quasar | 7655e16003aa8856e7585f5d4b76d39f9e56b784442c9523d9f0b7b9c85b714b

Analysis

max time kernel
146s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1423a4be112f647fe95730150a842627_JaffaCakes118.exe
Size

348KB
MD5

1423a4be112f647fe95730150a842627
SHA1

ad705962c70d6d74afc7f69051c809240c1dc7d3
SHA256

7655e16003aa8856e7585f5d4b76d39f9e56b784442c9523d9f0b7b9c85b714b
SHA512

0df8a840711259c5026d20c069e45a996aa92e821ac870d0ae66760617e31ce5feecbdf3b03a16f3945b13df1279c1902c9a46c498b0b235217e127e49157cb0
SSDEEP

6144:b+NHXf500MwDjCTHYr1b8i4YunbL/zMoXDme:6d50sjGoP4YunHAoXDme

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Slave

134.209.192.40:4782

Mutex

QSR_MUTEX_k8JOK9yrF6X0eZEc1V

Attributes

encryption_key
Mx5vn03LCy6ul2fLffQw
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT 2 IoCs
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Processes:

flow ioc

41 ip-api.com
44 ip-api.com

flow	ioc
41	ip-api.com
44	ip-api.com

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5104-1-0x0000000000360000-0x00000000003BE000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

4772 Client.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

41 ip-api.com
44 ip-api.com
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1423a4be112f647fe95730150a842627_JaffaCakes118.exeClient.exe

description pid process

Token: SeDebugPrivilege 5104 1423a4be112f647fe95730150a842627_JaffaCakes118.exe
Token: SeDebugPrivilege 4772 Client.exe

pid	process
4772	Client.exe

flow	ioc
41	ip-api.com
44	ip-api.com

description	pid	process
Token: SeDebugPrivilege	5104	1423a4be112f647fe95730150a842627_JaffaCakes118.exe
Token: SeDebugPrivilege	4772	Client.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1423a4be112f647fe95730150a842627_JaffaCakes118.exe

description	pid	process	target process
PID 5104 wrote to memory of 4772	5104	1423a4be112f647fe95730150a842627_JaffaCakes118.exe	Client.exe
PID 5104 wrote to memory of 4772	5104	1423a4be112f647fe95730150a842627_JaffaCakes118.exe	Client.exe
PID 5104 wrote to memory of 4772	5104	1423a4be112f647fe95730150a842627_JaffaCakes118.exe	Client.exe

C:\Users\Admin\AppData\Local\Temp\1423a4be112f647fe95730150a842627_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1423a4be112f647fe95730150a842627_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5104

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3020 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:4184

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
348KB

MD5
1423a4be112f647fe95730150a842627

SHA1
ad705962c70d6d74afc7f69051c809240c1dc7d3

SHA256
7655e16003aa8856e7585f5d4b76d39f9e56b784442c9523d9f0b7b9c85b714b

SHA512
0df8a840711259c5026d20c069e45a996aa92e821ac870d0ae66760617e31ce5feecbdf3b03a16f3945b13df1279c1902c9a46c498b0b235217e127e49157cb0

Download Submit
memory/4772-19-0x0000000006C90000-0x0000000006C9A000-memory.dmp

Filesize
40KB

Download
memory/4772-18-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/4772-15-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/4772-14-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/5104-4-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/5104-6-0x0000000004D80000-0x0000000004DE6000-memory.dmp

Filesize
408KB

Download
memory/5104-7-0x0000000005300000-0x0000000005312000-memory.dmp

Filesize
72KB

Download
memory/5104-8-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/5104-9-0x0000000006000000-0x000000000603C000-memory.dmp

Filesize
240KB

Download
memory/5104-5-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/5104-0-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/5104-3-0x0000000004E20000-0x0000000004EB2000-memory.dmp

Filesize
584KB

Download
memory/5104-17-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/5104-2-0x0000000005330000-0x00000000058D4000-memory.dmp

Filesize
5.6MB

Download
memory/5104-1-0x0000000000360000-0x00000000003BE000-memory.dmp

Filesize
376KB

Download