quasar | 2261f624e99b92e00913fd0fc189ae96bb115b3ae5b393e0170066f032b12af1

General

Target

48578ca46a647e621583b8b3da2bbbc4_JaffaCakes118.exe
Size

1.2MB
MD5

48578ca46a647e621583b8b3da2bbbc4
SHA1

d18da5d905ddc8977a63019df1aa32032c94a946
SHA256

2261f624e99b92e00913fd0fc189ae96bb115b3ae5b393e0170066f032b12af1
SHA512

55da81e0b1002f6678d64989939836606c40da7b65c43be12de41e0b5a365ed73d9b97aa41f94f9deea5d813707353630b7c70740f523af5aa576dd80bdde0ec
SSDEEP

24576:X53uhF8ZcjXB476PaZMr5U3aDAWaPUPTRNTwX6KR8+:X5+hFxPaZSCOtNkq8

Score

10^/10

quasar office spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

C2

5.45.65.1:5552

Mutex

yeGmQfVnPgbImyPaxF

Attributes

encryption_key
983PIud97BRSEjju8fCD
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3196-27-0x00000000127A0000-0x00000000127EE000-memory.dmp	family_quasar

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

certutil.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

48578ca46a647e621583b8b3da2bbbc4_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	48578ca46a647e621583b8b3da2bbbc4_JaffaCakes118.exe

Drops startup file 1 IoCs

Processes:

csrss.com

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aes.url csrss.com
Executes dropped EXE 3 IoCs

Processes:

csrss.comcsrss.comRegAsm.exe

pid process

4260 csrss.com
3248 csrss.com
3196 RegAsm.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

41 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

csrss.com

description pid process target process

PID 3248 set thread context of 3196 3248 csrss.com RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

3664 PING.EXE
2276 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 3196 RegAsm.exe
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

csrss.comcsrss.com

pid process

4260 csrss.com
4260 csrss.com
4260 csrss.com
3248 csrss.com
3248 csrss.com
3248 csrss.com
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

csrss.comcsrss.com

pid process

4260 csrss.com
4260 csrss.com
4260 csrss.com
3248 csrss.com
3248 csrss.com
3248 csrss.com

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aes.url	csrss.com

pid	process
4260	csrss.com
3248	csrss.com
3196	RegAsm.exe

flow	ioc
41	ip-api.com

description	pid	process	target process
PID 3248 set thread context of 3196	3248	csrss.com	RegAsm.exe

pid	process
3664	PING.EXE
2276	PING.EXE

description	pid	process
Token: SeDebugPrivilege	3196	RegAsm.exe

pid	process
4260	csrss.com
4260	csrss.com
4260	csrss.com
3248	csrss.com
3248	csrss.com
3248	csrss.com

pid	process
4260	csrss.com
4260	csrss.com
4260	csrss.com
3248	csrss.com
3248	csrss.com
3248	csrss.com

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

48578ca46a647e621583b8b3da2bbbc4_JaffaCakes118.execmd.execmd.execsrss.comcsrss.com

description	pid	process	target process
PID 1112 wrote to memory of 4664	1112	48578ca46a647e621583b8b3da2bbbc4_JaffaCakes118.exe	cmd.exe
PID 1112 wrote to memory of 4664	1112	48578ca46a647e621583b8b3da2bbbc4_JaffaCakes118.exe	cmd.exe
PID 1112 wrote to memory of 4664	1112	48578ca46a647e621583b8b3da2bbbc4_JaffaCakes118.exe	cmd.exe
PID 1112 wrote to memory of 3412	1112	48578ca46a647e621583b8b3da2bbbc4_JaffaCakes118.exe	cmd.exe
PID 1112 wrote to memory of 3412	1112	48578ca46a647e621583b8b3da2bbbc4_JaffaCakes118.exe	cmd.exe
PID 1112 wrote to memory of 3412	1112	48578ca46a647e621583b8b3da2bbbc4_JaffaCakes118.exe	cmd.exe
PID 3412 wrote to memory of 872	3412	cmd.exe	cmd.exe
PID 3412 wrote to memory of 872	3412	cmd.exe	cmd.exe
PID 3412 wrote to memory of 872	3412	cmd.exe	cmd.exe
PID 872 wrote to memory of 3664	872	cmd.exe	PING.EXE
PID 872 wrote to memory of 3664	872	cmd.exe	PING.EXE
PID 872 wrote to memory of 3664	872	cmd.exe	PING.EXE
PID 872 wrote to memory of 2460	872	cmd.exe	certutil.exe
PID 872 wrote to memory of 2460	872	cmd.exe	certutil.exe
PID 872 wrote to memory of 2460	872	cmd.exe	certutil.exe
PID 872 wrote to memory of 4260	872	cmd.exe	csrss.com
PID 872 wrote to memory of 4260	872	cmd.exe	csrss.com
PID 872 wrote to memory of 4260	872	cmd.exe	csrss.com
PID 872 wrote to memory of 2276	872	cmd.exe	PING.EXE
PID 872 wrote to memory of 2276	872	cmd.exe	PING.EXE
PID 872 wrote to memory of 2276	872	cmd.exe	PING.EXE
PID 4260 wrote to memory of 3248	4260	csrss.com	csrss.com
PID 4260 wrote to memory of 3248	4260	csrss.com	csrss.com
PID 4260 wrote to memory of 3248	4260	csrss.com	csrss.com
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe
PID 3248 wrote to memory of 3196	3248	csrss.com	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\48578ca46a647e621583b8b3da2bbbc4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\48578ca46a647e621583b8b3da2bbbc4_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo JzHWSBvTS
2⤵
PID:4664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < oNuxTjCXjWnYpM.com
2⤵
- Suspicious use of WriteProcessMemory
PID:3412

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\PING.EXE
ping -n 1 SrHBN.SqZJ
4⤵
- Runs ping.exe
PID:3664

C:\Windows\SysWOW64\certutil.exe
certutil -decode Lhe.com y
4⤵
- Manipulates Digital Signatures
PID:2460

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com
csrss.com y
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4260

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com y
5⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3248

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3196

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\HSamoVfevY.com

Filesize
921KB

MD5
dab8f26db6e8d76655d96b463513ce6a

SHA1
ea9c3631f94233c06750776cd9bd18e27fbd8677

SHA256
549d70cf61a50e8970e274bf7e76f4c9fab1e185189a8ad074e2a5bdea39005b

SHA512
e406093eb802a5edbdc0e5f0a849d7f58f10dded413db9b6e0a4788125ba73c5b90f5d42a5d98ac68ba2e1fc01879c1403f32cfb3d8e5c26231c58e9751c2093

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\KjEeEFcMnmgksGRLWGE.com

Filesize
288KB

MD5
50e71d12a6308a43ecafdff7c0c288ed

SHA1
ace1d17c0ffacfa236090c947dc641973edb52cf

SHA256
8c518b693e8030f1889578ccf7eaf3387f00ab0d80f08dcd2ce4c7e709cd74a1

SHA512
e9c3cb2cb331ee12baa8efeb80c9d7a24a1b2c350ef1160d5b09c6481a895850e0eb8802692f1ba4a59b3b192354267cd6f0205c7babaf5db089ca3f4408a542

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Lhe.com

Filesize
1.3MB

MD5
52eaf780e2565257d38cb1b928fc7bd7

SHA1
d7f7b5180966241b1408d69cb75913b82f9975cc

SHA256
41de5f343229c79727df473de3b8e2fd8cdfcf495df5dbf039930c789f4aa473

SHA512
65a85f84ab0bc6cb5ad593aa7a84472b0f0bb717097daece9fb3845fc87f01f9c0eb9f03ee8f08477c5b2dbb35ce27a376fdc52e1c5f9d3f391bbf9116645459

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\oNuxTjCXjWnYpM.com

Filesize
2KB

MD5
7e79b5745337937bd60e266c1f045229

SHA1
f165e11b04bc713ee702c6052b430af2157d74ec

SHA256
412bed46d2ea8b3aa867940e3feae8889ca0669cd03097f7f83a39823d9a9f3c

SHA512
66aa34a36e6f370018ebf00e4bd948fa19cad1f2fef0a6af6984d8da0ed270cc09b8f1fe3fdb06a7caf6b0302855b508cf35b45c55141eb3c8a7f739b3bd1ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\y

Filesize
934KB

MD5
6598c41a263fcf26913b8e26711c5bc0

SHA1
1505e9b28252c11b99016fb86ac89eb4bb99e382

SHA256
2d4521be86113f3f235149feb339401106524c644a09faed37a1e7bc17cac9c1

SHA512
289d6e7ccfacefdad592faa263980adad656e90368475392b1c9b529104a0d2f74ad875b4913210f000ac3edc77c9701f24b0f23bea9b80376645c8e4d272346

Download Submit
memory/3196-27-0x00000000127A0000-0x00000000127EE000-memory.dmp

Filesize
312KB

Download
memory/3196-31-0x0000000017230000-0x00000000177D4000-memory.dmp

Filesize
5.6MB

Download
memory/3196-32-0x0000000016D80000-0x0000000016E12000-memory.dmp

Filesize
584KB

Download
memory/3196-38-0x0000000016D00000-0x0000000016D66000-memory.dmp

Filesize
408KB

Download
memory/3196-39-0x0000000017A10000-0x0000000017A22000-memory.dmp

Filesize
72KB

Download
memory/3196-40-0x0000000017F50000-0x0000000017F8C000-memory.dmp

Filesize
240KB

Download
memory/3196-41-0x0000000018110000-0x000000001811A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads