quasar | defe3d66f022bc223894b56b30aa6075f1341b700d256ab795f95088bae1f7c1

General

Target

fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe
Size

3.9MB
MD5

fc5416311f5e64294d3033abef2ae5d7
SHA1

d57361cdd2e1e5cd9c1ab64ba6fa20e977dc3efe
SHA256

defe3d66f022bc223894b56b30aa6075f1341b700d256ab795f95088bae1f7c1
SHA512

c0b41a9630ab63d802d2949fb8e0e2865da62d69bda880dbee3fd31368009f787ffac6b4d5edff5422d0ab66d0040221309447af1d87d4bff1bc0e6da70bb0ee
SSDEEP

98304:3CFNQ00DlHJb9fhTkmYpYNuSZTKA0t9FFPEC8HOolPsliHLhg3arcO8GkfhUcZtI:3CFNQ00DlHJb9fhTkmY6bk9fchHOolPv

Score

10^/10

quasar venom client spyware trojan

Malware Config

Extracted

Family

quasar

Version

2.6.0.0

Botnet

Venom Client

C2

127.0.0.1:4782

192.168.1.154:4782

Mutex

u1Cabu0SD85QXhFG45

Attributes

encryption_key
PhBvMV17IAAI7PAlZTmm
install_name
Venom.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2064-0-0x0000000000E40000-0x0000000001234000-memory.dmp	family_quasar
behavioral1/memory/2492-14-0x0000000001160000-0x0000000001554000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Venom.exe	family_quasar

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

4 pastebin.com
5 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2576 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2472 PING.EXE

flow	ioc
4	pastebin.com
5	pastebin.com

flow	ioc
2	ip-api.com

pid	process
2576	schtasks.exe

pid	process
2472	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exefc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2064	fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe
Token: SeDebugPrivilege	2492	fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 2064 wrote to memory of 2576	2064	fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe	schtasks.exe
PID 2064 wrote to memory of 2576	2064	fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe	schtasks.exe
PID 2064 wrote to memory of 2576	2064	fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe	schtasks.exe
PID 2064 wrote to memory of 2576	2064	fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe	schtasks.exe
PID 2064 wrote to memory of 2716	2064	fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe	cmd.exe
PID 2064 wrote to memory of 2716	2064	fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe	cmd.exe
PID 2064 wrote to memory of 2716	2064	fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe	cmd.exe
PID 2064 wrote to memory of 2716	2064	fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe	cmd.exe
PID 2716 wrote to memory of 2728	2716	cmd.exe	chcp.com
PID 2716 wrote to memory of 2728	2716	cmd.exe	chcp.com
PID 2716 wrote to memory of 2728	2716	cmd.exe	chcp.com
PID 2716 wrote to memory of 2728	2716	cmd.exe	chcp.com
PID 2716 wrote to memory of 2472	2716	cmd.exe	PING.EXE
PID 2716 wrote to memory of 2472	2716	cmd.exe	PING.EXE
PID 2716 wrote to memory of 2472	2716	cmd.exe	PING.EXE
PID 2716 wrote to memory of 2472	2716	cmd.exe	PING.EXE
PID 2716 wrote to memory of 2492	2716	cmd.exe	fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe
PID 2716 wrote to memory of 2492	2716	cmd.exe	fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe
PID 2716 wrote to memory of 2492	2716	cmd.exe	fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe
PID 2716 wrote to memory of 2492	2716	cmd.exe	fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Venom.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2576

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MYZWgCDokcQE.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:2728

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
3⤵
- Runs ping.exe
PID:2472

C:\Users\Admin\AppData\Local\Temp\fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc5416311f5e64294d3033abef2ae5d7_JaffaCakes118.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2492

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MYZWgCDokcQE.bat
Filesize
243B

MD5
f159364657d35b2da62e670d0061a932

SHA1
d3526069590e6ceb7ce38ab7d04d2ca8f0d9fc06

SHA256
f9688e28885bdd01e507882a27f5185c7ffa701e4f9334c2ed76a8e5c7ac24f5

SHA512
242b7767615d4e38f1a5d381922fc1c81881e37fab829497a5100e14a4addda48c1ae67a9ec7c7b82e65592a49cf11ed05b77346f6c19fb6e3e34aa24ab1f430

Download Submit
C:\Users\Admin\AppData\Roaming\Venom.exe
Filesize
3.9MB

MD5
fc5416311f5e64294d3033abef2ae5d7

SHA1
d57361cdd2e1e5cd9c1ab64ba6fa20e977dc3efe

SHA256
defe3d66f022bc223894b56b30aa6075f1341b700d256ab795f95088bae1f7c1

SHA512
c0b41a9630ab63d802d2949fb8e0e2865da62d69bda880dbee3fd31368009f787ffac6b4d5edff5422d0ab66d0040221309447af1d87d4bff1bc0e6da70bb0ee

Download Submit
memory/2064-1-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2064-0-0x0000000000E40000-0x0000000001234000-memory.dmp

Filesize
4.0MB

Download
memory/2064-2-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/2064-13-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2492-15-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/2492-14-0x0000000001160000-0x0000000001554000-memory.dmp

Filesize
4.0MB

Download
memory/2492-16-0x0000000000D00000-0x0000000000D40000-memory.dmp

Filesize
256KB

Download
memory/2492-18-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads