General

  • Target

    5c59b700c7a1b43a2b8abfe9be0114d6_JaffaCakes118

  • Size

    866KB

  • Sample

    240719-rw9qpswbrj

  • MD5

    5c59b700c7a1b43a2b8abfe9be0114d6

  • SHA1

    38466b8599e1776fd34bc89462dd9d7842165698

  • SHA256

    4be89ac76b9b5d45730a1c7fd1c23b9270c7e3f11e997608f13fe4ca7236bb95

  • SHA512

    9284e40b93b9906c956dccd32cb5f00acef958ff889386dad95da53104bce926160aee8511058c9732d7d86728e8d4a23d96fcb0da7b781c25f85df5a7a1eced

  • SSDEEP

    12288:tRZ+IoG/n9IQxW3OBse97Ium28XSeMIbI/+hl08NsZVsbbcd5e4JRRoEYmPxtovb:l2G/nvxW3WdZQ+Tm4W6HuERbum01t

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

EMV

C2

manoftheyear-58512.portmap.io:58512

Mutex

QSR_MUTEX_OiWYJuvLVGz4wDjmfv

Attributes

  • encryption_key

    0oQZGEIAu1YEgqvO30Bu

  • install_name

    javaupdater.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    javaupdater

  • subdirectory

    SubDir

Targets

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks