Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    29-05-2024 15:51

General

  • Target

    813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe

  • Size

    618KB

  • MD5

    813f353b1285bcaea41f868746ab9fdd

  • SHA1

    301209445bdfd758b1f647bdbcf1609ee07296e7

  • SHA256

    ce140c5a412462747256fb0c54a6d4ffd98a891fba26164a62fd2349c3f44982

  • SHA512

    1ef96e09c43a7c71395112c2a867e60259483585deeb60c122482d4e943b7eef7f432196eb62387655d819d29e8c64c98cf49b04623ff185924135b8aa128d38

  • SSDEEP

    12288:LlZyWuK5AwBaCPY5OtC36PdbidyQPdF58SxXnkXnmHuYYOm:WZlwBaCPtC3+e4S1k0D

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Defender Security

C2

vilvaraj-32652.portmap.io:32652

Mutex

VNM_MUTEX_XoAJ77Kcpkuyjz4MJK

Attributes
  • encryption_key

    5nIMwmTRG5wyVhouaxGb

  • install_name

    Windows Defender Security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Defender Security

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 5 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 5 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 10 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Loads dropped DLL
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2868
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Windows Defender Security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2788
      • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
          4⤵
          • Executes dropped EXE
          PID:2548
        • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
          4⤵
          • Executes dropped EXE
          PID:2204
        • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
          4⤵
          • Executes dropped EXE
          PID:2512
        • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2564
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "Windows Defender Security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:2940
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\BVPHdEHRPMhT.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1612
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              6⤵
                PID:1540
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 10 localhost
                6⤵
                • Runs ping.exe
                PID:2396
              • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
                "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1292
                • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
                  7⤵
                  • Executes dropped EXE
                  PID:1224
                • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
                  7⤵
                  • Executes dropped EXE
                  PID:2064
                • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2308
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1468
              5⤵
              • Loads dropped DLL
              • Program crash
              PID:2460
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Get-MpPreference -verbose
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2524
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
          3⤵
            PID:2684
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
              4⤵
                PID:576
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\XD7tDiXpWjxx.bat" "
              3⤵
                PID:2384
                • C:\Windows\SysWOW64\chcp.com
                  chcp 65001
                  4⤵
                    PID:1764
                  • C:\Windows\SysWOW64\PING.EXE
                    ping -n 10 localhost
                    4⤵
                    • Runs ping.exe
                    PID:1356
                  • C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
                    "C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe"
                    4⤵
                    • Suspicious use of SetThreadContext
                    PID:752
                    • C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
                      "C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe"
                      5⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2212

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\BVPHdEHRPMhT.bat

              Filesize

              226B

              MD5

              76226eeb4eb0b9d7aa482eeef3d049fa

              SHA1

              d9e8c59757018d85e1932831b23a28186222507f

              SHA256

              7f6efa931854c0f5400e8cc4a828af4fe26cc4b10bb5f4da1883b0abffc56efc

              SHA512

              9a11d4cfe3d290a1508532dd5cdbf18ed1240fac0377f84bd2835bde04a00112268a60bab6c274406cd773a1c402d408462c33b9d25d288af50b0a2c9dc9e787

            • C:\Users\Admin\AppData\Local\Temp\XD7tDiXpWjxx.bat

              Filesize

              243B

              MD5

              304176c8d670b08df6c6f5344e5fdee7

              SHA1

              0c4f618cc813cd66c05d0b8a4e31121bfd4b5cd3

              SHA256

              78cae96ffb8032f1d4ec5e1a70de697baa508d0eb0c660f39a4fd08b3847171d

              SHA512

              e8be96d5f1197c865651517db8886c6e50b0a665620a2159c017007cc4e2b5a1f3bf6fb28f34f786d34d64325bc4572f01962ee4aafd96b889da86d82da07b5d

            • \Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe

              Filesize

              618KB

              MD5

              813f353b1285bcaea41f868746ab9fdd

              SHA1

              301209445bdfd758b1f647bdbcf1609ee07296e7

              SHA256

              ce140c5a412462747256fb0c54a6d4ffd98a891fba26164a62fd2349c3f44982

              SHA512

              1ef96e09c43a7c71395112c2a867e60259483585deeb60c122482d4e943b7eef7f432196eb62387655d819d29e8c64c98cf49b04623ff185924135b8aa128d38

            • memory/752-89-0x00000000010D0000-0x0000000001172000-memory.dmp

              Filesize

              648KB

            • memory/1916-1-0x0000000000340000-0x00000000003E2000-memory.dmp

              Filesize

              648KB

            • memory/1916-3-0x0000000000200000-0x000000000020A000-memory.dmp

              Filesize

              40KB

            • memory/1916-0-0x0000000074DFE000-0x0000000074DFF000-memory.dmp

              Filesize

              4KB

            • memory/2212-98-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

              Filesize

              4KB

            • memory/2564-40-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

              Filesize

              4KB

            • memory/2728-24-0x00000000001C0000-0x0000000000262000-memory.dmp

              Filesize

              648KB

            • memory/2868-12-0x0000000000400000-0x000000000048C000-memory.dmp

              Filesize

              560KB

            • memory/2868-16-0x0000000074DF0000-0x00000000754DE000-memory.dmp

              Filesize

              6.9MB

            • memory/2868-15-0x0000000074DF0000-0x00000000754DE000-memory.dmp

              Filesize

              6.9MB

            • memory/2868-6-0x0000000000400000-0x000000000048C000-memory.dmp

              Filesize

              560KB

            • memory/2868-5-0x0000000000400000-0x000000000048C000-memory.dmp

              Filesize

              560KB

            • memory/2868-4-0x0000000000400000-0x000000000048C000-memory.dmp

              Filesize

              560KB

            • memory/2868-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

              Filesize

              4KB

            • memory/2868-78-0x0000000074DF0000-0x00000000754DE000-memory.dmp

              Filesize

              6.9MB

            • memory/2868-10-0x0000000000400000-0x000000000048C000-memory.dmp

              Filesize

              560KB

            • memory/2868-87-0x0000000074DF0000-0x00000000754DE000-memory.dmp

              Filesize

              6.9MB

            • memory/2868-14-0x0000000000400000-0x000000000048C000-memory.dmp

              Filesize

              560KB

            • memory/2868-7-0x0000000000400000-0x000000000048C000-memory.dmp

              Filesize

              560KB