quasar | 12415ec74ab9a1facbbda22b5618d4aaed954a880f7db45406060f2f252a015f

General

Target

8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe
Size

2.2MB
MD5

8aa12cb7cad072737aa9541b636a68bb
SHA1

45b5e9bfda12f5de1338ca330b08132317684737
SHA256

12415ec74ab9a1facbbda22b5618d4aaed954a880f7db45406060f2f252a015f
SHA512

fca92073ee608b8233fa26079a5f55b5b4b118a48029b943987037cea7302806eb2bb601f8ff5e3715e3d46ca5f27941667c241148314b194eedfc2dd7bb96c8
SSDEEP

49152:gz9oY5v/t14EmN0v8X4NbyhXers4a5ppHdKoCgzSZp6UzsGre245snxNX99AeP:KB5Hf4EmN0UXvia5vHcDgzSfB7iT0x

Score

10^/10

quasar office04 spyware trojan vmprotect

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

31.200.226.140:4782

Mutex

QSR_MUTEX_2PSnv6ikiCGVKIYz02

Attributes

encryption_key
YGysf4cKdIIApRvwDlWm
install_name
svchot.exe
log_directory
Logss
reconnect_delay
3000
startup_key
Microsoft Update
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\@0B.exe	family_quasar
behavioral2/memory/764-22-0x0000000000810000-0x000000000086E000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

Processes:

jesuscry.exe@0B.exesvchot.exe

pid process

4880 jesuscry.exe
764 @0B.exe
3932 svchot.exe

pid	process
4880	jesuscry.exe
764	@0B.exe
3932	svchot.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jesuscry.exe	vmprotect
behavioral2/memory/4880-27-0x00000000009A0000-0x0000000000D83000-memory.dmp	vmprotect
behavioral2/memory/4880-30-0x00000000009A0000-0x0000000000D83000-memory.dmp	vmprotect
behavioral2/memory/4880-33-0x00000000009A0000-0x0000000000D83000-memory.dmp	vmprotect

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

jesuscry.exe

pid process

4880 jesuscry.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3012 schtasks.exe
1376 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

jesuscry.exe

pid process

4880 jesuscry.exe
4880 jesuscry.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

@0B.exesvchot.exe

description pid process

Token: SeDebugPrivilege 764 @0B.exe
Token: SeDebugPrivilege 3932 svchot.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchot.exe

pid process

3932 svchot.exe

flow	ioc
9	ip-api.com

pid	process
4880	jesuscry.exe

pid	process
3012	schtasks.exe
1376	schtasks.exe

pid	process
4880	jesuscry.exe
4880	jesuscry.exe

description	pid	process
Token: SeDebugPrivilege	764	@0B.exe
Token: SeDebugPrivilege	3932	svchot.exe

pid	process
3932	svchot.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe@0B.exesvchot.exe

description	pid	process	target process
PID 3408 wrote to memory of 4880	3408	8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe	jesuscry.exe
PID 3408 wrote to memory of 4880	3408	8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe	jesuscry.exe
PID 3408 wrote to memory of 4880	3408	8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe	jesuscry.exe
PID 3408 wrote to memory of 764	3408	8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe	@0B.exe
PID 3408 wrote to memory of 764	3408	8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe	@0B.exe
PID 3408 wrote to memory of 764	3408	8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe	@0B.exe
PID 764 wrote to memory of 3012	764	@0B.exe	schtasks.exe
PID 764 wrote to memory of 3012	764	@0B.exe	schtasks.exe
PID 764 wrote to memory of 3012	764	@0B.exe	schtasks.exe
PID 764 wrote to memory of 3932	764	@0B.exe	svchot.exe
PID 764 wrote to memory of 3932	764	@0B.exe	svchot.exe
PID 764 wrote to memory of 3932	764	@0B.exe	svchot.exe
PID 3932 wrote to memory of 1376	3932	svchot.exe	schtasks.exe
PID 3932 wrote to memory of 1376	3932	svchot.exe	schtasks.exe
PID 3932 wrote to memory of 1376	3932	svchot.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3408

C:\Users\Admin\AppData\Local\Temp\jesuscry.exe
"C:\Users\Admin\AppData\Local\Temp\jesuscry.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4880

C:\Users\Admin\AppData\Local\Temp\@0B.exe
"C:\Users\Admin\AppData\Local\Temp\@0B.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Microsoft Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\@0B.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3012

C:\Users\Admin\AppData\Roaming\SubDir\svchot.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchot.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Microsoft Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchot.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1376

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@0B.exe
Filesize
348KB

MD5
5ffeb1548caabe3c3bbf57449f160c08

SHA1
a42dd71c1b15eab4e0057ce7a46cbd1a8497a842

SHA256
1df5a83f7e23bf5302497d0486d71f2f401dcebb8e82a1e576677568bf3742a2

SHA512
7715cf5662e85ef4de108eae18b08bc96a14a3208567ed805691f34ccf0702a14bd41ded171c41098b4ac2d10d8f9808ee25651f0f728a9a4be4232a600ac268

Download Submit
C:\Users\Admin\AppData\Local\Temp\jesuscry.exe
Filesize
2.0MB

MD5
a1335432e7cd02e45ba2915849515736

SHA1
6d8fc3dd2509d0d5949e9459632a6692a11f44bf

SHA256
234c179d48175a46ed8985db10c4fed719c5c1f038ce60085b08869dcb393c66

SHA512
0f4f568e78d1476786b9382fac47c86b1f3eba463b86caa8fdac6da9a326e010f133044480309d61763e137bf21f87809ccd65aa820cf2b55935904641ae7daa

Download Submit
memory/764-34-0x0000000005360000-0x00000000053C6000-memory.dmp

Filesize
408KB

Download
memory/764-21-0x0000000074DDE000-0x0000000074DDF000-memory.dmp

Filesize
4KB

Download
memory/764-22-0x0000000000810000-0x000000000086E000-memory.dmp

Filesize
376KB

Download
memory/764-23-0x0000000005870000-0x0000000005E14000-memory.dmp

Filesize
5.6MB

Download
memory/764-24-0x00000000052C0000-0x0000000005352000-memory.dmp

Filesize
584KB

Download
memory/764-25-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/764-43-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/764-36-0x00000000064E0000-0x000000000651C000-memory.dmp

Filesize
240KB

Download
memory/764-35-0x00000000057E0000-0x00000000057F2000-memory.dmp

Filesize
72KB

Download
memory/3932-45-0x0000000006530000-0x000000000653A000-memory.dmp

Filesize
40KB

Download
memory/4880-26-0x00000000009D3000-0x0000000000B97000-memory.dmp

Filesize
1.8MB

Download
memory/4880-28-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/4880-33-0x00000000009A0000-0x0000000000D83000-memory.dmp

Filesize
3.9MB

Download
memory/4880-29-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/4880-30-0x00000000009A0000-0x0000000000D83000-memory.dmp

Filesize
3.9MB

Download
memory/4880-27-0x00000000009A0000-0x0000000000D83000-memory.dmp

Filesize
3.9MB

Download
memory/4880-46-0x00000000009D3000-0x0000000000B97000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads