quasar | 39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
Size

488KB
MD5

33ce258b07afea582cc317a398b8770c
SHA1

9a81235b698e5477847280626b729f5347ed2585
SHA256

39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065
SHA512

4fbd58e79881313b8c29ccafd9ef7c479e9bbc427869a44981bc4077bd81ed1532c5bcb679e8973470833e18dc5c81a54c69d958030f31f053e92f35a6d2ad66
SSDEEP

12288:ayJgDWpL20Rr3oPm1PC8CcxZsfi8H8fxQpwW2R7NoBE:aAgDWWm1HCX9cz1dNoS

Score

10^/10

quasar spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Signatures

Contains code to disable Windows Defender 10 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/1704-3-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral1/memory/1704-13-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral1/memory/1704-12-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral1/memory/1704-11-0x0000000000402000-0x0000000000489000-memory.dmp	disable_win_def
behavioral1/memory/1704-14-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral1/memory/1704-17-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral1/memory/1704-25-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral1/memory/1704-24-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral1/memory/1704-28-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral1/memory/1704-46-0x0000000000402000-0x0000000000489000-memory.dmp	disable_win_def

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 10 IoCs

resource	yara_rule
behavioral1/memory/1704-3-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral1/memory/1704-13-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral1/memory/1704-12-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral1/memory/1704-11-0x0000000000402000-0x0000000000489000-memory.dmp	family_quasar
behavioral1/memory/1704-14-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral1/memory/1704-17-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral1/memory/1704-25-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral1/memory/1704-24-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral1/memory/1704-28-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral1/memory/1704-46-0x0000000000402000-0x0000000000489000-memory.dmp	family_quasar

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2684	1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe	28
PID 1704 wrote to memory of 2684	1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe	28
PID 1704 wrote to memory of 2684	1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe	28
PID 1704 wrote to memory of 2684	1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe	28
PID 1704 wrote to memory of 2684	1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe	28
PID 1704 wrote to memory of 2684	1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe	28
PID 1704 wrote to memory of 2684	1704	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1704
- \??\c:\windows\SysWOW64\cmstp.exe
  "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\k4bwqwn4.inf
  2⤵
  PID:2684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\temp\k4bwqwn4.inf

Filesize
606B

MD5
5be15073f32f85ae9153f0ca665c1753

SHA1
637f6f58ec16ebd41c9961d8cede765f9f689ecd

SHA256
dbdef92c142210d3e247611cfdbd6d777638f0e83358a9f5cdc43dc2c4845d0c

SHA512
8a727fdb77d092ae49f96293afadfcca5dfdf5cdd6dc87e380bf4e5434d01919880757b2c6060ed611ac5e6a24be4971be3a6d2892478bb16cb466a3b340aea6

Download Submit
memory/1704-24-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1704-44-0x00000000740B0000-0x00000000740C3000-memory.dmp

Filesize
76KB

Download
memory/1704-3-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1704-5-0x0000000001CF0000-0x0000000001D37000-memory.dmp

Filesize
284KB

Download
memory/1704-4-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1704-8-0x0000000076E10000-0x0000000076E57000-memory.dmp

Filesize
284KB

Download
memory/1704-25-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1704-7-0x0000000076E60000-0x0000000076F0C000-memory.dmp

Filesize
688KB

Download
memory/1704-10-0x0000000074F50000-0x0000000074F59000-memory.dmp

Filesize
36KB

Download
memory/1704-13-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1704-12-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1704-11-0x0000000000402000-0x0000000000489000-memory.dmp

Filesize
540KB

Download
memory/1704-14-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1704-16-0x0000000075980000-0x0000000075ADC000-memory.dmp

Filesize
1.4MB

Download
memory/1704-17-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1704-18-0x0000000075FA0000-0x000000007602F000-memory.dmp

Filesize
572KB

Download
memory/1704-19-0x0000000074450000-0x00000000744D0000-memory.dmp

Filesize
512KB

Download
memory/1704-0-0x0000000074E50000-0x0000000074E9A000-memory.dmp

Filesize
296KB

Download
memory/1704-9-0x0000000077260000-0x00000000772B7000-memory.dmp

Filesize
348KB

Download
memory/1704-2-0x0000000001CF0000-0x0000000001D37000-memory.dmp

Filesize
284KB

Download
memory/1704-20-0x0000000076030000-0x0000000076C7A000-memory.dmp

Filesize
12.3MB

Download
memory/1704-26-0x0000000074090000-0x00000000740A7000-memory.dmp

Filesize
92KB

Download
memory/1704-28-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1704-33-0x0000000074E50000-0x0000000074E9A000-memory.dmp

Filesize
296KB

Download
memory/1704-38-0x0000000074F50000-0x0000000074F59000-memory.dmp

Filesize
36KB

Download
memory/1704-37-0x0000000074CC0000-0x0000000074D3D000-memory.dmp

Filesize
500KB

Download
memory/1704-34-0x0000000076030000-0x0000000076C7A000-memory.dmp

Filesize
12.3MB

Download
memory/1704-31-0x0000000076E60000-0x0000000076F0C000-memory.dmp

Filesize
688KB

Download
memory/1704-29-0x0000000076E10000-0x0000000076E57000-memory.dmp

Filesize
284KB

Download
memory/1704-27-0x0000000001CF0000-0x0000000001D37000-memory.dmp

Filesize
284KB

Download
memory/1704-36-0x0000000075980000-0x0000000075ADC000-memory.dmp

Filesize
1.4MB

Download
memory/1704-35-0x0000000077260000-0x00000000772B7000-memory.dmp

Filesize
348KB

Download
memory/1704-46-0x0000000000402000-0x0000000000489000-memory.dmp

Filesize
540KB

Download
memory/1704-45-0x0000000074090000-0x00000000740A7000-memory.dmp

Filesize
92KB

Download
memory/1704-1-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1704-43-0x0000000075FA0000-0x000000007602F000-memory.dmp

Filesize
572KB

Download
memory/1704-42-0x0000000074450000-0x00000000744D0000-memory.dmp

Filesize
512KB

Download
memory/1704-41-0x0000000074F40000-0x0000000074F43000-memory.dmp

Filesize
12KB

Download
memory/1704-40-0x00000000744D0000-0x00000000745C5000-memory.dmp

Filesize
980KB

Download
memory/1704-39-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download