e713ff82f885ffc9d7177b6ef1bd9b5a4dd76ff5b891568bfbbe08e2b8247991767a964700a81047f9a2dada6d0909e308519b4cbcb820129a537

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe
        Filesize

        655KB

        MD5

        43e5556cab3ba9cd353b0c6cf1548d75

        SHA1

        64cf51c0d612cb6276e59639071406c1d2e86702

        SHA256

        286ea33997e28cad2651bc27c091e45c3502c4c7f69e4f28965bf846cf9528b8

        SHA512

        edde4a5af40e65afbe4e212e356879277f9641e4b8d46950fed33397754fe87ff81a337623e6c5202776e1636cefcd58f0ed94a212e8dd25ba427a017fcb2bdf

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jsxbh4rn.zib.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit
      • memory/2776-5-0x00000000747A0000-0x0000000074F50000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2776-3-0x0000000004E90000-0x0000000004F22000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2776-0-0x00000000747AE000-0x00000000747AF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2776-71-0x00000000747AE000-0x00000000747AF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2776-4-0x0000000004F80000-0x0000000004F8A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/2776-72-0x00000000747A0000-0x0000000074F50000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2776-1-0x0000000000400000-0x000000000049E000-memory.dmp
        Filesize

        632KB

        Download
      • memory/2776-2-0x00000000048E0000-0x0000000004E84000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/2892-20-0x00000000747A0000-0x0000000074F50000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2892-23-0x00000000060A0000-0x00000000060DC000-memory.dmp
        Filesize

        240KB

        Download
      • memory/2892-22-0x00000000053B0000-0x00000000053C2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2892-78-0x00000000747A0000-0x0000000074F50000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2892-73-0x00000000747A0000-0x0000000074F50000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2892-21-0x0000000004F00000-0x0000000004F66000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2892-19-0x00000000004C0000-0x000000000056A000-memory.dmp
        Filesize

        680KB

        Download
      • memory/2892-18-0x00000000747A0000-0x0000000074F50000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/3004-44-0x0000000005F80000-0x0000000005FCC000-memory.dmp
        Filesize

        304KB

        Download
      • memory/3004-46-0x0000000006F20000-0x0000000006F52000-memory.dmp
        Filesize

        200KB

        Download
      • memory/3004-57-0x0000000006510000-0x000000000652E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/3004-58-0x0000000007160000-0x0000000007203000-memory.dmp
        Filesize

        652KB

        Download
      • memory/3004-59-0x00000000078C0000-0x0000000007F3A000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/3004-60-0x0000000007270000-0x000000000728A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/3004-61-0x00000000072E0000-0x00000000072EA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/3004-62-0x00000000074F0000-0x0000000007586000-memory.dmp
        Filesize

        600KB

        Download
      • memory/3004-63-0x0000000007470000-0x0000000007481000-memory.dmp
        Filesize

        68KB

        Download
      • memory/3004-64-0x00000000074A0000-0x00000000074AE000-memory.dmp
        Filesize

        56KB

        Download
      • memory/3004-65-0x00000000074B0000-0x00000000074C4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/3004-66-0x00000000075B0000-0x00000000075CA000-memory.dmp
        Filesize

        104KB

        Download
      • memory/3004-67-0x0000000007590000-0x0000000007598000-memory.dmp
        Filesize

        32KB

        Download
      • memory/3004-47-0x000000006E740000-0x000000006E78C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/3004-43-0x0000000005F50000-0x0000000005F6E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/3004-42-0x0000000005910000-0x0000000005C64000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/3004-31-0x0000000004FA0000-0x0000000004FC2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3004-32-0x00000000057B0000-0x0000000005816000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3004-30-0x0000000005080000-0x00000000056A8000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/3004-29-0x0000000002620000-0x0000000002656000-memory.dmp
        Filesize

        216KB

        Download