quasar | ce140c5a412462747256fb0c54a6d4ffd98a891fba26164a62fd2349c3f44982

Reason

Machine shutdown

General

Target

813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
Size

618KB
MD5

813f353b1285bcaea41f868746ab9fdd
SHA1

301209445bdfd758b1f647bdbcf1609ee07296e7
SHA256

ce140c5a412462747256fb0c54a6d4ffd98a891fba26164a62fd2349c3f44982
SHA512

1ef96e09c43a7c71395112c2a867e60259483585deeb60c122482d4e943b7eef7f432196eb62387655d819d29e8c64c98cf49b04623ff185924135b8aa128d38
SSDEEP

12288:LlZyWuK5AwBaCPY5OtC36PdbidyQPdF58SxXnkXnmHuYYOm:WZlwBaCPtC3+e4S1k0D

Score

10^/10

quasar venomrat windows defender security evasion persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Defender Security

C2

vilvaraj-32652.portmap.io:32652

Mutex

VNM_MUTEX_XoAJ77Kcpkuyjz4MJK

Attributes

encryption_key
5nIMwmTRG5wyVhouaxGb
install_name
Windows Defender Security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender Security
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/2088-7-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2088-7-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
Executes dropped EXE 2 IoCs

Processes:

Windows Defender Security.exeWindows Defender Security.exe

pid process

4736 Windows Defender Security.exe
1596 Windows Defender Security.exe

pid	process
4736	Windows Defender Security.exe
1596	Windows Defender Security.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\YmExSBNzQt = "C:\\Users\\Admin\\AppData\\Roaming\\fPKDAorSBW\\aTTSPgNpLj.exe"	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ip-api.com

flow	ioc
8	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exeWindows Defender Security.exe

description	pid	process	target process
PID 4600 set thread context of 2088	4600	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
PID 4736 set thread context of 1596	4736	Windows Defender Security.exe	Windows Defender Security.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3164 1596 WerFault.exe Windows Defender Security.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

320 schtasks.exe
2244 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2988 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1148 powershell.exe
1148 powershell.exe

pid	pid_target	process	target process
3164	1596	WerFault.exe	Windows Defender Security.exe

pid	process
320	schtasks.exe
2244	schtasks.exe

pid	process
2988	PING.EXE

pid	process
1148	powershell.exe
1148	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exepowershell.exeWindows Defender Security.exe

description	pid	process
Token: SeDebugPrivilege	2088	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	1596	Windows Defender Security.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exeWindows Defender Security.exe

description	pid	process	target process
PID 4600 wrote to memory of 2088	4600	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
PID 4600 wrote to memory of 2088	4600	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
PID 4600 wrote to memory of 2088	4600	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
PID 4600 wrote to memory of 2088	4600	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
PID 4600 wrote to memory of 2088	4600	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
PID 4600 wrote to memory of 2088	4600	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
PID 4600 wrote to memory of 2088	4600	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
PID 4600 wrote to memory of 2088	4600	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
PID 2088 wrote to memory of 320	2088	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	schtasks.exe
PID 2088 wrote to memory of 320	2088	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	schtasks.exe
PID 2088 wrote to memory of 320	2088	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	schtasks.exe
PID 2088 wrote to memory of 4736	2088	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	Windows Defender Security.exe
PID 2088 wrote to memory of 4736	2088	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	Windows Defender Security.exe
PID 2088 wrote to memory of 4736	2088	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	Windows Defender Security.exe
PID 2088 wrote to memory of 1148	2088	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	powershell.exe
PID 2088 wrote to memory of 1148	2088	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	powershell.exe
PID 2088 wrote to memory of 1148	2088	813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe	powershell.exe
PID 4736 wrote to memory of 1596	4736	Windows Defender Security.exe	Windows Defender Security.exe
PID 4736 wrote to memory of 1596	4736	Windows Defender Security.exe	Windows Defender Security.exe
PID 4736 wrote to memory of 1596	4736	Windows Defender Security.exe	Windows Defender Security.exe
PID 4736 wrote to memory of 1596	4736	Windows Defender Security.exe	Windows Defender Security.exe
PID 4736 wrote to memory of 1596	4736	Windows Defender Security.exe	Windows Defender Security.exe
PID 4736 wrote to memory of 1596	4736	Windows Defender Security.exe	Windows Defender Security.exe
PID 4736 wrote to memory of 1596	4736	Windows Defender Security.exe	Windows Defender Security.exe
PID 4736 wrote to memory of 1596	4736	Windows Defender Security.exe	Windows Defender Security.exe

C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Windows security modification
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Defender Security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:320
- - C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1596
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:2244
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Do7OeynllTJt.bat" "
        5⤵
        
        PID:4936
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2660
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:2988
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 2008
        5⤵
        Program crash
        
        PID:3164
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1596 -ip 1596
1⤵
PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe.log

Filesize
507B

MD5
76ffb2f33cb32ade8fc862a67599e9d8

SHA1
920cc4ab75b36d2f9f6e979b74db568973c49130

SHA256
f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310

SHA512
f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Do7OeynllTJt.bat

Filesize
226B

MD5
3a08910d46544039671848a9ceae58a6

SHA1
3239fa4fe4823d6aa8bbcd3abb856d166f3888b5

SHA256
95c8bb8f7f1055912b2ac4295f0cbd0758a2c5a0589515ac689099f179b31ed6

SHA512
5c29543b15924a4d0fb8b87b4e36fb4bd24b2320f37a68b5194ac5aa55ad89e3e06d5019b9dad0da6dd3bfd215916a0c3774cf501e57b90b3f5edf596243c2b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qhzy44qs.bnt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe

Filesize
618KB

MD5
813f353b1285bcaea41f868746ab9fdd

SHA1
301209445bdfd758b1f647bdbcf1609ee07296e7

SHA256
ce140c5a412462747256fb0c54a6d4ffd98a891fba26164a62fd2349c3f44982

SHA512
1ef96e09c43a7c71395112c2a867e60259483585deeb60c122482d4e943b7eef7f432196eb62387655d819d29e8c64c98cf49b04623ff185924135b8aa128d38

Download Submit
memory/1148-58-0x0000000007000000-0x000000000701A000-memory.dmp

Filesize
104KB

Download
memory/1148-55-0x0000000006EC0000-0x0000000006F63000-memory.dmp

Filesize
652KB

Download
memory/1148-31-0x0000000005730000-0x0000000005A84000-memory.dmp

Filesize
3.3MB

Download
memory/1148-70-0x0000000007320000-0x0000000007328000-memory.dmp

Filesize
32KB

Download
memory/1148-69-0x0000000007340000-0x000000000735A000-memory.dmp

Filesize
104KB

Download
memory/1148-68-0x0000000007240000-0x0000000007254000-memory.dmp

Filesize
80KB

Download
memory/1148-67-0x0000000007230000-0x000000000723E000-memory.dmp

Filesize
56KB

Download
memory/1148-65-0x0000000007200000-0x0000000007211000-memory.dmp

Filesize
68KB

Download
memory/1148-64-0x0000000007280000-0x0000000007316000-memory.dmp

Filesize
600KB

Download
memory/1148-60-0x0000000007070000-0x000000000707A000-memory.dmp

Filesize
40KB

Download
memory/1148-57-0x0000000007650000-0x0000000007CCA000-memory.dmp

Filesize
6.5MB

Download
memory/1148-42-0x0000000005E30000-0x0000000005E7C000-memory.dmp

Filesize
304KB

Download
memory/1148-22-0x00000000023B0000-0x00000000023E6000-memory.dmp

Filesize
216KB

Download
memory/1148-23-0x0000000005020000-0x0000000005648000-memory.dmp

Filesize
6.2MB

Download
memory/1148-29-0x0000000004F30000-0x0000000004F96000-memory.dmp

Filesize
408KB

Download
memory/1148-28-0x0000000004D10000-0x0000000004D32000-memory.dmp

Filesize
136KB

Download
memory/1148-43-0x00000000062A0000-0x00000000062D2000-memory.dmp

Filesize
200KB

Download
memory/1148-44-0x000000006FCE0000-0x000000006FD2C000-memory.dmp

Filesize
304KB

Download
memory/1148-54-0x0000000006280000-0x000000000629E000-memory.dmp

Filesize
120KB

Download
memory/1148-41-0x0000000005CE0000-0x0000000005CFE000-memory.dmp

Filesize
120KB

Download
memory/1596-59-0x0000000006FE0000-0x0000000006FEA000-memory.dmp

Filesize
40KB

Download
memory/2088-15-0x00000000064D0000-0x000000000650C000-memory.dmp

Filesize
240KB

Download
memory/2088-7-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2088-14-0x0000000005690000-0x00000000056A2000-memory.dmp

Filesize
72KB

Download
memory/2088-13-0x0000000005110000-0x0000000005176000-memory.dmp

Filesize
408KB

Download
memory/2088-11-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/2088-12-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4600-10-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4600-4-0x0000000005880000-0x000000000591C000-memory.dmp

Filesize
624KB

Download
memory/4600-6-0x00000000031F0000-0x00000000031FA000-memory.dmp

Filesize
40KB

Download
memory/4600-0-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/4600-3-0x0000000005780000-0x0000000005812000-memory.dmp

Filesize
584KB

Download
memory/4600-2-0x0000000005E30000-0x00000000063D4000-memory.dmp

Filesize
5.6MB

Download
memory/4600-1-0x0000000000C50000-0x0000000000CF2000-memory.dmp

Filesize
648KB

Download
memory/4736-21-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4736-30-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads