quasar | 036ccf870c0c626dfab5ff245db67b961d6669af26c3694992b56271a4e979ea

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe
Size

6.3MB
MD5

4c2035a0494f1e280a9383677f2501fd
SHA1

ce190f82c9bdf2652906cafba1a6727e276fd540
SHA256

036ccf870c0c626dfab5ff245db67b961d6669af26c3694992b56271a4e979ea
SHA512

39206b5b9c00ce04bd1e710f0af7f76f4c522d019f55f7c32c62f9973ec12123fd7dd03897e6de3ed925519dcd263f4981ed7d34ee01304642440fbe2a7e0108
SSDEEP

98304:awAwD+xPQPHGGHtWUolKiTQSLQ+NIv9xEDginRBnyecCkyzyNjk:awBAPoHtBoFTQSLQ9VxyyecCLz7

Score

10^/10

quasar syscmd spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

SyScmd

91.211.251.108:4782

Mutex

QSR_MUTEX_qwefagr3235weasfefwwef

Attributes

encryption_key
nWKoI3fOkpyNHoDWEE4y
install_name
Update.exe
log_directory
Logs
reconnect_delay
3000
startup_key
syswow
subdirectory
Microsoft\Windows\Update

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1192-90-0x0000000000400000-0x0000000000754000-memory.dmp	family_quasar

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ip-api.com

flow	ioc
5	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

Processes:

4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe

pid	process
1192	4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe
1192	4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe
1192	4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe
1192	4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe
1192	4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe
1192	4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe
1192	4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe
1192	4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe
1192	4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe
1192	4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe
1192	4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe
1192	4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe
1192	4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe
1192	4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe
1192	4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe
1192	4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe

description	pid	process
Token: 33	1192	4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1192	4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe
Token: 33	1192	4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1192	4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe
Token: 33	1192	4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1192	4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe
Token: SeDebugPrivilege	1192	4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe

pid process

1192 4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4c2035a0494f1e280a9383677f2501fd_JaffaCakes118.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1192-7-0x0000000077433000-0x0000000077434000-memory.dmp

Filesize
4KB

Download
memory/1192-6-0x0000000077432000-0x0000000077433000-memory.dmp

Filesize
4KB

Download
memory/1192-5-0x0000000000EC0000-0x000000000120A000-memory.dmp

Filesize
3.3MB

Download
memory/1192-8-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1192-11-0x0000000000EC0000-0x000000000120A000-memory.dmp

Filesize
3.3MB

Download
memory/1192-12-0x0000000000EC0000-0x000000000120A000-memory.dmp

Filesize
3.3MB

Download
memory/1192-10-0x0000000000EC0000-0x000000000120A000-memory.dmp

Filesize
3.3MB

Download
memory/1192-9-0x0000000000EC0000-0x000000000120A000-memory.dmp

Filesize
3.3MB

Download
memory/1192-13-0x0000000000EC0000-0x000000000120A000-memory.dmp

Filesize
3.3MB

Download
memory/1192-16-0x0000000000EC0000-0x000000000120A000-memory.dmp

Filesize
3.3MB

Download
memory/1192-19-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/1192-27-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download
memory/1192-26-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/1192-42-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download
memory/1192-52-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download
memory/1192-54-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/1192-50-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download
memory/1192-48-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download
memory/1192-44-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download
memory/1192-46-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download
memory/1192-25-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/1192-24-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/1192-15-0x0000000000EC0000-0x000000000120A000-memory.dmp

Filesize
3.3MB

Download
memory/1192-14-0x0000000000EC0000-0x000000000120A000-memory.dmp

Filesize
3.3MB

Download
memory/1192-18-0x0000000000EC0000-0x000000000120A000-memory.dmp

Filesize
3.3MB

Download
memory/1192-55-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download
memory/1192-56-0x00000000740E0000-0x0000000074132000-memory.dmp

Filesize
328KB

Download
memory/1192-58-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download
memory/1192-71-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download
memory/1192-72-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download
memory/1192-79-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/1192-78-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/1192-77-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/1192-76-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/1192-75-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/1192-74-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/1192-91-0x00000000071B0000-0x0000000007754000-memory.dmp

Filesize
5.6MB

Download
memory/1192-92-0x0000000007760000-0x00000000077F2000-memory.dmp

Filesize
584KB

Download
memory/1192-90-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download
memory/1192-73-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download
memory/1192-70-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download
memory/1192-68-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download
memory/1192-67-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download
memory/1192-66-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download
memory/1192-65-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download
memory/1192-63-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download
memory/1192-62-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download
memory/1192-60-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download
memory/1192-93-0x0000000007800000-0x0000000007866000-memory.dmp

Filesize
408KB

Download
memory/1192-59-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download
memory/1192-103-0x0000000007AD0000-0x0000000007AE2000-memory.dmp

Filesize
72KB

Download
memory/1192-69-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download
memory/1192-64-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download
memory/1192-61-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download
memory/1192-104-0x0000000007DA0000-0x0000000007DDC000-memory.dmp

Filesize
240KB

Download
memory/1192-105-0x0000000000EC0000-0x000000000120A000-memory.dmp

Filesize
3.3MB

Download
memory/1192-106-0x0000000077432000-0x0000000077433000-memory.dmp

Filesize
4KB

Download
memory/1192-107-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1192-108-0x00000000081A0000-0x00000000081AA000-memory.dmp

Filesize
40KB

Download