Analysis
-
max time kernel
143s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
22-06-2024 05:26
General
-
Target
017d1ddeb4f16982eda16fe8f07c63e6_JaffaCakes118.exe
-
Size
2.6MB
-
MD5
017d1ddeb4f16982eda16fe8f07c63e6
-
SHA1
ac0bca32f8eb453aad9df1b9fb0ca6dad9d70556
-
SHA256
317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87
-
SHA512
d0439cdcea450461ce8f61121b86fada72abd52d13251e47d76949aa9ce370c8bc64169be96719e7010411fe92d8194db9835df1825490da4bc283b1660886bc
-
SSDEEP
49152:sslxW0qtwxdh9Q7Wm1kX8sp1ua2oUHXN5Wr7Pf:nlwTtWhs1a8KOVHXNgXf
Malware Config
Extracted
quasar
2.1.0.0
RAT
23.105.131.178:7812
VNM_MUTEX_It9SqdFDNndEItXfKp
-
encryption_key
txgQXKaATimN7DY8jnPH
-
install_name
Windows Defender Security.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Update
-
subdirectory
Microsoft
Signatures
-
Contains code to disable Windows Defender 8 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 7 IoCs
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 45 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\017d1ddeb4f16982eda16fe8f07c63e6_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\017d1ddeb4f16982eda16fe8f07c63e6_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\017d1ddeb4f16982eda16fe8f07c63e6_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\017d1ddeb4f16982eda16fe8f07c63e6_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AMAZON VALID EMAILS CHECKER BY X-SLAYER.EXE"C:\Users\Admin\AppData\Local\Temp\AMAZON VALID EMAILS CHECKER BY X-SLAYER.EXE"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\WINDOWS DEFENDER SECURITY.EXE"C:\Users\Admin\AppData\Local\Temp\WINDOWS DEFENDER SECURITY.EXE"3⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\WINDOWS DEFENDER SECURITY.EXE" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOe4fztH5FfQ.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\WINDOWS DEFENDER SECURITY.EXE"C:\Users\Admin\AppData\Local\Temp\WINDOWS DEFENDER SECURITY.EXE"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4264,i,5229431749694857451,16836185654682871752,262144 --variations-seed-version --mojo-platform-channel-handle=3524 /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD510eab9c2684febb5327b6976f2047587
SHA1a12ed54146a7f5c4c580416aecb899549712449e
SHA256f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
SHA5127e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50
-
Filesize
803KB
MD5305aa19532d3f9b073a00554136f0e98
SHA1e09303e02e1205319979676e73aff57b69ea8c17
SHA2565d7840b21dfc68963642589e4089f762cb4af25653ed66db8ff880efbe8b86c6
SHA5121b078b431a12e869d6aa9c0bf44815934d6c1548ba8f09f37ddccd0988a3bcd2dc40944ddcb53003f1a259c26576f37fa9cec7a8ca1285ddbb459f66e297f83a
-
Filesize
222B
MD5bbb10ceb91723efcb5f9489362d70bd1
SHA10c62c8aaad20c924fdccc99986082a2446bc633c
SHA256352dc0c0c26223bb3a61321bc622a0209b5db3f4544b05cc60343d33bd99f116
SHA512e48507ec076142a92b0962c8d7e2eaa5caf79b993e8e78cfedd2f99369c4ccb83ac8ed1acf5a7b88f9345ab23670f2757d94ae6163acb1ac0d7429aff56c1148
-
Filesize
535KB
MD50bd3018c9c566328497be54c7d882159
SHA18d90c23ee373ab935ba930f25c96374762c4a5a6
SHA256026971c3fba531247627dd9f3f7d51c566d8df28a52332bd3d0eb8ca55d96176
SHA51290cfde84ae14de5151c4950b8f8fe05d108a9716f3e0c104e2793a9c8bbb6a4385fe24a1bd9bc020cd061a128bb258ef44ef8679ac4b0e8a280107b22ed9e8cc
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
64KB
-
Filesize
24KB
-
Filesize
840KB
-
Filesize
1.4MB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
240KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
560KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
6.2MB
-
Filesize
652KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
80KB
-
Filesize
216KB
-
Filesize
56KB
-
Filesize
68KB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
600KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
120KB
-
Filesize
40KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.2MB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
2.6MB
-
Filesize
7.7MB