quasar | ba5fad18ee46eddf4b5934ca3fe9468f3beda482c031c5c4c294d30fbc6717d3

General

Target

45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe
Size

658KB
MD5

45303daac5f89e133dd82a6e3daa6053
SHA1

cf18d75d69bbc8554ccdd32a9def207b6abb3fea
SHA256

ba5fad18ee46eddf4b5934ca3fe9468f3beda482c031c5c4c294d30fbc6717d3
SHA512

99ff552be6edded807101365e0b59eb9993290d611e791d02bc3cfcb4d80db51da64ae9b672b5b17d8839c6f5d9c5efe3ece60da18f2b5bc3aa0109fc9a88cd3
SSDEEP

12288:OKEr+MYYF0QO2EHm81/09S6I6YZXIG/ZofFWj7:rEKMYq926YGiYsj7

Score

10^/10

quasar office04 persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

simplyrat.ddns.net:7777

Mutex

QSR_MUTEX_Icgj5r6QyqJxuPNxJ7

Attributes

encryption_key
FAZB6Y2s3Cy7dzM0vpDh7SmeuqfXDwSw
install_name
skinchanger.exe
log_directory
Logs
reconnect_delay
3000
startup_key
CS:GO Skin Changer
subdirectory
windows64

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1968-1-0x0000000000C10000-0x0000000000CBA000-memory.dmp	family_quasar
\Users\Admin\AppData\Roaming\windows64\skinchanger.exe	family_quasar
behavioral1/memory/2560-10-0x0000000000310000-0x00000000003BA000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

Processes:

skinchanger.exeskinchanger.exe

pid process

2560 skinchanger.exe
2756 skinchanger.exe
Loads dropped DLL 6 IoCs

Processes:

45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exeWerFault.exe

pid process

1968 45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe
2968 WerFault.exe
2968 WerFault.exe
2968 WerFault.exe
2968 WerFault.exe
2968 WerFault.exe

pid	process
2560	skinchanger.exe
2756	skinchanger.exe

pid	process
1968	45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe
2968	WerFault.exe
2968	WerFault.exe
2968	WerFault.exe
2968	WerFault.exe
2968	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

skinchanger.exe45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\CS:GO Skin Changer = "\"C:\\Users\\Admin\\AppData\\Roaming\\windows64\\skinchanger.exe\""	skinchanger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\CS:GO Skin Changer = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe\""	45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2968 2560 WerFault.exe skinchanger.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2736 schtasks.exe
2628 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2120 PING.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exeskinchanger.exe

description pid process

Token: SeDebugPrivilege 1968 45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe
Token: SeDebugPrivilege 2560 skinchanger.exe

flow	ioc
2	ip-api.com

pid	pid_target	process	target process
2968	2560	WerFault.exe	skinchanger.exe

pid	process
2736	schtasks.exe
2628	schtasks.exe

pid	process
2120	PING.EXE

description	pid	process
Token: SeDebugPrivilege	1968	45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe
Token: SeDebugPrivilege	2560	skinchanger.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exeskinchanger.execmd.exe

description	pid	process	target process
PID 1968 wrote to memory of 2736	1968	45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe	schtasks.exe
PID 1968 wrote to memory of 2736	1968	45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe	schtasks.exe
PID 1968 wrote to memory of 2736	1968	45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe	schtasks.exe
PID 1968 wrote to memory of 2736	1968	45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe	schtasks.exe
PID 1968 wrote to memory of 2560	1968	45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe	skinchanger.exe
PID 1968 wrote to memory of 2560	1968	45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe	skinchanger.exe
PID 1968 wrote to memory of 2560	1968	45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe	skinchanger.exe
PID 1968 wrote to memory of 2560	1968	45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe	skinchanger.exe
PID 2560 wrote to memory of 2628	2560	skinchanger.exe	schtasks.exe
PID 2560 wrote to memory of 2628	2560	skinchanger.exe	schtasks.exe
PID 2560 wrote to memory of 2628	2560	skinchanger.exe	schtasks.exe
PID 2560 wrote to memory of 2628	2560	skinchanger.exe	schtasks.exe
PID 2560 wrote to memory of 2960	2560	skinchanger.exe	cmd.exe
PID 2560 wrote to memory of 2960	2560	skinchanger.exe	cmd.exe
PID 2560 wrote to memory of 2960	2560	skinchanger.exe	cmd.exe
PID 2560 wrote to memory of 2960	2560	skinchanger.exe	cmd.exe
PID 2960 wrote to memory of 2300	2960	cmd.exe	chcp.com
PID 2960 wrote to memory of 2300	2960	cmd.exe	chcp.com
PID 2960 wrote to memory of 2300	2960	cmd.exe	chcp.com
PID 2960 wrote to memory of 2300	2960	cmd.exe	chcp.com
PID 2560 wrote to memory of 2968	2560	skinchanger.exe	WerFault.exe
PID 2560 wrote to memory of 2968	2560	skinchanger.exe	WerFault.exe
PID 2560 wrote to memory of 2968	2560	skinchanger.exe	WerFault.exe
PID 2560 wrote to memory of 2968	2560	skinchanger.exe	WerFault.exe
PID 2960 wrote to memory of 2120	2960	cmd.exe	PING.EXE
PID 2960 wrote to memory of 2120	2960	cmd.exe	PING.EXE
PID 2960 wrote to memory of 2120	2960	cmd.exe	PING.EXE
PID 2960 wrote to memory of 2120	2960	cmd.exe	PING.EXE
PID 2960 wrote to memory of 2756	2960	cmd.exe	skinchanger.exe
PID 2960 wrote to memory of 2756	2960	cmd.exe	skinchanger.exe
PID 2960 wrote to memory of 2756	2960	cmd.exe	skinchanger.exe
PID 2960 wrote to memory of 2756	2960	cmd.exe	skinchanger.exe

C:\Users\Admin\AppData\Local\Temp\45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "CS:GO Skin Changer" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2736

C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe
"C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "CS:GO Skin Changer" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2628

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gvIR9Tg7nV4V.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:2300

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2120

C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe
"C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe"
4⤵
- Executes dropped EXE
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 1452
3⤵
- Loads dropped DLL
- Program crash
PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gvIR9Tg7nV4V.bat

Filesize
215B

MD5
19c772f1d0286e0fe070a6027b50d69a

SHA1
77b27354a230f37390c1534da0e192685e55fea1

SHA256
e1479fad4b24b9e14a2d9e597782e1416a80282e88a63be06760e30bb906910e

SHA512
225e4f4a3a6b127bafbe78d7ecebbc9a758753a5d4e613322e00b288038f5e4fdf63ea2305ff86b30ed3c8432ad35bdbc27c69828130f254c729551fa25b34f0

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\windows64\skinchanger.exe

Filesize
658KB

MD5
45303daac5f89e133dd82a6e3daa6053

SHA1
cf18d75d69bbc8554ccdd32a9def207b6abb3fea

SHA256
ba5fad18ee46eddf4b5934ca3fe9468f3beda482c031c5c4c294d30fbc6717d3

SHA512
99ff552be6edded807101365e0b59eb9993290d611e791d02bc3cfcb4d80db51da64ae9b672b5b17d8839c6f5d9c5efe3ece60da18f2b5bc3aa0109fc9a88cd3

Download Submit
memory/1968-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/1968-1-0x0000000000C10000-0x0000000000CBA000-memory.dmp

Filesize
680KB

Download
memory/1968-2-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/1968-13-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2560-10-0x0000000000310000-0x00000000003BA000-memory.dmp

Filesize
680KB

Download
memory/2560-12-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2560-11-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2560-30-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads