quasar | f1f367c2bd3c1bc93a4c4a3081a3aa1072eb7a50d13927e3b5bc03c310248d3a

Analysis

max time kernel
135s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe
Size

709KB
MD5

dbdca8a3ffa33284e03a1a7bd57e12ad
SHA1

facc92651a792c4c8abe606ca47424b4f042224b
SHA256

f1f367c2bd3c1bc93a4c4a3081a3aa1072eb7a50d13927e3b5bc03c310248d3a
SHA512

727cd27bfb0ffc7a9f76fd02417de92a34ef4a1ed341953b1f5c6f78f851c83d5de390d3168df89367196a3de25eb370be1c3867affc94ae6520dff22d36bd94
SSDEEP

12288:UJr8tk+8yQiFDmBhfyW8vXAo+bcRkkOHia0crMIsTX:Wx+5QhfP5x7Nm

Score

10^/10

quasar venomrat svhost discovery rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

svhost

myconect.ddns.net:6606

Mutex

VNM_MUTEX_ND6PULLW5ZVLwo1nwR

Attributes

encryption_key
yaa63tXY4j55os5llHHd
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\$77-Venom.exe	disable_win_def
behavioral2/memory/5056-19-0x0000000000250000-0x00000000002DC000-memory.dmp	disable_win_def

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\$77-Venom.exe	family_quasar
behavioral2/memory/5056-19-0x0000000000250000-0x00000000002DC000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

$77-Venom.exe

pid process

5056 $77-Venom.exe

pid	process
5056	$77-Venom.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\Desktop.ini	dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 ip-api.com

flow	ioc
22	ip-api.com

Drops file in Windows directory 3 IoCs

Processes:

dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe$77-Venom.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$77-Venom.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1860 WINWORD.EXE
1860 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

$77-Venom.exe

description pid process

Token: SeDebugPrivilege 5056 $77-Venom.exe
Token: SeDebugPrivilege 5056 $77-Venom.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid process

1860 WINWORD.EXE
1860 WINWORD.EXE
1860 WINWORD.EXE
1860 WINWORD.EXE
1860 WINWORD.EXE
1860 WINWORD.EXE
1860 WINWORD.EXE
1860 WINWORD.EXE

pid	process
1860	WINWORD.EXE
1860	WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	5056	$77-Venom.exe
Token: SeDebugPrivilege	5056	$77-Venom.exe

pid	process
1860	WINWORD.EXE
1860	WINWORD.EXE
1860	WINWORD.EXE
1860	WINWORD.EXE
1860	WINWORD.EXE
1860	WINWORD.EXE
1860	WINWORD.EXE
1860	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe

description	pid	process	target process
PID 3548 wrote to memory of 5056	3548	dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe	$77-Venom.exe
PID 3548 wrote to memory of 5056	3548	dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe	$77-Venom.exe
PID 3548 wrote to memory of 5056	3548	dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe	$77-Venom.exe
PID 3548 wrote to memory of 1860	3548	dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe	WINWORD.EXE
PID 3548 wrote to memory of 1860	3548	dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Users\Admin\AppData\Roaming\$77-Venom.exe
  "C:\Users\Admin\AppData\Roaming\$77-Venom.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5056
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\null (2).docx" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCDF718.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\$77-Venom.exe

Filesize
534KB

MD5
84c1dc6b428904cc2a6746653849df0f

SHA1
5cce4078427481f4d7456b5a4f3930ae6e706fb4

SHA256
bc24e3c5408fea0b6f9aa0deb56a4636a8d0b9a6054ff1033efa6ccfe04ba44a

SHA512
3b7a7607c3409b5ded563f2e1fcc0fa489c4465ab764d14a647b474968a025a95fa8ceb549fc70482b7b1dd935f66a41ada7b4910059786aafc870c5847a9245

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
327B

MD5
dfd75b19360b64dc22f2a4f7dbd1b02d

SHA1
eaa381992429d43e3156029c2de95ea2d4087ab4

SHA256
4e922b07306512bc81256944914fbe6e590851cb6c41f6a0029acaac1cb33758

SHA512
c3020e5149ac87f8dedfa97d536b3397f4153607a7b5bb21506c61af94e787e268e5654bb09774d9d6ebde02d34d4bb6fbb54badda1f847e0dad2ed1d3ebe8a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
bab80f805baf551fff3281d75deeee24

SHA1
bbc0690dbe1bd7730893c52edc6d3f008890aa56

SHA256
3ad11372d1163f59810d7a0eaaf18a05a2ae1de66c067c2595f8a3c15b8ea02a

SHA512
e8b73fd56bb4947a0f90e1c4e29ea1e1f919e16556a58bd79dc51a83218fd536c2aeb5dfc3651733fc97b6c6eaf8a7891c9a0bffea7ff067e37a59b5274ef8d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
447c16319f21f4c539469d75b12d401d

SHA1
db9091fd0774da3c5113755edc310cd852a07bd8

SHA256
6d63e2cb83f5a7464618e64bd5ef67d11e84ac25f1334cb6f9290cb9cc3a5349

SHA512
8d49e614dc5a557acd00a2f7287a0d0fd768ef871440c4f8cda9c6eaac877c332afd2ca5fb217afdf5d8463c8b08c8c5d5009b374e3eb01e95f801aca4947b6a

Download Submit
C:\Users\Admin\AppData\Roaming\null (2).docx

Filesize
2KB

MD5
b73ace90e3fbada0e8baa0d47b2cbd6f

SHA1
2147bfa5d92cb0c3fd296e7c90befa08564240a6

SHA256
94f271283b679ee024724d1aee0f4ead90ce56fb67813b5e0cbc082091fbe364

SHA512
d1a9d73fca25a73782bd0170937225afdb402a354a7fb6ea308114e276aed7f77ef211c458dd03292d2e90cd1d61976340396540ac410d452bda363f6d2ee157

Download Submit
memory/1860-39-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/1860-77-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/1860-26-0x00007FFEADECD000-0x00007FFEADECE000-memory.dmp

Filesize
4KB

Download
memory/1860-237-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/1860-30-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/1860-29-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/1860-28-0x00007FFE6DEB0000-0x00007FFE6DEC0000-memory.dmp

Filesize
64KB

Download
memory/1860-27-0x00007FFE6DEB0000-0x00007FFE6DEC0000-memory.dmp

Filesize
64KB

Download
memory/1860-31-0x00007FFE6DEB0000-0x00007FFE6DEC0000-memory.dmp

Filesize
64KB

Download
memory/1860-34-0x00007FFE6DEB0000-0x00007FFE6DEC0000-memory.dmp

Filesize
64KB

Download
memory/1860-36-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/1860-35-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/1860-37-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/1860-38-0x00007FFE6BCF0000-0x00007FFE6BD00000-memory.dmp

Filesize
64KB

Download
memory/1860-233-0x00007FFE6DEB0000-0x00007FFE6DEC0000-memory.dmp

Filesize
64KB

Download
memory/1860-235-0x00007FFE6DEB0000-0x00007FFE6DEC0000-memory.dmp

Filesize
64KB

Download
memory/1860-41-0x00007FFE6BCF0000-0x00007FFE6BD00000-memory.dmp

Filesize
64KB

Download
memory/1860-33-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/1860-236-0x00007FFE6DEB0000-0x00007FFE6DEC0000-memory.dmp

Filesize
64KB

Download
memory/1860-234-0x00007FFE6DEB0000-0x00007FFE6DEC0000-memory.dmp

Filesize
64KB

Download
memory/1860-84-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/1860-25-0x00007FFE6DEB0000-0x00007FFE6DEC0000-memory.dmp

Filesize
64KB

Download
memory/1860-76-0x00007FFEADECD000-0x00007FFEADECE000-memory.dmp

Filesize
4KB

Download
memory/1860-75-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/3548-2-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/3548-0-0x0000000074CA2000-0x0000000074CA3000-memory.dmp

Filesize
4KB

Download
memory/3548-23-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/3548-1-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/5056-66-0x0000000005F40000-0x0000000005F7C000-memory.dmp

Filesize
240KB

Download
memory/5056-17-0x0000000071D2E000-0x0000000071D2F000-memory.dmp

Filesize
4KB

Download
memory/5056-85-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/5056-59-0x0000000004D20000-0x0000000004D86000-memory.dmp

Filesize
408KB

Download
memory/5056-62-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/5056-19-0x0000000000250000-0x00000000002DC000-memory.dmp

Filesize
560KB

Download
memory/5056-67-0x0000000006230000-0x000000000623A000-memory.dmp

Filesize
40KB

Download
memory/5056-24-0x0000000005370000-0x0000000005914000-memory.dmp

Filesize
5.6MB

Download
memory/5056-74-0x0000000071D2E000-0x0000000071D2F000-memory.dmp

Filesize
4KB

Download
memory/5056-40-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/5056-32-0x0000000004DC0000-0x0000000004E52000-memory.dmp

Filesize
584KB

Download