Overview

overview

10

Static

static

3

806DDBB70C...20.exe

windows7-x64

10

806DDBB70C...20.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_9dc800c25349a952cf4e972456f4054d6e8f8798505cc1a4fdbdb5e72ca38310

  • Size

    3.7MB

  • Sample

    241225-qj83zatper

  • MD5

    5fc023fc26f82679558274acf31c6c79

  • SHA1

    d7233581fe4e78f8a73650d407a0a9cd439d0ea8

  • SHA256

    9dc800c25349a952cf4e972456f4054d6e8f8798505cc1a4fdbdb5e72ca38310

  • SHA512

    f9605cabede4c48d5762c82722fb120637ccad74fc8b96f50deb31b8cad18ae91e3cabbcf7f39649f4ac3fe7df67dd5ef66e6f4d1cb9598fac0e380541d68e13

  • SSDEEP

    98304:4ZEZMQXXsVhd6W2y1vmbTDHJj+G98Ir5BZVQB:CpQnsHdKEY/HJj+vItBZVw

Score
10/10
asyncratdarkcometquasardefaultnetshareoffice15discoveryevasionexecutionpersistenceratspywaretrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

netshare

C2

novachrono.dyndns-ip.com:51399

Mutex

DC_MUTEX-6JFEBFK

Attributes
  • gencode

    jJtniSTX6QWK

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Extracted

Family

quasar

Version

1.4.0

Botnet

Office15

C2

novachrono.dyndns-ip.com:51396

Mutex

f855a54f-46fa-48dc-a390-f591a2e4bd98

Attributes
  • encryption_key

    E5D6E7988D0C5E1B3786B30C1AE84CBBC1CF4B1E

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

novachrono.dyndns-ip.com:51397

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_file

    repair-win.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      806DDBB70CE7CF024D8C8D7206020007B303F0FB70F67445D898517944C91A20

    • Size

      3.8MB

    • MD5

      c1dc1d013b521ff6725e1e674da41209

    • SHA1

      414e10310c572e8edf7a127937033e2f23e5176d

    • SHA256

      806ddbb70ce7cf024d8c8d7206020007b303f0fb70f67445d898517944c91a20

    • SHA512

      c03f343dd4c1cd7b22e7f953ac7778116b5aebba8f47259d4773659196e6db807054aea7156a5b412a438acecf0041f07dac9a3dbbaf13105457d08029550a36

    • SSDEEP

      98304:HAI+n8ys9crUL7CKY+0lM4VI5I2mTcin9AUcPTLm17Vs+uy:gt8ysYUL7CJ+01VIcwORa+uy

    Score
    10/10
    asyncratdarkcometquasardefaultnetshareoffice15discoveryevasionexecutionratspywaretrojanupxpersistence

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Darkcomet family

      darkcomet

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Async RAT payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Share Discovery

      Attempt to gather information on host network.

      discovery

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

JavaScript

1
T1059.007

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

3
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Browser Information Discovery

1
T1217

Network Share Discovery

1
T1135

Peripheral Device Discovery

1
T1120

Query Registry

5
T1012

Remote System Discovery

1
T1018

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks