Overview

overview

10

Static

static

3

e2afad2e44...18.exe

windows7-x64

10

e2afad2e44...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-09-2024 14:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e2afad2e4405ec0c5c22398203a3443d_JaffaCakes118.exe

  • Size

    640KB

  • MD5

    e2afad2e4405ec0c5c22398203a3443d

  • SHA1

    eb212f7682d5fa24f9580aaeeaee6c3b3318f548

  • SHA256

    6fb67950f8de0f87ee4cd34d50d068ee4b5e5418d363a189da0d9949db6be8ed

  • SHA512

    30aa913e09d206d7ed08d0d71e97444fdb350dd2f8d8e382c2c4c4b236196b245a4dc6e229d5c7cad5f1ce0bfba1675cd677f82eb7728f59299922008843b5c3

  • SSDEEP

    12288:Ke/qyvMV80A9RzEPTWJVBpDyFjbgexPprcLFI0gNoxHsgL7A26:RRMV8P9uPTqmjUexBr8xH1L

Score
10/10
quasarvenomratsvhostdiscoveryevasionratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

svhost

C2

myconect.ddns.net:6606

Mutex

VNM_MUTEX_rHOHbrAQKctPD4d68w

Attributes
  • encryption_key

    rDFwhCyuKMqXO7llDpB2

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 4 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 4 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2afad2e4405ec0c5c22398203a3443d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e2afad2e4405ec0c5c22398203a3443d_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Users\Admin\AppData\Roaming\test1.exe
      "C:\Users\Admin\AppData\Roaming\test1.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\test1.exe" /rl HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2724
      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2640
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2756
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2900
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1792
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
          4⤵
          • Deletes itself
          • System Location Discovery: System Language Discovery
          PID:1812
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9GF8R1tErA7z.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2596
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2952
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 10 localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:304
        • C:\Users\Admin\AppData\Roaming\test1.exe
          "C:\Users\Admin\AppData\Roaming\test1.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2152
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    PID:2112

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\9GF8R1tErA7z.bat
    Filesize

    199B

    MD5

    8423f014ec1542cfacaf33de536cbc91

    SHA1

    9abd02421ca455ff3de41cf92a6badbd461cfe69

    SHA256

    414b9e0eb140571d33786270a91af3233fe50bbba5fe38f4d83ed91b5154d2dd

    SHA512

    05329148555e557189584ac040bb0597406e28e85f6a009aee5b9a84acaae214e3d00f6c2ea1332f96f53476aac5ac4ddc36384ddc16e7bd81f72d5982276101

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabB7FB.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarB81E.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\wotengin.jpg
    Filesize

    72KB

    MD5

    277f0e029298e0dffee3f8820726c6e3

    SHA1

    df2cdaa12ccc9e0eb0de1871c9fa12cec9f575a2

    SHA256

    f7ede3780d2e6789dfd5aaf99d8613040e6150f44ab547116817dc2f7ad442a8

    SHA512

    b2fc83d2e4d682007109be8b33aff144af3ad8f6466b911c6f48516fde5530234ed964d12a82e1e10a4a79130ee59fdc2076106d4f7460e036cdd0454da90272

    Download Submit

  • \Users\Admin\AppData\Roaming\test1.exe
    Filesize

    655KB

    MD5

    43e5556cab3ba9cd353b0c6cf1548d75

    SHA1

    64cf51c0d612cb6276e59639071406c1d2e86702

    SHA256

    286ea33997e28cad2651bc27c091e45c3502c4c7f69e4f28965bf846cf9528b8

    SHA512

    edde4a5af40e65afbe4e212e356879277f9641e4b8d46950fed33397754fe87ff81a337623e6c5202776e1636cefcd58f0ed94a212e8dd25ba427a017fcb2bdf

    Download Submit

  • memory/1732-11-0x0000000072E8E000-0x0000000072E8F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1732-14-0x00000000003C0000-0x000000000046A000-memory.dmp

    Filesize

    680KB

    Download

  • memory/1732-80-0x0000000072E8E000-0x0000000072E8F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2112-13-0x00000000000B0000-0x00000000000B2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2152-91-0x00000000000E0000-0x000000000018A000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2292-15-0x0000000074F40000-0x00000000754EB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2292-12-0x0000000000E20000-0x0000000000E22000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2292-0-0x0000000074F41000-0x0000000074F42000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2292-2-0x0000000074F40000-0x00000000754EB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2292-1-0x0000000074F40000-0x00000000754EB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2640-24-0x0000000000B30000-0x0000000000BDA000-memory.dmp

    Filesize

    680KB

    Download