quasar | fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314

General

Target

2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe
Size

757KB
MD5

2957c39376a38df6aefaee72674c92af
SHA1

f32007bbb1c99bda6e4c97b4a695e87913fd87b1
SHA256

fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314
SHA512

8cecae621972be05ab9be0071689fcf29028f63b1519c4698d531bc754af7363f7bc21dbfb1d97e75914d884ecf4e1264ff20b2903f7b11c45dc88a77ec5dcbc
SSDEEP

12288:cgvSXyMjLJFlHSXDe/XDsKI+6lHE50yzXcpimSZRtvifjP8HQQaf8+TX:cTJmXyzsKOlHEOyzXcpRSZRNIjPrF

Score

10^/10

quasar persistence spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Signatures

Contains code to disable Windows Defender 5 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/2860-12-0x0000000000400000-0x000000000048E000-memory.dmp	disable_win_def
behavioral1/memory/2860-18-0x0000000000400000-0x000000000048E000-memory.dmp	disable_win_def
behavioral1/memory/2860-16-0x0000000000400000-0x000000000048E000-memory.dmp	disable_win_def
behavioral1/memory/2860-20-0x0000000000400000-0x000000000048E000-memory.dmp	disable_win_def
behavioral1/memory/2860-13-0x0000000000400000-0x000000000048E000-memory.dmp	disable_win_def

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2860-12-0x0000000000400000-0x000000000048E000-memory.dmp	family_quasar
behavioral1/memory/2860-18-0x0000000000400000-0x000000000048E000-memory.dmp	family_quasar
behavioral1/memory/2860-16-0x0000000000400000-0x000000000048E000-memory.dmp	family_quasar
behavioral1/memory/2860-20-0x0000000000400000-0x000000000048E000-memory.dmp	family_quasar
behavioral1/memory/2860-13-0x0000000000400000-0x000000000048E000-memory.dmp	family_quasar

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\lxxgldt snybyasm = "C:\\Users\\Admin\\AppData\\Roaming\\fdfhhuxv ssqavqkxj\\chome_exe.exe"	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe

description pid process target process

PID 1280 set thread context of 2860 1280 2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe RegAsm.exe

description	pid	process	target process
PID 1280 set thread context of 2860	1280	2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2957c39376a38df6aefaee72674c92af_JaffaCakes118.exeRegAsm.exe

pid	process
1280	2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe
2860	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2957c39376a38df6aefaee72674c92af_JaffaCakes118.exeRegAsm.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1280	2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe
Token: SeDebugPrivilege	2860	RegAsm.exe
Token: SeDebugPrivilege	2692	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

2860 RegAsm.exe
2860 RegAsm.exe

pid	process
2860	RegAsm.exe
2860	RegAsm.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

2957c39376a38df6aefaee72674c92af_JaffaCakes118.exeRegAsm.exe

description	pid	process	target process
PID 1280 wrote to memory of 2692	1280	2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe	powershell.exe
PID 1280 wrote to memory of 2692	1280	2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe	powershell.exe
PID 1280 wrote to memory of 2692	1280	2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe	powershell.exe
PID 1280 wrote to memory of 2692	1280	2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe	powershell.exe
PID 1280 wrote to memory of 2732	1280	2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe	RegAsm.exe
PID 1280 wrote to memory of 2732	1280	2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe	RegAsm.exe
PID 1280 wrote to memory of 2732	1280	2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe	RegAsm.exe
PID 1280 wrote to memory of 2732	1280	2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe	RegAsm.exe
PID 1280 wrote to memory of 2732	1280	2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe	RegAsm.exe
PID 1280 wrote to memory of 2732	1280	2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe	RegAsm.exe
PID 1280 wrote to memory of 2732	1280	2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe	RegAsm.exe
PID 1280 wrote to memory of 2860	1280	2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe	RegAsm.exe
PID 1280 wrote to memory of 2860	1280	2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe	RegAsm.exe
PID 1280 wrote to memory of 2860	1280	2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe	RegAsm.exe
PID 1280 wrote to memory of 2860	1280	2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe	RegAsm.exe
PID 1280 wrote to memory of 2860	1280	2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe	RegAsm.exe
PID 1280 wrote to memory of 2860	1280	2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe	RegAsm.exe
PID 1280 wrote to memory of 2860	1280	2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe	RegAsm.exe
PID 1280 wrote to memory of 2860	1280	2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe	RegAsm.exe
PID 1280 wrote to memory of 2860	1280	2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe	RegAsm.exe
PID 1280 wrote to memory of 2860	1280	2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe	RegAsm.exe
PID 1280 wrote to memory of 2860	1280	2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe	RegAsm.exe
PID 1280 wrote to memory of 2860	1280	2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe	RegAsm.exe
PID 2860 wrote to memory of 2544	2860	RegAsm.exe	cmstp.exe
PID 2860 wrote to memory of 2544	2860	RegAsm.exe	cmstp.exe
PID 2860 wrote to memory of 2544	2860	RegAsm.exe	cmstp.exe
PID 2860 wrote to memory of 2544	2860	RegAsm.exe	cmstp.exe
PID 2860 wrote to memory of 2544	2860	RegAsm.exe	cmstp.exe
PID 2860 wrote to memory of 2544	2860	RegAsm.exe	cmstp.exe
PID 2860 wrote to memory of 2544	2860	RegAsm.exe	cmstp.exe

C:\Users\Admin\AppData\Local\Temp\2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'lxxgldt snybyasm';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'lxxgldt snybyasm' -Value '"C:\Users\Admin\AppData\Roaming\fdfhhuxv ssqavqkxj\chome_exe.exe"' -PropertyType 'String'
  2⤵
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2860
- - \??\c:\windows\SysWOW64\cmstp.exe
    "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\umgmhtrx.inf
    3⤵
    PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\temp\umgmhtrx.inf

Filesize
606B

MD5
e1f797d8d24d721296f1887790ab0c1f

SHA1
8ea62d38b06e11d401d008cacd251b48080688e3

SHA256
1441d415e0626039a6e5d462643951893042f54df2b363defdd6d678896fc2c1

SHA512
8b267cb3848c647a548740954606827fc01dbeb85facb0ab40622eb0c6f520facccadfbc95af02d59dc4391e47704b8328ec3f3a58e8daf243029619b4e5a66d

Download Submit
memory/1280-21-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/1280-1-0x0000000000F60000-0x0000000001024000-memory.dmp

Filesize
784KB

Download
memory/1280-2-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/1280-3-0x0000000000DD0000-0x0000000000E62000-memory.dmp

Filesize
584KB

Download
memory/1280-4-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/1280-5-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/1280-6-0x0000000004430000-0x00000000044C0000-memory.dmp

Filesize
576KB

Download
memory/1280-0-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/2860-12-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2860-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2860-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2860-20-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2860-13-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2860-18-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2860-10-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2860-8-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads