quasar | 8ad13febcc803f9ee8a83e5e5dad20e4ab0083b206d2b2c1e1bd5809125031be

General

Target

3c5a4a6e0984220de5f8945f7e7d2fb7_JaffaCakes118.exe
Size

470KB
MD5

3c5a4a6e0984220de5f8945f7e7d2fb7
SHA1

d8cc682345256e7529c06bf6dc61bd262bfb724f
SHA256

8ad13febcc803f9ee8a83e5e5dad20e4ab0083b206d2b2c1e1bd5809125031be
SHA512

22ecf95c7aab5c71beda5cf45f07d10e3d7b174751d46d5f157239272b84ec4001cc1ddcc4cc9d49c6c70dbb64cdda6e3b0111a0cb53266d23ded811f8905aa0
SSDEEP

6144:58E5banFRAD6ByRaFqLjWg5iVkLWHJsFZMrATekM5fLH7kWBxjdpCPyS9TDEx:t6ROuBOjWvVkLWH+TjSllDhBrpCP2

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

anglekeys.duckdns.org:4782

anglekeys.dynu.com:4782

anglekeys.dynu.net:4782

Mutex

QSR_MUTEX_sgMP7QuqDU0bxo1dBD

Attributes

encryption_key
NCiE6G1xAqLWGNL2JrfI
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT 3 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

Processes:

3c5a4a6e0984220de5f8945f7e7d2fb7_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelOpteronDriver21268EncedFile.aes	3c5a4a6e0984220de5f8945f7e7d2fb7_JaffaCakes118.exe
5	ip-api.com
41	ip-api.com

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelOpteronDriver21268Client-built1.exe	family_quasar
behavioral2/memory/4420-20-0x0000000000200000-0x000000000025E000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

IntelOpteronDriver21268Client-built1.exe3c5a4a6e0984220de5f8945f7e7d2fb7_JaffaCakes118.exeIntelOpteronDriver21268Client-built1.exeIntelOpteronDriver21268Client-built1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	IntelOpteronDriver21268Client-built1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	3c5a4a6e0984220de5f8945f7e7d2fb7_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	IntelOpteronDriver21268Client-built1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	IntelOpteronDriver21268Client-built1.exe

Drops startup file 3 IoCs

Processes:

3c5a4a6e0984220de5f8945f7e7d2fb7_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelOpteronDriver21268Client-built1.exe	3c5a4a6e0984220de5f8945f7e7d2fb7_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelOpteronDriver21268EncedFile.aes	3c5a4a6e0984220de5f8945f7e7d2fb7_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelOpteronDriver21268EncedFile.aes	3c5a4a6e0984220de5f8945f7e7d2fb7_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

Processes:

IntelOpteronDriver21268Client-built1.exeIntelOpteronDriver21268Client-built1.exeIntelOpteronDriver21268Client-built1.exeIntelOpteronDriver21268Client-built1.exe

pid	process
4420	IntelOpteronDriver21268Client-built1.exe
1592	IntelOpteronDriver21268Client-built1.exe
3784	IntelOpteronDriver21268Client-built1.exe
1964	IntelOpteronDriver21268Client-built1.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ip-api.com
41 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
5	ip-api.com
41	ip-api.com

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1588	4420	WerFault.exe	IntelOpteronDriver21268Client-built1.exe
2328	1592	WerFault.exe	IntelOpteronDriver21268Client-built1.exe
4848	3784	WerFault.exe	IntelOpteronDriver21268Client-built1.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1528 PING.EXE
2600 PING.EXE
3688 PING.EXE

pid	process
1528	PING.EXE
2600	PING.EXE
3688	PING.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

IntelOpteronDriver21268Client-built1.exeIntelOpteronDriver21268Client-built1.exeIntelOpteronDriver21268Client-built1.exeIntelOpteronDriver21268Client-built1.exe

description	pid	process
Token: SeDebugPrivilege	4420	IntelOpteronDriver21268Client-built1.exe
Token: SeDebugPrivilege	1592	IntelOpteronDriver21268Client-built1.exe
Token: SeDebugPrivilege	3784	IntelOpteronDriver21268Client-built1.exe
Token: SeDebugPrivilege	1964	IntelOpteronDriver21268Client-built1.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

IntelOpteronDriver21268Client-built1.exeIntelOpteronDriver21268Client-built1.exeIntelOpteronDriver21268Client-built1.exeIntelOpteronDriver21268Client-built1.exe

pid	process
4420	IntelOpteronDriver21268Client-built1.exe
1592	IntelOpteronDriver21268Client-built1.exe
3784	IntelOpteronDriver21268Client-built1.exe
1964	IntelOpteronDriver21268Client-built1.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

3c5a4a6e0984220de5f8945f7e7d2fb7_JaffaCakes118.exeIntelOpteronDriver21268Client-built1.execmd.exeIntelOpteronDriver21268Client-built1.execmd.exeIntelOpteronDriver21268Client-built1.execmd.exe

description	pid	process	target process
PID 2348 wrote to memory of 4420	2348	3c5a4a6e0984220de5f8945f7e7d2fb7_JaffaCakes118.exe	IntelOpteronDriver21268Client-built1.exe
PID 2348 wrote to memory of 4420	2348	3c5a4a6e0984220de5f8945f7e7d2fb7_JaffaCakes118.exe	IntelOpteronDriver21268Client-built1.exe
PID 2348 wrote to memory of 4420	2348	3c5a4a6e0984220de5f8945f7e7d2fb7_JaffaCakes118.exe	IntelOpteronDriver21268Client-built1.exe
PID 4420 wrote to memory of 2860	4420	IntelOpteronDriver21268Client-built1.exe	cmd.exe
PID 4420 wrote to memory of 2860	4420	IntelOpteronDriver21268Client-built1.exe	cmd.exe
PID 4420 wrote to memory of 2860	4420	IntelOpteronDriver21268Client-built1.exe	cmd.exe
PID 2860 wrote to memory of 4888	2860	cmd.exe	chcp.com
PID 2860 wrote to memory of 4888	2860	cmd.exe	chcp.com
PID 2860 wrote to memory of 4888	2860	cmd.exe	chcp.com
PID 2860 wrote to memory of 1528	2860	cmd.exe	PING.EXE
PID 2860 wrote to memory of 1528	2860	cmd.exe	PING.EXE
PID 2860 wrote to memory of 1528	2860	cmd.exe	PING.EXE
PID 2860 wrote to memory of 1592	2860	cmd.exe	IntelOpteronDriver21268Client-built1.exe
PID 2860 wrote to memory of 1592	2860	cmd.exe	IntelOpteronDriver21268Client-built1.exe
PID 2860 wrote to memory of 1592	2860	cmd.exe	IntelOpteronDriver21268Client-built1.exe
PID 1592 wrote to memory of 1056	1592	IntelOpteronDriver21268Client-built1.exe	cmd.exe
PID 1592 wrote to memory of 1056	1592	IntelOpteronDriver21268Client-built1.exe	cmd.exe
PID 1592 wrote to memory of 1056	1592	IntelOpteronDriver21268Client-built1.exe	cmd.exe
PID 1056 wrote to memory of 3652	1056	cmd.exe	chcp.com
PID 1056 wrote to memory of 3652	1056	cmd.exe	chcp.com
PID 1056 wrote to memory of 3652	1056	cmd.exe	chcp.com
PID 1056 wrote to memory of 2600	1056	cmd.exe	PING.EXE
PID 1056 wrote to memory of 2600	1056	cmd.exe	PING.EXE
PID 1056 wrote to memory of 2600	1056	cmd.exe	PING.EXE
PID 1056 wrote to memory of 3784	1056	cmd.exe	IntelOpteronDriver21268Client-built1.exe
PID 1056 wrote to memory of 3784	1056	cmd.exe	IntelOpteronDriver21268Client-built1.exe
PID 1056 wrote to memory of 3784	1056	cmd.exe	IntelOpteronDriver21268Client-built1.exe
PID 3784 wrote to memory of 4024	3784	IntelOpteronDriver21268Client-built1.exe	cmd.exe
PID 3784 wrote to memory of 4024	3784	IntelOpteronDriver21268Client-built1.exe	cmd.exe
PID 3784 wrote to memory of 4024	3784	IntelOpteronDriver21268Client-built1.exe	cmd.exe
PID 4024 wrote to memory of 4960	4024	cmd.exe	chcp.com
PID 4024 wrote to memory of 4960	4024	cmd.exe	chcp.com
PID 4024 wrote to memory of 4960	4024	cmd.exe	chcp.com
PID 4024 wrote to memory of 3688	4024	cmd.exe	PING.EXE
PID 4024 wrote to memory of 3688	4024	cmd.exe	PING.EXE
PID 4024 wrote to memory of 3688	4024	cmd.exe	PING.EXE
PID 4024 wrote to memory of 1964	4024	cmd.exe	IntelOpteronDriver21268Client-built1.exe
PID 4024 wrote to memory of 1964	4024	cmd.exe	IntelOpteronDriver21268Client-built1.exe
PID 4024 wrote to memory of 1964	4024	cmd.exe	IntelOpteronDriver21268Client-built1.exe

C:\Users\Admin\AppData\Local\Temp\3c5a4a6e0984220de5f8945f7e7d2fb7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3c5a4a6e0984220de5f8945f7e7d2fb7_JaffaCakes118.exe"
1⤵
- Quasar RAT
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2348

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelOpteronDriver21268Client-built1.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelOpteronDriver21268Client-built1.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ORQfKyKWeewa.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4888

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1528

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelOpteronDriver21268Client-built1.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelOpteronDriver21268Client-built1.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uxzgCDUAcD5x.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:3652

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2600

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelOpteronDriver21268Client-built1.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelOpteronDriver21268Client-built1.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\owTvdotwDdwi.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:4960

