quasar | 4a95103a4f893c6c17b66af8f872093b97d836f6277195e1c60339341da4f276

General

Target

4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe
Size

711KB
MD5

4e0a39ab057a9e884255df35dbf240ca
SHA1

9f431640264b1cbf5d8a9666d33c868a1e6ebfd7
SHA256

4a95103a4f893c6c17b66af8f872093b97d836f6277195e1c60339341da4f276
SHA512

7963afa8b19329b53e2fb12751ea04cceba8f58401315b16f21b300c555f5a8c4473ec19aec694a7f32789fa243dc0f8edc3247463a6f3551bff99fe858069a4
SSDEEP

12288:B8JsIitBttf+zZa7oPNr3JfjLxEwvmcmsq43reb+z3vt4snmMszSN:CaBJeK0r5hVvlRqEreq7WbY

Score

10^/10

quasar 1805 spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

1805

C2

allahoyunda.duckdns.org:1604

Mutex

QSR_MUTEX_Fq5eq2CLhdcvCvtnCW

Attributes

encryption_key
35KaV9hUWCm5Me7Z03OO
install_name
svchosts.exe
log_directory
Logs
reconnect_delay
3000
startup_key
java
subdirectory
svchost

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2004-9-0x0000000000400000-0x00000000004C9000-memory.dmp	family_quasar
behavioral1/memory/2004-12-0x0000000000400000-0x00000000004C9000-memory.dmp	family_quasar
behavioral1/memory/2004-11-0x0000000000530000-0x000000000058E000-memory.dmp	family_quasar
behavioral1/memory/2004-10-0x0000000000530000-0x000000000058E000-memory.dmp	family_quasar
behavioral1/memory/2004-8-0x0000000000400000-0x00000000004C9000-memory.dmp	family_quasar
behavioral1/memory/2004-24-0x0000000000400000-0x00000000004C9000-memory.dmp	family_quasar
behavioral1/memory/2004-23-0x0000000000400000-0x00000000004C9000-memory.dmp	family_quasar
behavioral1/memory/2004-25-0x0000000000400000-0x00000000004C9000-memory.dmp	family_quasar
behavioral1/memory/2632-43-0x0000000000380000-0x00000000003DE000-memory.dmp	family_quasar
behavioral1/memory/2632-54-0x0000000000400000-0x00000000004C9000-memory.dmp	family_quasar
behavioral1/memory/2004-57-0x0000000000400000-0x00000000004C9000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

Processes:

svchosts.exesvchosts.exe

pid process

3004 svchosts.exe
2632 svchosts.exe
Loads dropped DLL 3 IoCs

Processes:

4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exesvchosts.exe

pid process

2004 4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe
2004 4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe
3004 svchosts.exe

pid	process
3004	svchosts.exe
2632	svchosts.exe

pid	process
2004	4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe
2004	4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe
3004	svchosts.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2004-9-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2004-12-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2004-8-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2004-7-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2004-6-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

flow	ioc
2	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

svchosts.exe4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\svchost	svchosts.exe
File created	C:\Windows\SysWOW64\svchost\svchosts.exe	4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svchost\svchosts.exe	4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svchost\svchosts.exe	svchosts.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exesvchosts.exe

description	pid	process	target process
PID 3016 set thread context of 2004	3016	4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe	4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe
PID 3004 set thread context of 2632	3004	svchosts.exe	svchosts.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1464 schtasks.exe
2836 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exesvchosts.exe

pid process

3016 4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe
3004 svchosts.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exesvchosts.exe

pid process

3016 4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe
3004 svchosts.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exesvchosts.exe

description pid process

Token: SeDebugPrivilege 2004 4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe
Token: SeDebugPrivilege 2632 svchosts.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchosts.exe

pid process

2632 svchosts.exe

pid	process
1464	schtasks.exe
2836	schtasks.exe

pid	process
3016	4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe
3004	svchosts.exe

pid	process
3016	4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe
3004	svchosts.exe

description	pid	process
Token: SeDebugPrivilege	2004	4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe
Token: SeDebugPrivilege	2632	svchosts.exe

pid	process
2632	svchosts.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exesvchosts.exesvchosts.exe

description	pid	process	target process
PID 3016 wrote to memory of 2004	3016	4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe	4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe
PID 3016 wrote to memory of 2004	3016	4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe	4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe
PID 3016 wrote to memory of 2004	3016	4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe	4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe
PID 3016 wrote to memory of 2004	3016	4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe	4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe
PID 2004 wrote to memory of 1464	2004	4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe	schtasks.exe
PID 2004 wrote to memory of 1464	2004	4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe	schtasks.exe
PID 2004 wrote to memory of 1464	2004	4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe	schtasks.exe
PID 2004 wrote to memory of 1464	2004	4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe	schtasks.exe
PID 2004 wrote to memory of 3004	2004	4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe	svchosts.exe
PID 2004 wrote to memory of 3004	2004	4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe	svchosts.exe
PID 2004 wrote to memory of 3004	2004	4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe	svchosts.exe
PID 2004 wrote to memory of 3004	2004	4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe	svchosts.exe
PID 3004 wrote to memory of 2632	3004	svchosts.exe	svchosts.exe
PID 3004 wrote to memory of 2632	3004	svchosts.exe	svchosts.exe
PID 3004 wrote to memory of 2632	3004	svchosts.exe	svchosts.exe
PID 3004 wrote to memory of 2632	3004	svchosts.exe	svchosts.exe
PID 2632 wrote to memory of 2836	2632	svchosts.exe	schtasks.exe
PID 2632 wrote to memory of 2836	2632	svchosts.exe	schtasks.exe
PID 2632 wrote to memory of 2836	2632	svchosts.exe	schtasks.exe
PID 2632 wrote to memory of 2836	2632	svchosts.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Local\Temp\4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "java" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\4e0a39ab057a9e884255df35dbf240ca_JaffaCakes118.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1464

C:\Windows\SysWOW64\svchost\svchosts.exe
"C:\Windows\SysWOW64\svchost\svchosts.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\svchost\svchosts.exe
"C:\Windows\SysWOW64\svchost\svchosts.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "java" /sc ONLOGON /tr "C:\Windows\SysWOW64\svchost\svchosts.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\svchost\svchosts.exe

Filesize
711KB

MD5
4e0a39ab057a9e884255df35dbf240ca

SHA1
9f431640264b1cbf5d8a9666d33c868a1e6ebfd7

SHA256
4a95103a4f893c6c17b66af8f872093b97d836f6277195e1c60339341da4f276

SHA512
7963afa8b19329b53e2fb12751ea04cceba8f58401315b16f21b300c555f5a8c4473ec19aec694a7f32789fa243dc0f8edc3247463a6f3551bff99fe858069a4

Download Submit
memory/2004-7-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2004-11-0x0000000000530000-0x000000000058E000-memory.dmp

Filesize
376KB

Download
memory/2004-6-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2004-12-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2004-24-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2004-10-0x0000000000530000-0x000000000058E000-memory.dmp

Filesize
376KB

Download
memory/2004-8-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2004-23-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2004-9-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2004-57-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2004-25-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2632-43-0x0000000000380000-0x00000000003DE000-memory.dmp

Filesize
376KB

Download
memory/2632-54-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3004-38-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3016-1-0x000000000045A000-0x0000000000461000-memory.dmp

Filesize
28KB

Download
memory/3016-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/3016-2-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads