quasar | 8860dd0f1793f1585f0862dad7c6c1aad2f6f20352620ffbd85acbec37274e65

General

Target

6f0e102a9b5a459f182e5b0501ab2315_JaffaCakes118.exe
Size

844KB
MD5

6f0e102a9b5a459f182e5b0501ab2315
SHA1

f121b12f1ee6d672ff1a44eb88fe4669ff8f308c
SHA256

8860dd0f1793f1585f0862dad7c6c1aad2f6f20352620ffbd85acbec37274e65
SHA512

773fae77ebf65ae8c44cfd122047c693b2da95af5456a4e9f72bbc85e17fabc37200e96fc793c30dee871048769501fe9b01bbf4b338a515cc5fd526316c5047
SSDEEP

24576:aSW6SIhZbWsv+6szFB8hxe9KXGIY2rT9UmViIGS/SJOqLc9:a9aMfHD9KXd7rTWC/MOqLc9

Score

10^/10

quasar qua2 spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

qua2

C2

79.134.225.77:1973

Mutex

QSR_MUTEX_rVn0OUE8f1tzJgSd1f

Attributes

encryption_key
lOSR71Cu22ACEpzOi042
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2368-42-0x00000000004D0000-0x000000000052E000-memory.dmp	family_quasar
behavioral1/memory/2368-43-0x0000000000400000-0x00000000004C9000-memory.dmp	family_quasar
behavioral1/memory/2368-41-0x00000000004D0000-0x000000000052E000-memory.dmp	family_quasar
behavioral1/memory/2368-40-0x0000000000400000-0x00000000004C9000-memory.dmp	family_quasar
behavioral1/memory/2368-39-0x0000000000400000-0x00000000004C9000-memory.dmp	family_quasar
behavioral1/memory/2368-54-0x0000000000400000-0x00000000004C9000-memory.dmp	family_quasar
behavioral1/memory/2368-55-0x0000000000400000-0x00000000004C9000-memory.dmp	family_quasar

Drops startup file 1 IoCs

Processes:

notepad.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CvbgfQ.vbs notepad.exe
Executes dropped EXE 2 IoCs

Processes:

SQdfgh5f.exeSQdfgh5f.exe

pid process

2476 SQdfgh5f.exe
2368 SQdfgh5f.exe
Loads dropped DLL 2 IoCs

Processes:

notepad.exe

pid process

2740 notepad.exe
2740 notepad.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CvbgfQ.vbs	notepad.exe

pid	process
2476	SQdfgh5f.exe
2368	SQdfgh5f.exe

pid	process
2740	notepad.exe
2740	notepad.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2368-37-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2368-43-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2368-40-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2368-39-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2368-34-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

SQdfgh5f.exe

description pid process target process

PID 2476 set thread context of 2368 2476 SQdfgh5f.exe SQdfgh5f.exe
NTFS ADS 1 IoCs

Processes:

notepad.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\AsdfgQ\SQdfgh5f.exe:ZoneIdentifier notepad.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6f0e102a9b5a459f182e5b0501ab2315_JaffaCakes118.exeSQdfgh5f.exe

pid process

3000 6f0e102a9b5a459f182e5b0501ab2315_JaffaCakes118.exe
2476 SQdfgh5f.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

SQdfgh5f.exe

pid process

2476 SQdfgh5f.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SQdfgh5f.exe

description pid process

Token: SeDebugPrivilege 2368 SQdfgh5f.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SQdfgh5f.exe

pid process

2368 SQdfgh5f.exe

flow	ioc
2	ip-api.com

description	pid	process	target process
PID 2476 set thread context of 2368	2476	SQdfgh5f.exe	SQdfgh5f.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\AsdfgQ\SQdfgh5f.exe:ZoneIdentifier	notepad.exe

pid	process
3000	6f0e102a9b5a459f182e5b0501ab2315_JaffaCakes118.exe
2476	SQdfgh5f.exe