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:3688

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelOpteronDriver21268Client-built1.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelOpteronDriver21268Client-built1.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 2016
7⤵
- Program crash
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 2284
5⤵
- Program crash
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 1652
3⤵
- Program crash
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4420 -ip 4420
1⤵
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1592 -ip 1592
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3784 -ip 3784
1⤵
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ORQfKyKWeewa.bat

Filesize
276B

MD5
85e1ef8c1a7d5d11dc64837631440da9

SHA1
9b6eac9edd18366dde96a1ad997e1b72a304bb09

SHA256
3a9cd1ffe8e90a28dc2e7b2c9a87d2b5fd1fb4af257a699a52bcf22a7109f89b

SHA512
2a6db09272079166918644680bd409323d5e9840aaf793044056207ae3b87c67494919766a7343e9af3e08dc273ab2d645defd5222a7d8fa5ac600116c52d4a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\owTvdotwDdwi.bat

Filesize
276B

MD5
a80e1093d30c93c31f48ed49bf1301fe

SHA1
5168a1ae254a7d6096aa2ed9b8893eb58ec4b783

SHA256
0dc302e70eb27080bc365f067c667f98b846c692854b4f7a59d27e8178716e59

SHA512
db51a564483be07ef02856d33d525622b1c2ee36dc13036477a37c21ea340e1afa28140aaf5298718c3e5b8472de2ae61f2ba67cfb7c27fbbca8f300fd942c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxzgCDUAcD5x.bat

Filesize
276B

MD5
8bd0a86a2d355fce6a8271d03dda7487

SHA1
0dd1a40bdb7bf4ced64a790a12576f99ff0a0a34

SHA256
144203e00220204d2987d260be5dc8cb0de672b5646dbc914cf22dd9317414b8

SHA512
2fd4809c37a0a20ef8b6c7960afe73cdeadc00873b7a21b8a98bf4d829714162c87e5cee8ce783804dfe5c4ee9be08a973e1eb0747878ec0179d4461c8abf86a

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-13-2024

Filesize
224B

MD5
9047731adbc05d8875d0fdc60ab3ea25

SHA1
99671d78f348dc2c5e5a84992639b2b356161d48

SHA256
05daadbf630f478e8003bdab6d2210c3967621b1597bbc54679fe201da186955

SHA512
c29f7c2fc5198325541b3f37c69d51414b03912882505c90d11b391ab000d6972eced5174471175d8528a01dab0de181d1b38251764d88d24447cefe768341ee

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-13-2024

Filesize
224B

MD5
0f27aa3418b84dc8b8404e9673c55a8f

SHA1
9e78722839a55881a151f2fa830cf3512ed6a777

SHA256
f087e326ff11652e3eecc576c53598310dd94ec633e219cef20a5a035f578480

SHA512
5cb28229041e7913fa38ddc16705954bb4badcfae99c95403c1e0dbe5530913bbf3071463abcf2da7f612d29d04df753f43d2deaba49d0cec1ed05791bfcecf9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelOpteronDriver21268Client-built1.exe

Filesize
348KB

MD5
36718e4b2c3f854427be03b5af3264a0

SHA1
117d4a068ed727fc7d22b283d7ca89a9177ba208

SHA256
a704f5b0501d516530a80c29903fe131bd2a8fbf8d6f09dc1a820be7e743eb5d

SHA512
86f1d355b2d56d399ad24e13a25b9ff17426f79a5ca2a7f0d1a6a44033f8c6487346bc912ae7ed1ff65163cc97ce542e0b48e45903fe93c0e7498044a572db5c

Download Submit
memory/2348-0-0x0000000000760000-0x00000000007DC000-memory.dmp

Filesize
496KB

Download
memory/2348-1-0x00007FFE899C3000-0x00007FFE899C5000-memory.dmp

Filesize
8KB

Download
memory/2348-6-0x00007FFE899C0000-0x00007FFE8A481000-memory.dmp

Filesize
10.8MB

Download
memory/2348-18-0x00007FFE899C0000-0x00007FFE8A481000-memory.dmp

Filesize
10.8MB

Download
memory/4420-24-0x0000000004D10000-0x0000000004D76000-memory.dmp

Filesize
408KB

Download
memory/4420-25-0x0000000005970000-0x0000000005982000-memory.dmp

Filesize
72KB

Download
memory/4420-26-0x0000000005EB0000-0x0000000005EEC000-memory.dmp

Filesize
240KB

Download
memory/4420-28-0x0000000006240000-0x000000000624A000-memory.dmp

Filesize
40KB

Download
memory/4420-29-0x0000000074D2E000-0x0000000074D2F000-memory.dmp

Filesize
4KB

Download
memory/4420-30-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/4420-23-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/4420-35-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/4420-22-0x0000000004C70000-0x0000000004D02000-memory.dmp

Filesize
584KB

Download
memory/4420-21-0x0000000005120000-0x00000000056C4000-memory.dmp

Filesize
5.6MB

Download
memory/4420-20-0x0000000000200000-0x000000000025E000-memory.dmp

Filesize
376KB

Download
memory/4420-19-0x0000000074D2E000-0x0000000074D2F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads