Analysis

  • max time kernel
    128s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-06-2024 05:26

General

  • Target

    017d1ddeb4f16982eda16fe8f07c63e6_JaffaCakes118.exe

  • Size

    2.6MB

  • MD5

    017d1ddeb4f16982eda16fe8f07c63e6

  • SHA1

    ac0bca32f8eb453aad9df1b9fb0ca6dad9d70556

  • SHA256

    317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87

  • SHA512

    d0439cdcea450461ce8f61121b86fada72abd52d13251e47d76949aa9ce370c8bc64169be96719e7010411fe92d8194db9835df1825490da4bc283b1660886bc

  • SSDEEP

    49152:sslxW0qtwxdh9Q7Wm1kX8sp1ua2oUHXN5Wr7Pf:nlwTtWhs1a8KOVHXNgXf

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

RAT

C2

23.105.131.178:7812

Mutex

VNM_MUTEX_It9SqdFDNndEItXfKp

Attributes
  • encryption_key

    txgQXKaATimN7DY8jnPH

  • install_name

    Windows Defender Security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Update

  • subdirectory

    Microsoft

Signatures

  • Contains code to disable Windows Defender (9 IoCs)

    A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 4 IoCs)
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload (9 IoCs)
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilities.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (4 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Windows security modification (2 TTPs, 2 IoCs)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe (1 TTP, 1 IoC)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (9 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (62 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\017d1ddeb4f16982eda16fe8f07c63e6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\017d1ddeb4f16982eda16fe8f07c63e6_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Users\Admin\AppData\Local\Temp\017d1ddeb4f16982eda16fe8f07c63e6_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\017d1ddeb4f16982eda16fe8f07c63e6_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:848
      • C:\Users\Admin\AppData\Local\Temp\AMAZON VALID EMAILS CHECKER BY X-SLAYER.EXE
        "C:\Users\Admin\AppData\Local\Temp\AMAZON VALID EMAILS CHECKER BY X-SLAYER.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2992
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2992 -s 608
          4⤵
            PID:2264
        • C:\Users\Admin\AppData\Local\Temp\WINDOWS DEFENDER SECURITY.EXE
          "C:\Users\Admin\AppData\Local\Temp\WINDOWS DEFENDER SECURITY.EXE"
          3⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Loads dropped DLL
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2876
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\WINDOWS DEFENDER SECURITY.EXE" /rl HIGHEST /f
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2092
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1756
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1900
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "powershell" Get-MpPreference -verbose
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2800
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1664
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
              5⤵
              • Deletes itself
              PID:3012
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\xRIwx57tIPdL.bat" "
            4⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1604
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              5⤵
                PID:1500
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 10 localhost
                5⤵
                • Runs ping.exe
                PID:3064
              • C:\Users\Admin\AppData\Local\Temp\WINDOWS DEFENDER SECURITY.EXE
                "C:\Users\Admin\AppData\Local\Temp\WINDOWS DEFENDER SECURITY.EXE"
                5⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2412

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      • C:\Users\Admin\AppData\Local\Temp\AMAZON VALID EMAILS CHECKER BY X-SLAYER.EXE

        Filesize

        803KB

        MD5

        305aa19532d3f9b073a00554136f0e98

        SHA1

        e09303e02e1205319979676e73aff57b69ea8c17

        SHA256

        5d7840b21dfc68963642589e4089f762cb4af25653ed66db8ff880efbe8b86c6

        SHA512

        1b078b431a12e869d6aa9c0bf44815934d6c1548ba8f09f37ddccd0988a3bcd2dc40944ddcb53003f1a259c26576f37fa9cec7a8ca1285ddbb459f66e297f83a

      • C:\Users\Admin\AppData\Local\Temp\Tar34FC.tmp

        Filesize

        181KB

        MD5

        4ea6026cf93ec6338144661bf1202cd1

        SHA1

        a1dec9044f750ad887935a01430bf49322fbdcb7

        SHA256

        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

        SHA512

        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      • C:\Users\Admin\AppData\Local\Temp\xRIwx57tIPdL.bat

        Filesize

        222B

        MD5

        3d7374adbf4b89091d94a1379d0855f1

        SHA1

        8fcf11900246e2718ceff2617d8a338b4795122c

        SHA256

        d036e3f5305380f6409d43c8775e46ad7f9e17612d8ba92ffe37461587e266e7

        SHA512

        2f5afb289c2281121db703ad6edf904f212e3be3573f749d8a6f8af4b78dc8c146b4b7e2a88f1050cfc4cbb033aea4e44087b0bcf097a9aa0c1a1db5154638d7

      • \Users\Admin\AppData\Local\Temp\WINDOWS DEFENDER SECURITY.EXE

        Filesize

        535KB

        MD5

        0bd3018c9c566328497be54c7d882159

        SHA1

        8d90c23ee373ab935ba930f25c96374762c4a5a6

        SHA256

        026971c3fba531247627dd9f3f7d51c566d8df28a52332bd3d0eb8ca55d96176

        SHA512

        90cfde84ae14de5151c4950b8f8fe05d108a9716f3e0c104e2793a9c8bbb6a4385fe24a1bd9bc020cd061a128bb258ef44ef8679ac4b0e8a280107b22ed9e8cc

      • memory/848-20-0x0000000000400000-0x0000000000564000-memory.dmp

        Filesize

        1.4MB

      • memory/848-13-0x0000000000400000-0x0000000000564000-memory.dmp

        Filesize

        1.4MB

      • memory/848-18-0x0000000000400000-0x0000000000564000-memory.dmp

        Filesize

        1.4MB

      • memory/848-22-0x0000000000400000-0x0000000000564000-memory.dmp

        Filesize

        1.4MB

      • memory/848-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/848-15-0x0000000000400000-0x0000000000564000-memory.dmp

        Filesize

        1.4MB

      • memory/848-11-0x0000000000400000-0x0000000000564000-memory.dmp

        Filesize

        1.4MB

      • memory/848-9-0x0000000000400000-0x0000000000564000-memory.dmp

        Filesize

        1.4MB

      • memory/848-8-0x0000000000400000-0x0000000000564000-memory.dmp

        Filesize

        1.4MB

      • memory/848-35-0x0000000000400000-0x0000000000564000-memory.dmp

        Filesize

        1.4MB

      • memory/848-5-0x0000000000400000-0x0000000000564000-memory.dmp

        Filesize

        1.4MB

      • memory/1672-28-0x0000000074B10000-0x00000000751FE000-memory.dmp

        Filesize

        6.9MB

      • memory/1672-4-0x0000000000280000-0x000000000028A000-memory.dmp

        Filesize

        40KB

      • memory/1672-0-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

        Filesize

        4KB

      • memory/1672-3-0x0000000004F10000-0x0000000005042000-memory.dmp

        Filesize

        1.2MB

      • memory/1672-2-0x0000000074B10000-0x00000000751FE000-memory.dmp

        Filesize

        6.9MB

      • memory/1672-1-0x0000000001000000-0x00000000012A0000-memory.dmp

        Filesize

        2.6MB

      • memory/1756-48-0x00000000012B0000-0x000000000133C000-memory.dmp

        Filesize

        560KB

      • memory/2412-120-0x0000000000290000-0x000000000031C000-memory.dmp

        Filesize

        560KB

      • memory/2876-37-0x0000000000B90000-0x0000000000C1C000-memory.dmp

        Filesize

        560KB

      • memory/2992-38-0x0000000000C30000-0x0000000000D02000-memory.dmp

        Filesize

        840KB

      • memory/2992-39-0x00000000002C0000-0x00000000002C6000-memory.dmp

        Filesize

        24KB

      • memory/2992-40-0x000000001B570000-0x000000001B6CC000-memory.dmp

        Filesize

        1.4MB