quasar | e2664640d1772b5f9626787ba8f6c88084c7a3de046457eeec2f0ce6bd07d215 | Triage

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-05-2024 03:28

Sharing

Report Analysis Logs

General

Target

0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
Size

488KB
MD5

0f9120aa260daa1849a56062f8b6a492
SHA1

a56e35f6cc5424936a56827d307253c56a937a0e
SHA256

e2664640d1772b5f9626787ba8f6c88084c7a3de046457eeec2f0ce6bd07d215
SHA512

ae52b328521f6a550951ac0c53745034f985230dcd850d0881079d1a2f50b865c30e646271dd4230f3d07db34bf6515b434bcf0f085f8e703533ae14180f81dc
SSDEEP

12288:RhMM2P6wZMGWIHT0K5DDeOGYJeSyzLIB/xk5:Plk6SF9HT0gGie4B/x

Score

10^/10

quasar spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Signatures

Contains code to disable Windows Defender 9 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/1284-2-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral1/memory/1284-13-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral1/memory/1284-12-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral1/memory/1284-8-0x0000000000402000-0x0000000000489000-memory.dmp	disable_win_def
behavioral1/memory/1284-14-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral1/memory/1284-17-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral1/memory/1284-23-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral1/memory/1284-26-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral1/memory/1284-28-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1284-2-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral1/memory/1284-13-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral1/memory/1284-12-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral1/memory/1284-8-0x0000000000402000-0x0000000000489000-memory.dmp	family_quasar
behavioral1/memory/1284-14-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral1/memory/1284-17-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral1/memory/1284-23-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral1/memory/1284-26-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral1/memory/1284-28-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe

pid	Process
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe

pid	Process
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe

description	pid	Process
Token: SeDebugPrivilege	1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe

pid	Process
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe

description	pid	Process	procid_target
PID 1284 wrote to memory of 2620	1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe	28
PID 1284 wrote to memory of 2620	1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe	28
PID 1284 wrote to memory of 2620	1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe	28
PID 1284 wrote to memory of 2620	1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe	28
PID 1284 wrote to memory of 2620	1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe	28
PID 1284 wrote to memory of 2620	1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe	28
PID 1284 wrote to memory of 2620	1284	0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f9120aa260daa1849a56062f8b6a492_JaffaCakes118.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1284
- \??\c:\windows\SysWOW64\cmstp.exe
  "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\washgse3.inf
  2⤵
  PID:2620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\temp\washgse3.inf

Filesize
606B

MD5
3e2a65fc1267aee14c638a004e00963b

SHA1
2ffffd34199450815d12457f864cf18409213ec0

SHA256
6bab55ce1aa923733a70b16f651a49890770a12d9d09afbb12b4b6f5a0ec4f07

SHA512
3ed58df6422a8b86af368a4237da0e7ba3238008a1585cd11390c69aa332cdf2e7eb119b2b8066f66b96b6db80c2a882f48fec546c2b0602b44ee73869c848f2

Download Submit
memory/1284-8-0x0000000000402000-0x0000000000489000-memory.dmp

Filesize
540KB

Download
memory/1284-45-0x0000000073F90000-0x0000000073FA7000-memory.dmp

Filesize
92KB

Download
memory/1284-1-0x0000000074D50000-0x0000000074D9A000-memory.dmp

Filesize
296KB

Download
memory/1284-13-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1284-12-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1284-11-0x0000000074E50000-0x0000000074E59000-memory.dmp

Filesize
36KB

Download
memory/1284-10-0x00000000756B0000-0x0000000075707000-memory.dmp

Filesize
348KB

Download
memory/1284-9-0x0000000075870000-0x00000000758B7000-memory.dmp

Filesize
284KB

Download
memory/1284-7-0x0000000075290000-0x000000007533C000-memory.dmp

Filesize
688KB

Download
memory/1284-0-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1284-5-0x00000000001C0000-0x0000000000207000-memory.dmp

Filesize
284KB

Download
memory/1284-4-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1284-14-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1284-25-0x0000000073F90000-0x0000000073FA7000-memory.dmp

Filesize
92KB

Download
memory/1284-16-0x00000000758D0000-0x0000000075A2C000-memory.dmp

Filesize
1.4MB

Download
memory/1284-18-0x0000000075B00000-0x0000000075B8F000-memory.dmp

Filesize
572KB

Download
memory/1284-19-0x0000000074350000-0x00000000743D0000-memory.dmp

Filesize
512KB

Download
memory/1284-20-0x0000000076350000-0x0000000076F9A000-memory.dmp

Filesize
12.3MB

Download
memory/1284-40-0x00000000743D0000-0x00000000744C5000-memory.dmp

Filesize
980KB

Download
memory/1284-2-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1284-17-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1284-26-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1284-28-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1284-38-0x0000000074E50000-0x0000000074E59000-memory.dmp

Filesize
36KB

Download
memory/1284-31-0x0000000075290000-0x000000007533C000-memory.dmp

Filesize
688KB

Download
memory/1284-33-0x0000000076350000-0x0000000076F9A000-memory.dmp

Filesize
12.3MB

Download
memory/1284-29-0x0000000075870000-0x00000000758B7000-memory.dmp

Filesize
284KB

Download
memory/1284-37-0x0000000074BC0000-0x0000000074C3D000-memory.dmp

Filesize
500KB

Download
memory/1284-27-0x00000000001C0000-0x0000000000207000-memory.dmp

Filesize
284KB

Download
memory/1284-36-0x00000000758D0000-0x0000000075A2C000-memory.dmp

Filesize
1.4MB

Download
memory/1284-35-0x0000000074D50000-0x0000000074D9A000-memory.dmp

Filesize
296KB

Download
memory/1284-34-0x00000000756B0000-0x0000000075707000-memory.dmp

Filesize
348KB

Download
memory/1284-42-0x0000000074350000-0x00000000743D0000-memory.dmp

Filesize
512KB

Download
memory/1284-3-0x00000000001C0000-0x0000000000207000-memory.dmp

Filesize
284KB

Download
memory/1284-44-0x0000000073FB0000-0x0000000073FC3000-memory.dmp

Filesize
76KB

Download
memory/1284-43-0x0000000075B00000-0x0000000075B8F000-memory.dmp

Filesize
572KB

Download
memory/1284-41-0x0000000074E40000-0x0000000074E43000-memory.dmp

Filesize
12KB

Download
memory/1284-23-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1284-39-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download