Overview

overview

10

Static

static

3

f78e8fdb5c...18.exe

windows7-x64

10

f78e8fdb5c...18.exe

windows10-2004-x64

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    26-09-2024 04:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe

  • Size

    602KB

  • MD5

    f78e8fdb5c76c784818c1ea7ba8217cd

  • SHA1

    9a3ca4ab923d8b93b49f5d46c6b449845ca94c6d

  • SHA256

    0e0a586e4c7a3d6508de4cffe0c78050c01dda128441853127ef10e1e3c7e25c

  • SHA512

    9fc70809bac9189e693af1ccd10f35af84fe295b048ed609262a90bf071157b0a23ff2672c57f424fbcd56fc816c1400b6a9a09cd30e12619d785518151d62b3

  • SSDEEP

    12288:hmBU27je2sGbV7LsAlhgLTj9BBnWobokcoyhUvqA2i:kBUYje21R0b9BBnWooXhQqAt

Score
10/10
quasarvenomratwindows securitydiscoveryevasionpersistenceratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

windows security

C2

vilvaraj-32652.portmap.io:32652

Mutex

VNM_MUTEX_XaCO2YtLAsadylDHBP

Attributes
  • encryption_key

    eKgGUbCubcSIafuOAN5V

  • install_name

    windows security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    windows security

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 5 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 5 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2948
    • C:\Users\Admin\AppData\Local\Temp\f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Loads dropped DLL
      • Windows security modification
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "windows security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe" /rl HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2008
      • C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2252
        • C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3000
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "windows security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe" /rl HIGHEST /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2744
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\SheT0fHwUcxK.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2988
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1788
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 10 localhost
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1512
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 1468
            5⤵
            • Loads dropped DLL
            • Program crash
            PID:3040
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2212
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1040
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2784
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\c9OA6s6KxLEM.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1084
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:924
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 10 localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2712
        • C:\Users\Admin\AppData\Local\Temp\f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          PID:896
          • C:\Users\Admin\AppData\Local\Temp\f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\f78e8fdb5c76c784818c1ea7ba8217cd_JaffaCakes118.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

3
T1112

Credential Access

Discovery

Remote System Discovery

1
T1018

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CabC831.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\SheT0fHwUcxK.bat
    Filesize

    217B

    MD5

    f318dcc32913d291225b7607501694ae

    SHA1

    fa635d51026420f0dcb6dbfe2f66596140a25bee

    SHA256

    dbc07e82adfc1406c01d68410fa595b23e092c0755278715e5eb5c048d99afde

    SHA512

    746144ae8cf8e82b41bd318782fd801f9234b862be1366c7e797e222b293fa8459cf9e70365c8b18261b8f41a93e3c31b29726cb94d202d3efdb660e51e22dab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarC853.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\c9OA6s6KxLEM.bat
    Filesize

    243B

    MD5

    ea87094037d876808930a92279bf20a2

    SHA1

    263d856635c21d96c56a79f05ece224488d5be02

    SHA256

    332094cf23cc90e9fcde0219a62a36e5ee525eb6e391e4f6e6f3ac0189f09aaf

    SHA512

    d64c024f038cb81c11eb1546806d62f0cd6af0548986b602a4e89b71ecc7b0bc879b853c1dcb6226f83dc6fd51339db1ade6118d8b8613325ce962e2409317f9

    Download Submit

  • \Users\Admin\AppData\Roaming\SubDir\windows security.exe
    Filesize

    602KB

    MD5

    f78e8fdb5c76c784818c1ea7ba8217cd

    SHA1

    9a3ca4ab923d8b93b49f5d46c6b449845ca94c6d

    SHA256

    0e0a586e4c7a3d6508de4cffe0c78050c01dda128441853127ef10e1e3c7e25c

    SHA512

    9fc70809bac9189e693af1ccd10f35af84fe295b048ed609262a90bf071157b0a23ff2672c57f424fbcd56fc816c1400b6a9a09cd30e12619d785518151d62b3

    Download Submit

  • memory/896-121-0x0000000000E40000-0x0000000000EDC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1012-130-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1944-15-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/1944-7-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/1944-8-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/1944-6-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/1944-5-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/1944-13-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/1944-17-0x00000000742E0000-0x00000000749CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1944-119-0x00000000742E0000-0x00000000749CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1944-16-0x00000000742E0000-0x00000000749CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1944-110-0x00000000742E0000-0x00000000749CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1944-11-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/1944-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2252-26-0x0000000001200000-0x000000000129C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2948-0-0x00000000742EE000-0x00000000742EF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2948-4-0x0000000000480000-0x000000000048A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2948-18-0x00000000742E0000-0x00000000749CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2948-2-0x00000000742E0000-0x00000000749CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2948-1-0x0000000000910000-0x00000000009AC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3000-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download