quasar | 53e3ef743e60a3c4b56e9184d4262918e69ea64e9642aead36eab8b6771f0e4a

General

Target

90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exe
Size

477KB
MD5

90bced8d18a24d6d148eb5225c66760e
SHA1

4feba0e911d90cfc1467907c09a0f7ce89e184e2
SHA256

53e3ef743e60a3c4b56e9184d4262918e69ea64e9642aead36eab8b6771f0e4a
SHA512

8ff7b113eb6140906f0220c22930e70f6cd14e219bb3d8f5ff0e75d0f33b262e9ecd05316ece994561870aa7c140b83cd91146ef12c1dddfb6afd1f8d0230583
SSDEEP

12288:+VVVibrHQHGvLvB1eUmWAP7r9r/+ppppppppppppppppppppppppppppp0GO:+ZibrHxzO1qO

Score

10^/10

quasar mamaup spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

MAMAup

C2

eyasdz.ddns.net:1052

Mutex

QSR_MUTEX_FjemAK95X9OiydAcHT

Attributes

encryption_key
l1K4RtgBHYiqfNoqq3QV
install_name
microcp.exe
log_directory
wincps
reconnect_delay
3000
startup_key
wincp
subdirectory
MicrosoftCP

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2824-2-0x00000000006E0000-0x0000000000770000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

Processes:

microcp.exemicrocp.exe

pid process

2792 microcp.exe
1032 microcp.exe
Loads dropped DLL 6 IoCs

Processes:

90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exeWerFault.exe

pid process

2824 90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exe
2952 WerFault.exe
2952 WerFault.exe
2952 WerFault.exe
2952 WerFault.exe
2952 WerFault.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2952 2792 WerFault.exe microcp.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2644 schtasks.exe
2688 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

548 PING.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exemicrocp.exe

description pid process

Token: SeDebugPrivilege 2824 90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exe
Token: SeDebugPrivilege 2792 microcp.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

microcp.exe

pid process

2792 microcp.exe

pid	process
2792	microcp.exe
1032	microcp.exe

pid	process
2824	90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exe
2952	WerFault.exe
2952	WerFault.exe
2952	WerFault.exe
2952	WerFault.exe
2952	WerFault.exe

flow	ioc
2	ip-api.com

pid	pid_target	process	target process
2952	2792	WerFault.exe	microcp.exe

pid	process
2644	schtasks.exe
2688	schtasks.exe

pid	process
548	PING.EXE

description	pid	process
Token: SeDebugPrivilege	2824	90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exe
Token: SeDebugPrivilege	2792	microcp.exe

pid	process
2792	microcp.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exemicrocp.execmd.exe

description	pid	process	target process
PID 2824 wrote to memory of 2644	2824	90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exe	schtasks.exe
PID 2824 wrote to memory of 2644	2824	90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exe	schtasks.exe
PID 2824 wrote to memory of 2644	2824	90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exe	schtasks.exe
PID 2824 wrote to memory of 2644	2824	90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exe	schtasks.exe
PID 2824 wrote to memory of 2792	2824	90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exe	microcp.exe
PID 2824 wrote to memory of 2792	2824	90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exe	microcp.exe
PID 2824 wrote to memory of 2792	2824	90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exe	microcp.exe
PID 2824 wrote to memory of 2792	2824	90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exe	microcp.exe
PID 2792 wrote to memory of 2688	2792	microcp.exe	schtasks.exe
PID 2792 wrote to memory of 2688	2792	microcp.exe	schtasks.exe
PID 2792 wrote to memory of 2688	2792	microcp.exe	schtasks.exe
PID 2792 wrote to memory of 2688	2792	microcp.exe	schtasks.exe
PID 2792 wrote to memory of 2028	2792	microcp.exe	cmd.exe
PID 2792 wrote to memory of 2028	2792	microcp.exe	cmd.exe
PID 2792 wrote to memory of 2028	2792	microcp.exe	cmd.exe
PID 2792 wrote to memory of 2028	2792	microcp.exe	cmd.exe
PID 2792 wrote to memory of 2952	2792	microcp.exe	WerFault.exe
PID 2792 wrote to memory of 2952	2792	microcp.exe	WerFault.exe
PID 2792 wrote to memory of 2952	2792	microcp.exe	WerFault.exe
PID 2792 wrote to memory of 2952	2792	microcp.exe	WerFault.exe
PID 2028 wrote to memory of 2136	2028	cmd.exe	chcp.com
PID 2028 wrote to memory of 2136	2028	cmd.exe	chcp.com
PID 2028 wrote to memory of 2136	2028	cmd.exe	chcp.com
PID 2028 wrote to memory of 2136	2028	cmd.exe	chcp.com
PID 2028 wrote to memory of 548	2028	cmd.exe	PING.EXE
PID 2028 wrote to memory of 548	2028	cmd.exe	PING.EXE
PID 2028 wrote to memory of 548	2028	cmd.exe	PING.EXE
PID 2028 wrote to memory of 548	2028	cmd.exe	PING.EXE
PID 2028 wrote to memory of 1032	2028	cmd.exe	microcp.exe
PID 2028 wrote to memory of 1032	2028	cmd.exe	microcp.exe
PID 2028 wrote to memory of 1032	2028	cmd.exe	microcp.exe
PID 2028 wrote to memory of 1032	2028	cmd.exe	microcp.exe

C:\Users\Admin\AppData\Local\Temp\90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "wincp" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2644

C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe
"C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "wincp" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2688

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bY9PSkmXnO5r.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:2136

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:548

C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe
"C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe"
4⤵
- Executes dropped EXE
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 1496
3⤵
- Loads dropped DLL
- Program crash
PID:2952

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bY9PSkmXnO5r.bat
Filesize
213B

MD5
a7ee070ce4746e422229e9bf7075f093

SHA1
123610e447f3773ffa408091667d43474f57be3c

SHA256
2be4fca6a570a07206e05711092cf7589293922e6b55bd5a5df0ee46a93e8cda

SHA512
b0c3664fc47c67477c49b1bafe6de11dfb0a0dd52672726f77282d8ae6312706cf067539fdcb9d411c74a27e494f60a2114aa11194283760abe8ec1c17449e25

Download Submit
\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe
Filesize
477KB

MD5
90bced8d18a24d6d148eb5225c66760e

SHA1
4feba0e911d90cfc1467907c09a0f7ce89e184e2

SHA256
53e3ef743e60a3c4b56e9184d4262918e69ea64e9642aead36eab8b6771f0e4a

SHA512
8ff7b113eb6140906f0220c22930e70f6cd14e219bb3d8f5ff0e75d0f33b262e9ecd05316ece994561870aa7c140b83cd91146ef12c1dddfb6afd1f8d0230583

Download Submit
memory/2792-12-0x0000000074480000-0x0000000074B6E000-memory.dmp

Filesize
6.9MB

Download
memory/2792-11-0x00000000013A0000-0x000000000141C000-memory.dmp

Filesize
496KB

Download
memory/2792-14-0x0000000074480000-0x0000000074B6E000-memory.dmp

Filesize
6.9MB

Download
memory/2792-31-0x0000000074480000-0x0000000074B6E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-0-0x000000007448E000-0x000000007448F000-memory.dmp

Filesize
4KB

Download
memory/2824-1-0x0000000000BC0000-0x0000000000C3C000-memory.dmp

Filesize
496KB

Download
memory/2824-2-0x00000000006E0000-0x0000000000770000-memory.dmp

Filesize
576KB

Download
memory/2824-3-0x0000000074480000-0x0000000074B6E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-13-0x0000000074480000-0x0000000074B6E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads