quasar | ab5ac2f957bb8b1f6a9091d6da58f1afb57a15553bad1434020f3ef26b1063af

General

Target

666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
Size

604KB
MD5

666fbcded6f5f768d1c433710bdfb97a
SHA1

05f5c8ae533b83759c44563e4ec9bd5f352ba52b
SHA256

ab5ac2f957bb8b1f6a9091d6da58f1afb57a15553bad1434020f3ef26b1063af
SHA512

b2a7b1a6637fd974decb7c31362084c2ded234cec2301dfc5275b295802f98ac77c1e64c1eedaf9acce2168795b4f5cfc7da899734f57ef38bbcf688a295424b
SSDEEP

12288:nX7OBZwbZsAiaFyzppofiZu5+5urMBgkS9UOIK:mZw1B8zpYiw5wOMCkSuOIK

Score

10^/10

quasar office04 persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

192.168.0.35:6969

Mutex

QSR_MUTEX_A682BosRnRdjNjsQHf

Attributes

encryption_key
kmHPXJ9zDF9KCDBwlFlP
install_name
hello.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowStartup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2588-7-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

Processes:

hello.exehello.exe

pid process

4352 hello.exe
3872 hello.exe

pid	process
4352	hello.exe
3872	hello.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update Folder\\Windows Update.exe"	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

30 ip-api.com

flow	ioc
30	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exehello.exe

description	pid	process	target process
PID 2540 set thread context of 2588	2540	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
PID 4352 set thread context of 3872	4352	hello.exe	hello.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4780 schtasks.exe
4940 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe

pid process

2540 666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
2540 666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe

pid	process
4780	schtasks.exe
4940	schtasks.exe

pid	process
2540	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
2540	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exehello.exe

description	pid	process
Token: SeDebugPrivilege	2540	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
Token: SeDebugPrivilege	2588	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
Token: SeDebugPrivilege	3872	hello.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

hello.exe

pid process

3872 hello.exe

pid	process
3872	hello.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exehello.exehello.exe

description	pid	process	target process
PID 2540 wrote to memory of 116	2540	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
PID 2540 wrote to memory of 116	2540	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
PID 2540 wrote to memory of 116	2540	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
PID 2540 wrote to memory of 2588	2540	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
PID 2540 wrote to memory of 2588	2540	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
PID 2540 wrote to memory of 2588	2540	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
PID 2540 wrote to memory of 2588	2540	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
PID 2540 wrote to memory of 2588	2540	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
PID 2540 wrote to memory of 2588	2540	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
PID 2540 wrote to memory of 2588	2540	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
PID 2540 wrote to memory of 2588	2540	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
PID 2588 wrote to memory of 4780	2588	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	schtasks.exe
PID 2588 wrote to memory of 4780	2588	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	schtasks.exe
PID 2588 wrote to memory of 4780	2588	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	schtasks.exe
PID 2588 wrote to memory of 4352	2588	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	hello.exe
PID 2588 wrote to memory of 4352	2588	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	hello.exe
PID 2588 wrote to memory of 4352	2588	666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe	hello.exe
PID 4352 wrote to memory of 3872	4352	hello.exe	hello.exe
PID 4352 wrote to memory of 3872	4352	hello.exe	hello.exe
PID 4352 wrote to memory of 3872	4352	hello.exe	hello.exe
PID 4352 wrote to memory of 3872	4352	hello.exe	hello.exe
PID 4352 wrote to memory of 3872	4352	hello.exe	hello.exe
PID 4352 wrote to memory of 3872	4352	hello.exe	hello.exe
PID 4352 wrote to memory of 3872	4352	hello.exe	hello.exe
PID 4352 wrote to memory of 3872	4352	hello.exe	hello.exe
PID 3872 wrote to memory of 4940	3872	hello.exe	schtasks.exe
PID 3872 wrote to memory of 4940	3872	hello.exe	schtasks.exe
PID 3872 wrote to memory of 4940	3872	hello.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Local\Temp\666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe"
2⤵
PID:116

C:\Users\Admin\AppData\Local\Temp\666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "WindowStartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4780

C:\Users\Admin\AppData\Roaming\SubDir\hello.exe
"C:\Users\Admin\AppData\Roaming\SubDir\hello.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4352

C:\Users\Admin\AppData\Roaming\SubDir\hello.exe
"C:\Users\Admin\AppData\Roaming\SubDir\hello.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "WindowStartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\hello.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3756,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8
1⤵
PID:1120

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118.exe.log
Filesize
507B

MD5
fb442fe9c1c8bf5b9c592f3a47de9378

SHA1
7e750cd93798d9be6ba84c5611b705c92fc2e785

SHA256
73ab1def1d89e8a56ef5e99f46460901b40e5724d4b650885bfd8af03d2a4066

SHA512
cde0afc04934b89ed0c3de9729d1213f231b9d9ec2aebffc11a1f1287c24efbf12b1056cca1fab384f1d217c4ce73478e8dbb067612817e742c20db1430f946c

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\hello.exe
Filesize
604KB

MD5
666fbcded6f5f768d1c433710bdfb97a

SHA1
05f5c8ae533b83759c44563e4ec9bd5f352ba52b

SHA256
ab5ac2f957bb8b1f6a9091d6da58f1afb57a15553bad1434020f3ef26b1063af

SHA512
b2a7b1a6637fd974decb7c31362084c2ded234cec2301dfc5275b295802f98ac77c1e64c1eedaf9acce2168795b4f5cfc7da899734f57ef38bbcf688a295424b

Download Submit
memory/2540-0-0x000000007481E000-0x000000007481F000-memory.dmp

Filesize
4KB

Download
memory/2540-1-0x0000000000260000-0x00000000002FC000-memory.dmp

Filesize
624KB

Download
memory/2540-2-0x00000000051C0000-0x0000000005764000-memory.dmp

Filesize
5.6MB

Download
memory/2540-3-0x0000000004CB0000-0x0000000004D42000-memory.dmp

Filesize
584KB

Download
memory/2540-4-0x0000000005110000-0x00000000051AC000-memory.dmp

Filesize
624KB

Download
memory/2540-6-0x0000000005080000-0x000000000508A000-memory.dmp

Filesize
40KB

Download
memory/2540-30-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/2540-10-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/2588-12-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/2588-13-0x0000000004E50000-0x0000000004EB6000-memory.dmp

Filesize
408KB

Download
memory/2588-14-0x0000000005B70000-0x0000000005B82000-memory.dmp

Filesize
72KB

Download
memory/2588-15-0x00000000061F0000-0x000000000622C000-memory.dmp

Filesize
240KB

Download
memory/2588-11-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/2588-22-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/2588-7-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3872-29-0x0000000006BB0000-0x0000000006BBA000-memory.dmp

Filesize
40KB

Download
memory/4352-21-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4352-27-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads