quasar | b42d3f4823819c1b7119774c52f89e62bfb6fec506e3530e681cf0ce0bc5557d

General

Target

95823524c56268909001597a81a398d5_JaffaCakes118.exe
Size

531KB
MD5

95823524c56268909001597a81a398d5
SHA1

f732527a57d11a9dd57b4b093144c60ffa38a173
SHA256

b42d3f4823819c1b7119774c52f89e62bfb6fec506e3530e681cf0ce0bc5557d
SHA512

75cf3848026d3d1589115471b3bacd96a378c36cc6991c51f292590998a2ed4df58fe0a0139cb34d1d9722a18c5f14af52f7412f57c67275f73062da1747449f
SSDEEP

6144:stlrXYao3Rvn9dYQ0kQiwwVoab4UYJI+OWjE:OpXvQ0kQF96Y6+xg

Score

10^/10

quasar usr spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

USR

C2

pv8stresser.xyz:45201

Mutex

yzyrfG0e0ojtGuJLLm

Attributes

encryption_key
0PxbjHekumnMpxMDOLOWYxcgvcGzNRtp
install_name
Client.exe
log_directory
Mozilla
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2748-1-0x00000000008D0000-0x000000000095C000-memory.dmp	family_quasar

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2784 2748 WerFault.exe 95823524c56268909001597a81a398d5_JaffaCakes118.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2644 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

95823524c56268909001597a81a398d5_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2748 95823524c56268909001597a81a398d5_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

95823524c56268909001597a81a398d5_JaffaCakes118.exe

pid process

2748 95823524c56268909001597a81a398d5_JaffaCakes118.exe

flow	ioc
2	ip-api.com

pid	pid_target	process	target process
2784	2748	WerFault.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe

pid	process
2644	PING.EXE

description	pid	process
Token: SeDebugPrivilege	2748	95823524c56268909001597a81a398d5_JaffaCakes118.exe

pid	process
2748	95823524c56268909001597a81a398d5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

95823524c56268909001597a81a398d5_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 2748 wrote to memory of 2744	2748	95823524c56268909001597a81a398d5_JaffaCakes118.exe	cmd.exe
PID 2748 wrote to memory of 2744	2748	95823524c56268909001597a81a398d5_JaffaCakes118.exe	cmd.exe
PID 2748 wrote to memory of 2744	2748	95823524c56268909001597a81a398d5_JaffaCakes118.exe	cmd.exe
PID 2748 wrote to memory of 2744	2748	95823524c56268909001597a81a398d5_JaffaCakes118.exe	cmd.exe
PID 2748 wrote to memory of 2784	2748	95823524c56268909001597a81a398d5_JaffaCakes118.exe	WerFault.exe
PID 2748 wrote to memory of 2784	2748	95823524c56268909001597a81a398d5_JaffaCakes118.exe	WerFault.exe
PID 2748 wrote to memory of 2784	2748	95823524c56268909001597a81a398d5_JaffaCakes118.exe	WerFault.exe
PID 2748 wrote to memory of 2784	2748	95823524c56268909001597a81a398d5_JaffaCakes118.exe	WerFault.exe
PID 2744 wrote to memory of 2704	2744	cmd.exe	chcp.com
PID 2744 wrote to memory of 2704	2744	cmd.exe	chcp.com
PID 2744 wrote to memory of 2704	2744	cmd.exe	chcp.com
PID 2744 wrote to memory of 2704	2744	cmd.exe	chcp.com
PID 2744 wrote to memory of 2644	2744	cmd.exe	PING.EXE
PID 2744 wrote to memory of 2644	2744	cmd.exe	PING.EXE
PID 2744 wrote to memory of 2644	2744	cmd.exe	PING.EXE
PID 2744 wrote to memory of 2644	2744	cmd.exe	PING.EXE
PID 2744 wrote to memory of 1880	2744	cmd.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
PID 2744 wrote to memory of 1880	2744	cmd.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
PID 2744 wrote to memory of 1880	2744	cmd.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe
PID 2744 wrote to memory of 1880	2744	cmd.exe	95823524c56268909001597a81a398d5_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Fx0vqMPz7b82.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:2704

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
3⤵
- Runs ping.exe
PID:2644

C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95823524c56268909001597a81a398d5_JaffaCakes118.exe"
3⤵
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 1432
2⤵
- Program crash
PID:2784

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Fx0vqMPz7b82.bat
Filesize
243B

MD5
778195c17b5ba6ca4fdd3ad6baf958f0

SHA1
4ff964559b1129a59b1635ec75b21a07d452aec5

SHA256
08dd4349a325a7a156809173b0284a2b3ea85e2331c0fa00d5d47b027bc679ec

SHA512
562cb368731998b302273cbbb9c3ce5e1dcabc12f978356e3a1bc71a1064198b05377afcf3b3533a50c3f668c271d5b71ac88489cbee207b9d516b5e05243c41

Download Submit
memory/2748-0-0x000000007403E000-0x000000007403F000-memory.dmp

Filesize
4KB

Download
memory/2748-1-0x00000000008D0000-0x000000000095C000-memory.dmp

Filesize
560KB

Download
memory/2748-2-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/2748-13-0x000000007403E000-0x000000007403F000-memory.dmp

Filesize
4KB

Download
memory/2748-14-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing