Overview

overview

10

Static

static

3

8c48c8c45d...18.exe

windows7-x64

10

8c48c8c45d...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118

  • Size

    718KB

  • Sample

    240602-ak621acf42

  • MD5

    8c48c8c45d7f3bdd3c888a1c75fa9b27

  • SHA1

    1d212ea492feb0c4695745d51ac0ac2e9fb7b2b5

  • SHA256

    9aab35f222f2953738e83432940f14af4e12e72a741f80fa5dec7d0197ed6e7a

  • SHA512

    f2a4a77bdb4a3ce39eda27121dfe01f71f91cd3d89b52098c71140fa89b3b89259a9c5e3323953ac332d42af2df1ef0eebe9801a25749b4965bf635c1a841deb

  • SSDEEP

    12288:XEv8FVujUpVTWgThfJ614X5p/iYHI0Oq8M0oko8ZiFhDF8KSpTTj/XL817n3WGhs:XEEbuQ9WmD1HITPTnXL81LDhhWeOqJEx

Score
10/10
quasarsvchostspywaretrojanupx

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

svchost

C2

scvhosts.duckdns.org:1604

Mutex

QSR_MUTEX_InsAUB54MmLlzTys9a

Attributes
  • encryption_key

    pOXtQTNjkHXEe8G4lu1f

  • install_name

    svchost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Svchost

  • subdirectory

    svchost

Targets

    • Target

      8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118

    • Size

      718KB

    • MD5

      8c48c8c45d7f3bdd3c888a1c75fa9b27

    • SHA1

      1d212ea492feb0c4695745d51ac0ac2e9fb7b2b5

    • SHA256

      9aab35f222f2953738e83432940f14af4e12e72a741f80fa5dec7d0197ed6e7a

    • SHA512

      f2a4a77bdb4a3ce39eda27121dfe01f71f91cd3d89b52098c71140fa89b3b89259a9c5e3323953ac332d42af2df1ef0eebe9801a25749b4965bf635c1a841deb

    • SSDEEP

      12288:XEv8FVujUpVTWgThfJ614X5p/iYHI0Oq8M0oko8ZiFhDF8KSpTTj/XL817n3WGhs:XEEbuQ9WmD1HITPTnXL81LDhhWeOqJEx

    Score
    10/10
    quasarsvchostspywaretrojanupx

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks