General

  • Target

    76869ef841f2820d0bbadddc46fc3c9a_JaffaCakes118

  • Size

    615KB

  • Sample

    240727-bpnxnazhkd

  • MD5

    76869ef841f2820d0bbadddc46fc3c9a

  • SHA1

    e827d9b426e4ef75f31e6e9d81f47e70da3ac3a2

  • SHA256

    29533c09c2ca85885835c2c3cbe3cba61b4310f14c170cc52bfc0d1bbf1779f5

  • SHA512

    582047f529fae9eacf9b4c762904b21c1d430d219e77b9bc65730e89c00be5f666a452f95cd1b0af067480eb9abd4446bf9431aa4afe2a4f68ad8226d1c11995

  • SSDEEP

    6144:QYhWwTVvvVDzRW1BHH3g1NWT+AKYEM+gW4SmSMX0zCVsVwX+v456/bT8GoaEKwae:dhHTVXFRW1ZpK2bNV0CgwuX8GmkAh

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

RAT

C2

23.105.131.178:7812

Mutex

VNM_MUTEX_It9SqdFDNndEItXfKp

Attributes
  • encryption_key

    txgQXKaATimN7DY8jnPH

  • install_name

    Windows Defender Security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Update

  • subdirectory

    Microsoft

Targets

    • Target

      76869ef841f2820d0bbadddc46fc3c9a_JaffaCakes118

    • Size

      615KB

    • MD5

      76869ef841f2820d0bbadddc46fc3c9a

    • SHA1

      e827d9b426e4ef75f31e6e9d81f47e70da3ac3a2

    • SHA256

      29533c09c2ca85885835c2c3cbe3cba61b4310f14c170cc52bfc0d1bbf1779f5

    • SHA512

      582047f529fae9eacf9b4c762904b21c1d430d219e77b9bc65730e89c00be5f666a452f95cd1b0af067480eb9abd4446bf9431aa4afe2a4f68ad8226d1c11995

    • SSDEEP

      6144:QYhWwTVvvVDzRW1BHH3g1NWT+AKYEM+gW4SmSMX0zCVsVwX+v456/bT8GoaEKwae:dhHTVXFRW1ZpK2bNV0CgwuX8GmkAh

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks