General

  • Target

    e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118

  • Size

    2.6MB

  • Sample

    240408-hp7hbsbc9t

  • MD5

    e6e2378b5d5ef85b039d0b261db4fa9e

  • SHA1

    2ab9b906aff4722d91b824b4ac887c5f9fc769c8

  • SHA256

    f06f42f55d97811886559c435e20fa273b088c08552ed47a70b715c21e74308d

  • SHA512

    24fbc820af4d86186f5cd76408add26cdd54e15573e0fce1b89b8167e5f736a06b45096bc99ef601ed4b01b4f3a9446051e678caea36f1188d9136c156856ce0

  • SSDEEP

    12288:tKhh8Op3AVN1B2bPHzdThCblOA1RIV84xR12UcHa2dCaGT576f+j1lc1SWZIBpLQ:tKhh8Op3AVN10bPHzdTg6

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

rat34.ddns.net:25565

Mutex

7bf81572-f7bb-4bdf-9c79-2c3a4754a152

Attributes

  • encryption_key

    C3DCCCB06A6A0C21F917BABB61CE259EB0570761

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Windows security bypass

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15