Overview

overview

10

Static

static

3

3c5a4a6e09...18.exe

windows7-x64

10

3c5a4a6e09...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    13-05-2024 19:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3c5a4a6e0984220de5f8945f7e7d2fb7_JaffaCakes118.exe

  • Size

    470KB

  • MD5

    3c5a4a6e0984220de5f8945f7e7d2fb7

  • SHA1

    d8cc682345256e7529c06bf6dc61bd262bfb724f

  • SHA256

    8ad13febcc803f9ee8a83e5e5dad20e4ab0083b206d2b2c1e1bd5809125031be

  • SHA512

    22ecf95c7aab5c71beda5cf45f07d10e3d7b174751d46d5f157239272b84ec4001cc1ddcc4cc9d49c6c70dbb64cdda6e3b0111a0cb53266d23ded811f8905aa0

  • SSDEEP

    6144:58E5banFRAD6ByRaFqLjWg5iVkLWHJsFZMrATekM5fLH7kWBxjdpCPyS9TDEx:t6ROuBOjWvVkLWH+TjSllDhBrpCP2

Score
10/10
quasaroffice04spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

anglekeys.duckdns.org:4782

anglekeys.dynu.com:4782

anglekeys.dynu.net:4782
Mutex

QSR_MUTEX_sgMP7QuqDU0bxo1dBD

Attributes
  • encryption_key

    NCiE6G1xAqLWGNL2JrfI

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c5a4a6e0984220de5f8945f7e7d2fb7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3c5a4a6e0984220de5f8945f7e7d2fb7_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:948
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelOpteronDriver21448Client-built1.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelOpteronDriver21448Client-built1.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qVqe6uNJStxh.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2712
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
            PID:2252
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 10 localhost
            4⤵
            • Runs ping.exe
            PID:2168
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelOpteronDriver21448Client-built1.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelOpteronDriver21448Client-built1.exe"
            4⤵
            • Executes dropped EXE
            PID:1720
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 1464
          3⤵
          • Loads dropped DLL
          • Program crash
          PID:2148

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\qVqe6uNJStxh.bat
      Filesize

      276B

      MD5

      ce7215879cac5aa53b2d0d9e5b953e79

      SHA1

      a465575857eb33e5f43b3cf35b437e889987037e

      SHA256

      c70b98d0b3e7666738be847ef5cd80b06be72190716115e15c36ed9bacfa8e18

      SHA512

      bcbbec98e555482896a939f9915220220d9f49ed5af8e0614a936fe09dadbb950b5c16b2038c85e14ac803936276189dbb2bb7673d7a134755d34eaffa4b6db1

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelOpteronDriver21448Client-built1.exe
      Filesize

      348KB

      MD5

      36718e4b2c3f854427be03b5af3264a0

      SHA1

      117d4a068ed727fc7d22b283d7ca89a9177ba208

      SHA256

      a704f5b0501d516530a80c29903fe131bd2a8fbf8d6f09dc1a820be7e743eb5d

      SHA512

      86f1d355b2d56d399ad24e13a25b9ff17426f79a5ca2a7f0d1a6a44033f8c6487346bc912ae7ed1ff65163cc97ce542e0b48e45903fe93c0e7498044a572db5c

      Download Submit

    • memory/948-0-0x000007FEF6033000-0x000007FEF6034000-memory.dmp

      Filesize

      4KB

      Download

    • memory/948-1-0x0000000000D70000-0x0000000000DEC000-memory.dmp

      Filesize

      496KB

      Download

    • memory/948-11-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/948-16-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2192-12-0x0000000074E7E000-0x0000000074E7F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2192-13-0x0000000000CA0000-0x0000000000CFE000-memory.dmp

      Filesize

      376KB

      Download

    • memory/2192-14-0x0000000074E70000-0x000000007555E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2192-17-0x0000000074E7E000-0x0000000074E7F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2192-18-0x0000000074E70000-0x000000007555E000-memory.dmp

      Filesize

      6.9MB

      Download