Overview

overview

10

Static

static

3

a500424ebd...18.exe

windows7-x64

10

a500424ebd...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    13-06-2024 10:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a500424ebd54b1e006ccad65266562e3_JaffaCakes118.exe

  • Size

    303KB

  • MD5

    a500424ebd54b1e006ccad65266562e3

  • SHA1

    18be3591da1c3d79aee29026c30c67567e3b2bad

  • SHA256

    e4b0894af3fb7948dd92288339cf2fda627c26ec25b4d37c1620f6c005c0c01c

  • SHA512

    c197f02534c15b82f81def7d60349fba1e72c0b82d8b11fe64856a7ae7833e9d9d70d723bac8e1809ceda2cc9c76eb87025199230ba08ebc89bde2f6b71931ec

  • SSDEEP

    6144:7VPN+C5cB6NYR+perZTyhGupmUfr7MUYbW2KrFrg30RSsBWRzPDzWrkpeF4+:JPN+C5cB6pGTggGHUUrdgEAsotMk

Score
10/10
quasarvenomratoffice04ratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    3000

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

myconect.ddns.net:6606

Mutex

VNM_MUTEX_bW2Pm17MwUNvIYeCrf

Attributes
  • encryption_key

    skMcIyTXgvAaYya6lzLD

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 3 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 3 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a500424ebd54b1e006ccad65266562e3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a500424ebd54b1e006ccad65266562e3_JaffaCakes118.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2344
    • \??\c:\windows\system32\cmstp.exe
      "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\m5wb5ahw.inf
      2⤵
        PID:1580
    • C:\Windows\system32\cmd.exe
      cmd /c start C:\Windows\temp\1px2fb0i.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Windows\temp\1px2fb0i.exe
        C:\Windows\temp\1px2fb0i.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2552
    • C:\Windows\system32\taskkill.exe
      taskkill /IM cmstp.exe /F
      1⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2712

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\temp\1px2fb0i.exe
      Filesize

      534KB

      MD5

      e4dc9cb250120aebeee969906d1a7a22

      SHA1

      c0f9d3a2531cc25e212d9adbf8614903d8a6247e

      SHA256

      14de179b37e9958b3a1d22f22b0bb545be1cb166aeaf5a4892ccd616ee7e544f

      SHA512

      21461e4fdc16ba99ae24a1f2fa39465678e851591d7402c762a04bf286b9ec8230a0acd147f0c9d54fb6a3428be1851c4d75f46b6cf917a44b3b399e8897667b

      Download Submit

    • C:\Windows\temp\m5wb5ahw.inf
      Filesize

      606B

      MD5

      562d59edcf23445df6668b42be4a790b

      SHA1

      400bf29208468dcac16c983a245917d17115a263

      SHA256

      87567cc3874289f3b5787d1b120fb2737fb254ec61c4a692a449da37d2059c53

      SHA512

      8dc716821cd6d6cc19f6ad2975e2031d26f6ae3185e6e49da8eb077d0d4e0375d4c4b4174e46b3601cc6e0dfdd2c5fea301303bb458adeb1935dff2c3d98477a

      Download Submit

    • memory/2344-11-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2344-13-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2344-2-0x0000000000C10000-0x0000000000C9E000-memory.dmp

      Filesize

      568KB

      Download

    • memory/2344-7-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2344-8-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2344-9-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2344-10-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2344-12-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2344-0-0x000007FEF56E3000-0x000007FEF56E4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2344-3-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2344-14-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2344-15-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2344-16-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2344-17-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2344-18-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2344-19-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2344-1-0x0000000001330000-0x0000000001382000-memory.dmp

      Filesize

      328KB

      Download

    • memory/2552-22-0x00000000012F0000-0x000000000137C000-memory.dmp

      Filesize

      560KB

      Download