quasar | 12415ec74ab9a1facbbda22b5618d4aaed954a880f7db45406060f2f252a015f

General

Target

8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe
Size

2.2MB
MD5

8aa12cb7cad072737aa9541b636a68bb
SHA1

45b5e9bfda12f5de1338ca330b08132317684737
SHA256

12415ec74ab9a1facbbda22b5618d4aaed954a880f7db45406060f2f252a015f
SHA512

fca92073ee608b8233fa26079a5f55b5b4b118a48029b943987037cea7302806eb2bb601f8ff5e3715e3d46ca5f27941667c241148314b194eedfc2dd7bb96c8
SSDEEP

49152:gz9oY5v/t14EmN0v8X4NbyhXers4a5ppHdKoCgzSZp6UzsGre245snxNX99AeP:KB5Hf4EmN0UXvia5vHcDgzSfB7iT0x

Score

10^/10

quasar office04 spyware trojan vmprotect

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

31.200.226.140:4782

Mutex

QSR_MUTEX_2PSnv6ikiCGVKIYz02

Attributes

encryption_key
YGysf4cKdIIApRvwDlWm
install_name
svchot.exe
log_directory
Logss
reconnect_delay
3000
startup_key
Microsoft Update
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\@0B.exe	family_quasar
behavioral1/memory/2976-17-0x00000000011A0000-0x00000000011FE000-memory.dmp	family_quasar
behavioral1/memory/2468-41-0x0000000000AB0000-0x0000000000B0E000-memory.dmp	family_quasar

Executes dropped EXE 3 IoCs

Processes:

jesuscry.exe@0B.exesvchot.exe

pid process

1524 jesuscry.exe
2976 @0B.exe
2468 svchot.exe
Loads dropped DLL 3 IoCs

Processes:

8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe@0B.exe

pid process

2240 8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe
2240 8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe
2976 @0B.exe

pid	process
1524	jesuscry.exe
2976	@0B.exe
2468	svchot.exe

pid	process
2240	8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe
2240	8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe
2976	@0B.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\jesuscry.exe	vmprotect
behavioral1/memory/1524-33-0x0000000000010000-0x00000000003F3000-memory.dmp	vmprotect
behavioral1/memory/1524-30-0x0000000000010000-0x00000000003F3000-memory.dmp	vmprotect
behavioral1/memory/1524-44-0x0000000000010000-0x00000000003F3000-memory.dmp	vmprotect

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

jesuscry.exe

pid process

1524 jesuscry.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2676 schtasks.exe
1892 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

jesuscry.exe

pid process

1524 jesuscry.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

@0B.exesvchot.exe

description pid process

Token: SeDebugPrivilege 2976 @0B.exe
Token: SeDebugPrivilege 2468 svchot.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchot.exe

pid process

2468 svchot.exe

flow	ioc
2	ip-api.com

pid	process
1524	jesuscry.exe

pid	process
2676	schtasks.exe
1892	schtasks.exe

pid	process
1524	jesuscry.exe

description	pid	process
Token: SeDebugPrivilege	2976	@0B.exe
Token: SeDebugPrivilege	2468	svchot.exe

pid	process
2468	svchot.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe@0B.exesvchot.exe

description	pid	process	target process
PID 2240 wrote to memory of 1524	2240	8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe	jesuscry.exe
PID 2240 wrote to memory of 1524	2240	8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe	jesuscry.exe
PID 2240 wrote to memory of 1524	2240	8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe	jesuscry.exe
PID 2240 wrote to memory of 1524	2240	8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe	jesuscry.exe
PID 2240 wrote to memory of 2976	2240	8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe	@0B.exe
PID 2240 wrote to memory of 2976	2240	8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe	@0B.exe
PID 2240 wrote to memory of 2976	2240	8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe	@0B.exe
PID 2240 wrote to memory of 2976	2240	8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe	@0B.exe
PID 2976 wrote to memory of 2676	2976	@0B.exe	schtasks.exe
PID 2976 wrote to memory of 2676	2976	@0B.exe	schtasks.exe
PID 2976 wrote to memory of 2676	2976	@0B.exe	schtasks.exe
PID 2976 wrote to memory of 2676	2976	@0B.exe	schtasks.exe
PID 2976 wrote to memory of 2468	2976	@0B.exe	svchot.exe
PID 2976 wrote to memory of 2468	2976	@0B.exe	svchot.exe
PID 2976 wrote to memory of 2468	2976	@0B.exe	svchot.exe
PID 2976 wrote to memory of 2468	2976	@0B.exe	svchot.exe
PID 2468 wrote to memory of 1892	2468	svchot.exe	schtasks.exe
PID 2468 wrote to memory of 1892	2468	svchot.exe	schtasks.exe
PID 2468 wrote to memory of 1892	2468	svchot.exe	schtasks.exe
PID 2468 wrote to memory of 1892	2468	svchot.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240

C:\Users\Admin\AppData\Local\Temp\jesuscry.exe
"C:\Users\Admin\AppData\Local\Temp\jesuscry.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1524

C:\Users\Admin\AppData\Local\Temp\@0B.exe
"C:\Users\Admin\AppData\Local\Temp\@0B.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Microsoft Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\@0B.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2676

C:\Users\Admin\AppData\Roaming\SubDir\svchot.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchot.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Microsoft Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchot.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1892

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@0B.exe
Filesize
348KB

MD5
5ffeb1548caabe3c3bbf57449f160c08

SHA1
a42dd71c1b15eab4e0057ce7a46cbd1a8497a842

SHA256
1df5a83f7e23bf5302497d0486d71f2f401dcebb8e82a1e576677568bf3742a2

SHA512
7715cf5662e85ef4de108eae18b08bc96a14a3208567ed805691f34ccf0702a14bd41ded171c41098b4ac2d10d8f9808ee25651f0f728a9a4be4232a600ac268

Download Submit
\Users\Admin\AppData\Local\Temp\jesuscry.exe
Filesize
2.0MB

MD5
a1335432e7cd02e45ba2915849515736

SHA1
6d8fc3dd2509d0d5949e9459632a6692a11f44bf

SHA256
234c179d48175a46ed8985db10c4fed719c5c1f038ce60085b08869dcb393c66

SHA512
0f4f568e78d1476786b9382fac47c86b1f3eba463b86caa8fdac6da9a326e010f133044480309d61763e137bf21f87809ccd65aa820cf2b55935904641ae7daa

Download Submit
memory/1524-27-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1524-25-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1524-19-0x0000000000011000-0x0000000000032000-memory.dmp

Filesize
132KB

Download
memory/1524-33-0x0000000000010000-0x00000000003F3000-memory.dmp

Filesize
3.9MB

Download
memory/1524-30-0x0000000000010000-0x00000000003F3000-memory.dmp

Filesize
3.9MB

Download
memory/1524-29-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1524-44-0x0000000000010000-0x00000000003F3000-memory.dmp

Filesize
3.9MB

Download
memory/1524-20-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1524-24-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1524-22-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2468-41-0x0000000000AB0000-0x0000000000B0E000-memory.dmp

Filesize
376KB

Download
memory/2976-17-0x00000000011A0000-0x00000000011FE000-memory.dmp

Filesize
376KB

Download
memory/2976-18-0x0000000073E60000-0x000000007454E000-memory.dmp

Filesize
6.9MB

Download
memory/2976-42-0x0000000073E60000-0x000000007454E000-memory.dmp

Filesize
6.9MB

Download
memory/2976-16-0x0000000073E6E000-0x0000000073E6F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads