quasar | ab5ac2f957bb8b1f6a9091d6da58f1afb57a15553bad1434020f3ef26b1063af

General

Target

666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
Size

604KB
MD5

666fbcded6f5f768d1c433710bdfb97a
SHA1

05f5c8ae533b83759c44563e4ec9bd5f352ba52b
SHA256

ab5ac2f957bb8b1f6a9091d6da58f1afb57a15553bad1434020f3ef26b1063af
SHA512

b2a7b1a6637fd974decb7c31362084c2ded234cec2301dfc5275b295802f98ac77c1e64c1eedaf9acce2168795b4f5cfc7da899734f57ef38bbcf688a295424b
SSDEEP

12288:nX7OBZwbZsAiaFyzppofiZu5+5urMBgkS9UOIK:mZw1B8zpYiw5wOMCkSuOIK

Score

10^/10

quasar office04 persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

192.168.0.35:6969

Mutex

QSR_MUTEX_A682BosRnRdjNjsQHf

Attributes

encryption_key
kmHPXJ9zDF9KCDBwlFlP
install_name
hello.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowStartup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2648-9-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/2648-13-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/2648-17-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/2648-15-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/2648-7-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

Executes dropped EXE 3 IoCs

Processes:

hello.exehello.exehello.exe

pid process

2604 hello.exe
2984 hello.exe
2136 hello.exe
Loads dropped DLL 1 IoCs

Processes:

666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe

pid process

2648 666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe

pid	process
2604	hello.exe
2984	hello.exe
2136	hello.exe

pid	process
2648	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update Folder\\Windows Update.exe"	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

flow	ioc
2	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exehello.exe

description	pid	process	target process
PID 2908 set thread context of 2648	2908	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
PID 2604 set thread context of 2136	2604	hello.exe	hello.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2496 schtasks.exe
1824 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

hello.exe

pid process

2604 hello.exe

pid	process
2496	schtasks.exe
1824	schtasks.exe

pid	process
2604	hello.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exehello.exehello.exe

description	pid	process
Token: SeDebugPrivilege	2648	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
Token: SeDebugPrivilege	2604	hello.exe
Token: SeDebugPrivilege	2136	hello.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

hello.exe

pid process

2136 hello.exe

pid	process
2136	hello.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exehello.exehello.exe

description	pid	process	target process
PID 2908 wrote to memory of 2648	2908	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
PID 2908 wrote to memory of 2648	2908	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
PID 2908 wrote to memory of 2648	2908	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
PID 2908 wrote to memory of 2648	2908	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
PID 2908 wrote to memory of 2648	2908	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
PID 2908 wrote to memory of 2648	2908	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
PID 2908 wrote to memory of 2648	2908	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
PID 2908 wrote to memory of 2648	2908	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
PID 2908 wrote to memory of 2648	2908	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
PID 2648 wrote to memory of 2496	2648	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	schtasks.exe
PID 2648 wrote to memory of 2496	2648	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	schtasks.exe
PID 2648 wrote to memory of 2496	2648	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	schtasks.exe
PID 2648 wrote to memory of 2496	2648	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	schtasks.exe
PID 2648 wrote to memory of 2604	2648	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	hello.exe
PID 2648 wrote to memory of 2604	2648	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	hello.exe
PID 2648 wrote to memory of 2604	2648	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	hello.exe
PID 2648 wrote to memory of 2604	2648	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	hello.exe
PID 2604 wrote to memory of 2984	2604	hello.exe	hello.exe
PID 2604 wrote to memory of 2984	2604	hello.exe	hello.exe
PID 2604 wrote to memory of 2984	2604	hello.exe	hello.exe
PID 2604 wrote to memory of 2984	2604	hello.exe	hello.exe
PID 2604 wrote to memory of 2136	2604	hello.exe	hello.exe
PID 2604 wrote to memory of 2136	2604	hello.exe	hello.exe
PID 2604 wrote to memory of 2136	2604	hello.exe	hello.exe
PID 2604 wrote to memory of 2136	2604	hello.exe	hello.exe
PID 2604 wrote to memory of 2136	2604	hello.exe	hello.exe
PID 2604 wrote to memory of 2136	2604	hello.exe	hello.exe
PID 2604 wrote to memory of 2136	2604	hello.exe	hello.exe
PID 2604 wrote to memory of 2136	2604	hello.exe	hello.exe
PID 2604 wrote to memory of 2136	2604	hello.exe	hello.exe
PID 2136 wrote to memory of 1824	2136	hello.exe	schtasks.exe
PID 2136 wrote to memory of 1824	2136	hello.exe	schtasks.exe
PID 2136 wrote to memory of 1824	2136	hello.exe	schtasks.exe
PID 2136 wrote to memory of 1824	2136	hello.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2908

C:\Users\Admin\AppData\Local\Temp\666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "WindowStartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2496

C:\Users\Admin\AppData\Roaming\SubDir\hello.exe
"C:\Users\Admin\AppData\Roaming\SubDir\hello.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604

C:\Users\Admin\AppData\Roaming\SubDir\hello.exe
"C:\Users\Admin\AppData\Roaming\SubDir\hello.exe"
4⤵
- Executes dropped EXE
PID:2984

C:\Users\Admin\AppData\Roaming\SubDir\hello.exe
"C:\Users\Admin\AppData\Roaming\SubDir\hello.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "WindowStartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\hello.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1824

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\SubDir\hello.exe
Filesize
604KB

MD5
666fbcded6f5f768d1c433710bdfb97a

SHA1
05f5c8ae533b83759c44563e4ec9bd5f352ba52b

SHA256
ab5ac2f957bb8b1f6a9091d6da58f1afb57a15553bad1434020f3ef26b1063af

SHA512
b2a7b1a6637fd974decb7c31362084c2ded234cec2301dfc5275b295802f98ac77c1e64c1eedaf9acce2168795b4f5cfc7da899734f57ef38bbcf688a295424b

Download Submit
memory/2136-38-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2604-27-0x00000000000E0000-0x000000000017C000-memory.dmp

Filesize
624KB

Download
memory/2648-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2648-6-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2648-13-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2648-17-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2648-15-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2648-28-0x0000000074200000-0x00000000748EE000-memory.dmp

Filesize
6.9MB

Download
memory/2648-7-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2648-9-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2648-19-0x0000000074200000-0x00000000748EE000-memory.dmp

Filesize
6.9MB

Download
memory/2648-18-0x0000000074200000-0x00000000748EE000-memory.dmp

Filesize
6.9MB

Download
memory/2648-4-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2908-3-0x0000000000410000-0x000000000041A000-memory.dmp

Filesize
40KB

Download
memory/2908-0-0x000000007420E000-0x000000007420F000-memory.dmp

Filesize
4KB

Download
memory/2908-1-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads