General

  • Target

    813f353b1285bcaea41f868746ab9fdd_JaffaCakes118

  • Size

    618KB

  • Sample

    240529-taflvaba4y

  • MD5

    813f353b1285bcaea41f868746ab9fdd

  • SHA1

    301209445bdfd758b1f647bdbcf1609ee07296e7

  • SHA256

    ce140c5a412462747256fb0c54a6d4ffd98a891fba26164a62fd2349c3f44982

  • SHA512

    1ef96e09c43a7c71395112c2a867e60259483585deeb60c122482d4e943b7eef7f432196eb62387655d819d29e8c64c98cf49b04623ff185924135b8aa128d38

  • SSDEEP

    12288:LlZyWuK5AwBaCPY5OtC36PdbidyQPdF58SxXnkXnmHuYYOm:WZlwBaCPtC3+e4S1k0D

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Defender Security

C2

vilvaraj-32652.portmap.io:32652

Mutex

VNM_MUTEX_XoAJ77Kcpkuyjz4MJK

Attributes
  • encryption_key

    5nIMwmTRG5wyVhouaxGb

  • install_name

    Windows Defender Security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Defender Security

  • subdirectory

    SubDir

Targets

    • Target

      813f353b1285bcaea41f868746ab9fdd_JaffaCakes118

    • Size

      618KB

    • MD5

      813f353b1285bcaea41f868746ab9fdd

    • SHA1

      301209445bdfd758b1f647bdbcf1609ee07296e7

    • SHA256

      ce140c5a412462747256fb0c54a6d4ffd98a891fba26164a62fd2349c3f44982

    • SHA512

      1ef96e09c43a7c71395112c2a867e60259483585deeb60c122482d4e943b7eef7f432196eb62387655d819d29e8c64c98cf49b04623ff185924135b8aa128d38

    • SSDEEP

      12288:LlZyWuK5AwBaCPY5OtC36PdbidyQPdF58SxXnkXnmHuYYOm:WZlwBaCPtC3+e4S1k0D

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks