Overview

overview

10

Static

static

3

76869ef841...18.exe

windows7-x64

10

76869ef841...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    130s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-07-2024 01:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    76869ef841f2820d0bbadddc46fc3c9a_JaffaCakes118.exe

  • Size

    615KB

  • MD5

    76869ef841f2820d0bbadddc46fc3c9a

  • SHA1

    e827d9b426e4ef75f31e6e9d81f47e70da3ac3a2

  • SHA256

    29533c09c2ca85885835c2c3cbe3cba61b4310f14c170cc52bfc0d1bbf1779f5

  • SHA512

    582047f529fae9eacf9b4c762904b21c1d430d219e77b9bc65730e89c00be5f666a452f95cd1b0af067480eb9abd4446bf9431aa4afe2a4f68ad8226d1c11995

  • SSDEEP

    6144:QYhWwTVvvVDzRW1BHH3g1NWT+AKYEM+gW4SmSMX0zCVsVwX+v456/bT8GoaEKwae:dhHTVXFRW1ZpK2bNV0CgwuX8GmkAh

Score
10/10
quasarvenomratratdiscoveryevasionratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

RAT

C2

23.105.131.178:7812

Mutex

VNM_MUTEX_It9SqdFDNndEItXfKp

Attributes
  • encryption_key

    txgQXKaATimN7DY8jnPH

  • install_name

    Windows Defender Security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Update

  • subdirectory

    Microsoft

Signatures

  • Contains code to disable Windows Defender 2 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\76869ef841f2820d0bbadddc46fc3c9a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\76869ef841f2820d0bbadddc46fc3c9a_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3704
    • C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe
      "C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Checks computer location settings
      • Executes dropped EXE
      • Windows security modification
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4928
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe" /rl HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2312
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4892
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe" /rl HIGHEST /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:3936
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5064
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4196
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3196
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rI3EHTyJ89cy.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4848
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4128
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 10 localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2576
        • C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe
          "C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

Remote System Discovery

1
T1018

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Defender Security.exe.log
    Filesize

    1KB

    MD5

    10eab9c2684febb5327b6976f2047587

    SHA1

    a12ed54146a7f5c4c580416aecb899549712449e

    SHA256

    f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

    SHA512

    7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_50fzcwqq.fbx.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rI3EHTyJ89cy.bat
    Filesize

    219B

    MD5

    7f101d01c35d507b20c78749a3b40c7f

    SHA1

    1b982ef132e1d738032ca889ec7054114178d322

    SHA256

    4362d8fb26d8bf754953ec68def21af2231edcb9a4763872f6a0fc9974643651

    SHA512

    61cd553a2bd6ee766af10494c0d58cff3afb5c6c763ecd9e0fccb4748992be7dd66c9e71cbc9b2654e0ba740b443eedac93de4a2766d2913d90fdf25a5556c79

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe
    Filesize

    535KB

    MD5

    0bd3018c9c566328497be54c7d882159

    SHA1

    8d90c23ee373ab935ba930f25c96374762c4a5a6

    SHA256

    026971c3fba531247627dd9f3f7d51c566d8df28a52332bd3d0eb8ca55d96176

    SHA512

    90cfde84ae14de5151c4950b8f8fe05d108a9716f3e0c104e2793a9c8bbb6a4385fe24a1bd9bc020cd061a128bb258ef44ef8679ac4b0e8a280107b22ed9e8cc

    Download Submit

  • memory/3704-1-0x0000000074B80000-0x0000000075131000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3704-2-0x0000000074B80000-0x0000000075131000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3704-0-0x0000000074B82000-0x0000000074B83000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3704-16-0x0000000074B80000-0x0000000075131000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4892-29-0x0000000071D50000-0x0000000072500000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4892-74-0x0000000071D50000-0x0000000072500000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4892-56-0x0000000006BF0000-0x0000000006BFA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4928-21-0x0000000005570000-0x00000000055D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4928-23-0x0000000006810000-0x000000000684C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4928-22-0x00000000062D0000-0x00000000062E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4928-20-0x0000000071D50000-0x0000000072500000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4928-80-0x0000000071D50000-0x0000000072500000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4928-19-0x0000000005460000-0x00000000054F2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4928-18-0x0000000005B20000-0x00000000060C4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4928-17-0x00000000009D0000-0x0000000000A5C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/4928-73-0x0000000071D50000-0x0000000072500000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4928-15-0x0000000071D5E000-0x0000000071D5F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4928-72-0x0000000071D5E000-0x0000000071D5F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5064-45-0x0000000005EF0000-0x0000000005F3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5064-48-0x000000006FE30000-0x000000006FE7C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5064-47-0x0000000006490000-0x00000000064C2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/5064-59-0x0000000007080000-0x000000000709E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/5064-60-0x00000000070B0000-0x0000000007153000-memory.dmp

    Filesize

    652KB

    Download

  • memory/5064-61-0x0000000007820000-0x0000000007E9A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/5064-62-0x00000000071E0000-0x00000000071FA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/5064-63-0x0000000007250000-0x000000000725A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5064-64-0x0000000007460000-0x00000000074F6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/5064-65-0x00000000073E0000-0x00000000073F1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/5064-66-0x0000000007410000-0x000000000741E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/5064-67-0x0000000007420000-0x0000000007434000-memory.dmp

    Filesize

    80KB

    Download

  • memory/5064-68-0x0000000007520000-0x000000000753A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/5064-69-0x0000000007500000-0x0000000007508000-memory.dmp

    Filesize

    32KB

    Download

  • memory/5064-44-0x0000000005EB0000-0x0000000005ECE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/5064-43-0x0000000005AC0000-0x0000000005E14000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/5064-38-0x0000000005800000-0x0000000005866000-memory.dmp

    Filesize

    408KB

    Download

  • memory/5064-32-0x0000000004F10000-0x0000000004F32000-memory.dmp

    Filesize

    136KB

    Download

  • memory/5064-31-0x0000000004FA0000-0x00000000055C8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/5064-30-0x00000000025B0000-0x00000000025E6000-memory.dmp

    Filesize

    216KB

    Download