pid	process
2476	SQdfgh5f.exe

description	pid	process
Token: SeDebugPrivilege	2368	SQdfgh5f.exe

pid	process
2368	SQdfgh5f.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

6f0e102a9b5a459f182e5b0501ab2315_JaffaCakes118.exenotepad.exeSQdfgh5f.exe

description	pid	process	target process
PID 3000 wrote to memory of 2740	3000	6f0e102a9b5a459f182e5b0501ab2315_JaffaCakes118.exe	notepad.exe
PID 3000 wrote to memory of 2740	3000	6f0e102a9b5a459f182e5b0501ab2315_JaffaCakes118.exe	notepad.exe
PID 3000 wrote to memory of 2740	3000	6f0e102a9b5a459f182e5b0501ab2315_JaffaCakes118.exe	notepad.exe
PID 3000 wrote to memory of 2740	3000	6f0e102a9b5a459f182e5b0501ab2315_JaffaCakes118.exe	notepad.exe
PID 3000 wrote to memory of 2740	3000	6f0e102a9b5a459f182e5b0501ab2315_JaffaCakes118.exe	notepad.exe
PID 3000 wrote to memory of 2740	3000	6f0e102a9b5a459f182e5b0501ab2315_JaffaCakes118.exe	notepad.exe
PID 2740 wrote to memory of 2476	2740	notepad.exe	SQdfgh5f.exe
PID 2740 wrote to memory of 2476	2740	notepad.exe	SQdfgh5f.exe
PID 2740 wrote to memory of 2476	2740	notepad.exe	SQdfgh5f.exe
PID 2740 wrote to memory of 2476	2740	notepad.exe	SQdfgh5f.exe
PID 2476 wrote to memory of 2368	2476	SQdfgh5f.exe	SQdfgh5f.exe
PID 2476 wrote to memory of 2368	2476	SQdfgh5f.exe	SQdfgh5f.exe
PID 2476 wrote to memory of 2368	2476	SQdfgh5f.exe	SQdfgh5f.exe
PID 2476 wrote to memory of 2368	2476	SQdfgh5f.exe	SQdfgh5f.exe

C:\Users\Admin\AppData\Local\Temp\6f0e102a9b5a459f182e5b0501ab2315_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6f0e102a9b5a459f182e5b0501ab2315_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
2⤵
- Drops startup file
- Loads dropped DLL
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2740

C:\Users\Admin\AppData\Roaming\AsdfgQ\SQdfgh5f.exe
"C:\Users\Admin\AppData\Roaming\AsdfgQ\SQdfgh5f.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2476

C:\Users\Admin\AppData\Roaming\AsdfgQ\SQdfgh5f.exe
"C:\Users\Admin\AppData\Roaming\AsdfgQ\SQdfgh5f.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\AsdfgQ\SQdfgh5f.exe
Filesize
844KB

MD5
6f0e102a9b5a459f182e5b0501ab2315

SHA1
f121b12f1ee6d672ff1a44eb88fe4669ff8f308c

SHA256
8860dd0f1793f1585f0862dad7c6c1aad2f6f20352620ffbd85acbec37274e65

SHA512
773fae77ebf65ae8c44cfd122047c693b2da95af5456a4e9f72bbc85e17fabc37200e96fc793c30dee871048769501fe9b01bbf4b338a515cc5fd526316c5047

Download Submit
memory/2368-37-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2368-55-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2368-54-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2368-34-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2368-39-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2368-40-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2368-41-0x00000000004D0000-0x000000000052E000-memory.dmp

Filesize
376KB

Download
memory/2368-43-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2368-42-0x00000000004D0000-0x000000000052E000-memory.dmp

Filesize
376KB

Download
memory/2476-27-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2476-29-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2476-26-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2476-23-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2740-12-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2740-9-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/3000-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3000-4-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3000-3-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/3000-2-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/3000-1-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads