quasar | 735cbb15792d8be93c653fd2febafc249e57b29faa25aaafb99b42b310bca104

General

Target

320c9b7f61e1a20f89d2b4514d1545f0_JaffaCakes118.exe
Size

485KB
MD5

320c9b7f61e1a20f89d2b4514d1545f0
SHA1

36d91c66517c404317ddf5b596c4e5f841005c9c
SHA256

735cbb15792d8be93c653fd2febafc249e57b29faa25aaafb99b42b310bca104
SHA512

65d6d236b510f9cf0273b822c3cdad76afcdc5cb0f4c6dc9a2502eb5ea68238810dbe4c8ec332e36270984d77a1c1a7fe2c444c361f725f8a32ce040f990c276
SSDEEP

12288:3dol1WDRTnx09/amkvj9LEuoJTtBhDSA3Lu7Yp8B4mi:Nmkd6/aTu5tfWAbuo8H

Score

10^/10

quasar venomrat office04 rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

myconect.ddns.net:6606

Mutex

VNM_MUTEX_8vaggmzqQMqTBMXSZ7

Attributes

encryption_key
qRvtw4YHx2BDHavO4SeK
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/files/0x000a00000002341d-9.dat	disable_win_def
behavioral2/memory/320-18-0x0000000000B80000-0x0000000000C0C000-memory.dmp	disable_win_def

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000a00000002341d-9.dat	family_quasar
behavioral2/memory/320-18-0x0000000000B80000-0x0000000000C0C000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

320c9b7f61e1a20f89d2b4514d1545f0_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	320c9b7f61e1a20f89d2b4514d1545f0_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

$77-Venom.exe

pid	Process
320	$77-Venom.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

320c9b7f61e1a20f89d2b4514d1545f0_JaffaCakes118.exe

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	320c9b7f61e1a20f89d2b4514d1545f0_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	320c9b7f61e1a20f89d2b4514d1545f0_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
7	ip-api.com

Drops file in Windows directory 3 IoCs

Processes:

320c9b7f61e1a20f89d2b4514d1545f0_JaffaCakes118.exe

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	320c9b7f61e1a20f89d2b4514d1545f0_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	320c9b7f61e1a20f89d2b4514d1545f0_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly	320c9b7f61e1a20f89d2b4514d1545f0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

dw20.exe$77-Venom.exe

description	pid	Process
Token: SeRestorePrivilege	1552	dw20.exe
Token: SeBackupPrivilege	1552	dw20.exe
Token: SeBackupPrivilege	1552	dw20.exe
Token: SeBackupPrivilege	1552	dw20.exe
Token: SeDebugPrivilege	320	$77-Venom.exe
Token: SeDebugPrivilege	320	$77-Venom.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

320c9b7f61e1a20f89d2b4514d1545f0_JaffaCakes118.exe

description	pid	Process	procid_target
PID 4056 wrote to memory of 320	4056	320c9b7f61e1a20f89d2b4514d1545f0_JaffaCakes118.exe	85
PID 4056 wrote to memory of 320	4056	320c9b7f61e1a20f89d2b4514d1545f0_JaffaCakes118.exe	85
PID 4056 wrote to memory of 320	4056	320c9b7f61e1a20f89d2b4514d1545f0_JaffaCakes118.exe	85
PID 4056 wrote to memory of 1552	4056	320c9b7f61e1a20f89d2b4514d1545f0_JaffaCakes118.exe	86
PID 4056 wrote to memory of 1552	4056	320c9b7f61e1a20f89d2b4514d1545f0_JaffaCakes118.exe	86
PID 4056 wrote to memory of 1552	4056	320c9b7f61e1a20f89d2b4514d1545f0_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\320c9b7f61e1a20f89d2b4514d1545f0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\320c9b7f61e1a20f89d2b4514d1545f0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Users\Admin\AppData\Roaming\$77-Venom.exe
  "C:\Users\Admin\AppData\Roaming\$77-Venom.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:320
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 1152
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\$77-Venom.exe

Filesize
534KB

MD5
2e58a2182d8a2b8160b2bddadbc362a2

SHA1
8edb5e6815452d2c46f4a0b37ec7be9381ad6727

SHA256
4db62762c3c25e877f8968c46246fa4d83cc11bec22e63019ecb3c5b4d1291cf

SHA512
5e36b421351eddb89583d6c2448524a28d76576aa95ae53809f83afd695a91a68a3213f1cd043aec9f00261e9324a32a4b4b05f1fed477a89efb62c5403e3e35

Download Submit
memory/320-25-0x0000000072420000-0x0000000072BD0000-memory.dmp

Filesize
7.7MB

Download
memory/320-30-0x00000000057E0000-0x00000000057F2000-memory.dmp

Filesize
72KB

Download
memory/320-34-0x0000000072420000-0x0000000072BD0000-memory.dmp

Filesize
7.7MB

Download
memory/320-17-0x000000007242E000-0x000000007242F000-memory.dmp

Filesize
4KB

Download
memory/320-18-0x0000000000B80000-0x0000000000C0C000-memory.dmp

Filesize
560KB

Download
memory/320-19-0x0000000005C30000-0x00000000061D4000-memory.dmp

Filesize
5.6MB

Download
memory/320-33-0x000000007242E000-0x000000007242F000-memory.dmp

Filesize
4KB

Download
memory/320-32-0x0000000006B60000-0x0000000006B6A000-memory.dmp

Filesize
40KB

Download
memory/320-22-0x00000000055D0000-0x0000000005662000-memory.dmp

Filesize
584KB

Download
memory/320-29-0x00000000056F0000-0x0000000005756000-memory.dmp

Filesize
408KB

Download
memory/320-31-0x0000000006880000-0x00000000068BC000-memory.dmp

Filesize
240KB

Download
memory/4056-0-0x00000000753A2000-0x00000000753A3000-memory.dmp

Filesize
4KB

Download
memory/4056-28-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/4056-2-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/4056-1-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads