quasar | 4be89ac76b9b5d45730a1c7fd1c23b9270c7e3f11e997608f13fe4ca7236bb95

Analysis

max time kernel
23s
max time network
74s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c59b700c7a1b43a2b8abfe9be0114d6_JaffaCakes118.exe
Size

866KB
MD5

5c59b700c7a1b43a2b8abfe9be0114d6
SHA1

38466b8599e1776fd34bc89462dd9d7842165698
SHA256

4be89ac76b9b5d45730a1c7fd1c23b9270c7e3f11e997608f13fe4ca7236bb95
SHA512

9284e40b93b9906c956dccd32cb5f00acef958ff889386dad95da53104bce926160aee8511058c9732d7d86728e8d4a23d96fcb0da7b781c25f85df5a7a1eced
SSDEEP

12288:tRZ+IoG/n9IQxW3OBse97Ium28XSeMIbI/+hl08NsZVsbbcd5e4JRRoEYmPxtovb:l2G/nvxW3WdZQ+Tm4W6HuERbum01t

Score

10^/10

quasar emv spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

EMV

manoftheyear-58512.portmap.io:58512

Mutex

QSR_MUTEX_OiWYJuvLVGz4wDjmfv

Attributes

encryption_key
0oQZGEIAu1YEgqvO30Bu
install_name
javaupdater.exe
log_directory
Logs
reconnect_delay
3000
startup_key
javaupdater
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00080000000177da-24.dat	family_quasar
behavioral1/memory/2856-32-0x0000000000350000-0x00000000003AE000-memory.dmp	family_quasar
behavioral1/memory/2616-40-0x0000000000F20000-0x0000000000F7E000-memory.dmp	family_quasar

Executes dropped EXE 4 IoCs

pid	Process
2780	emvstudio.sfx.exe
2856	emvstudio.exe
2616	javaupdater.exe
2148	javaupdater.exe

Loads dropped DLL 7 IoCs

pid	Process
2856	emvstudio.exe
1880	WerFault.exe
1880	WerFault.exe
1880	WerFault.exe
1880	WerFault.exe
1880	WerFault.exe
1296	cmd.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1880	2616	WerFault.exe	37

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2948	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2160	schtasks.exe
2572	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	emvstudio.exe
Token: SeDebugPrivilege	2616	javaupdater.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2616	javaupdater.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 2776	624	5c59b700c7a1b43a2b8abfe9be0114d6_JaffaCakes118.exe	30
PID 624 wrote to memory of 2776	624	5c59b700c7a1b43a2b8abfe9be0114d6_JaffaCakes118.exe	30
PID 624 wrote to memory of 2776	624	5c59b700c7a1b43a2b8abfe9be0114d6_JaffaCakes118.exe	30
PID 624 wrote to memory of 2776	624	5c59b700c7a1b43a2b8abfe9be0114d6_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2780	2776	cmd.exe	32
PID 2776 wrote to memory of 2780	2776	cmd.exe	32
PID 2776 wrote to memory of 2780	2776	cmd.exe	32
PID 2776 wrote to memory of 2780	2776	cmd.exe	32
PID 2780 wrote to memory of 2856	2780	emvstudio.sfx.exe	33
PID 2780 wrote to memory of 2856	2780	emvstudio.sfx.exe	33
PID 2780 wrote to memory of 2856	2780	emvstudio.sfx.exe	33
PID 2780 wrote to memory of 2856	2780	emvstudio.sfx.exe	33
PID 2856 wrote to memory of 2160	2856	emvstudio.exe	35
PID 2856 wrote to memory of 2160	2856	emvstudio.exe	35
PID 2856 wrote to memory of 2160	2856	emvstudio.exe	35
PID 2856 wrote to memory of 2160	2856	emvstudio.exe	35
PID 2856 wrote to memory of 2616	2856	emvstudio.exe	37
PID 2856 wrote to memory of 2616	2856	emvstudio.exe	37
PID 2856 wrote to memory of 2616	2856	emvstudio.exe	37
PID 2856 wrote to memory of 2616	2856	emvstudio.exe	37
PID 2856 wrote to memory of 2616	2856	emvstudio.exe	37
PID 2856 wrote to memory of 2616	2856	emvstudio.exe	37
PID 2856 wrote to memory of 2616	2856	emvstudio.exe	37
PID 2616 wrote to memory of 2572	2616	javaupdater.exe	38
PID 2616 wrote to memory of 2572	2616	javaupdater.exe	38
PID 2616 wrote to memory of 2572	2616	javaupdater.exe	38
PID 2616 wrote to memory of 2572	2616	javaupdater.exe	38
PID 2616 wrote to memory of 1296	2616	javaupdater.exe	40
PID 2616 wrote to memory of 1296	2616	javaupdater.exe	40
PID 2616 wrote to memory of 1296	2616	javaupdater.exe	40
PID 2616 wrote to memory of 1296	2616	javaupdater.exe	40
PID 2616 wrote to memory of 1880	2616	javaupdater.exe	42
PID 2616 wrote to memory of 1880	2616	javaupdater.exe	42
PID 2616 wrote to memory of 1880	2616	javaupdater.exe	42
PID 2616 wrote to memory of 1880	2616	javaupdater.exe	42
PID 1296 wrote to memory of 332	1296	cmd.exe	43
PID 1296 wrote to memory of 332	1296	cmd.exe	43
PID 1296 wrote to memory of 332	1296	cmd.exe	43
PID 1296 wrote to memory of 332	1296	cmd.exe	43
PID 1296 wrote to memory of 2948	1296	cmd.exe	44
PID 1296 wrote to memory of 2948	1296	cmd.exe	44
PID 1296 wrote to memory of 2948	1296	cmd.exe	44
PID 1296 wrote to memory of 2948	1296	cmd.exe	44
PID 1296 wrote to memory of 2148	1296	cmd.exe	45
PID 1296 wrote to memory of 2148	1296	cmd.exe	45
PID 1296 wrote to memory of 2148	1296	cmd.exe	45
PID 1296 wrote to memory of 2148	1296	cmd.exe	45
PID 1296 wrote to memory of 2148	1296	cmd.exe	45
PID 1296 wrote to memory of 2148	1296	cmd.exe	45
PID 1296 wrote to memory of 2148	1296	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\5c59b700c7a1b43a2b8abfe9be0114d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5c59b700c7a1b43a2b8abfe9be0114d6_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\emvstudio.sfx.exe
    emvstudio.sfx.exe -p123 -dc:\
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\emvstudio.exe
      "C:\emvstudio.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "javaupdater" /sc ONLOGON /tr "C:\emvstudio.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2160
    - - C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2616
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "javaupdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2572
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CDy8BuHs2oKn.bat" "
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:332
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:2948
        
        C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe"
        7⤵
        Executes dropped EXE
        
        PID:2148
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 1488
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1.bat

Filesize
29B

MD5
07eb59abff55bf3dc69e7bac86101bb4

SHA1
62d6ef99f8670ed5b7d5e303ed56cc75e53bf778

SHA256
9b02897fd3ae01ea3308243ba60d7418f5bcb91694e68ed1c445d140ee311f22

SHA512
14e0f42bc147425377df5cc1d9378f2bdae80ddb38b4e47993716033ff7e925d75f2b381ea5e2f09a2b3fb40c6b48f9466660df9d010f8030f496c9b08732ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CDy8BuHs2oKn.bat

Filesize
212B

MD5
82a6e32e805147b4717912db295640ad

SHA1
c64f4d1605c63fb8760d8c17ab08e92636313304

SHA256
4c76bbf03060d2948fccacb4a9e12022815799314cc5e4d1445e0e6334047221

SHA512
f1087185eb0a72c7fa7b269e009f1a5666449ebb76de8b81c655ab844c11de7df247c0ce2331dbd3dfda30deca0051dd3c79dc66f45579209323cc3dd2a71c6d

Download Submit
C:\emvstudio.exe

Filesize
347KB

MD5
f8c316c51d682b0d3285915c331db8c9

SHA1
78ebd0d34009d0093846f0d1abdc17f63984c99c

SHA256
e10b5ae07ddbf7e905afd77a5cfb4c85f5d3dcda3badba0214e36680c411974c

SHA512
08ada00d0b02805c7f81652a1ce4c2f2fa9d8920953afd74b34e976204e3419249d1be7acc6ca859ab988dc20c6b1df216c0ebd232eedc53e53e4191ed25de8e

Download Submit
C:\emvstudio.sfx.exe

Filesize
476KB

MD5
6ed4536f971c072f89d07b72a420bb0e

SHA1
6d2717fffcb247ef00d4b7870bcb174a754c0907

SHA256
8f9f39eb54739a856e1295c8756bddf88ab35eda48038c3ae6d86fbd3965a41d

SHA512
df8f7e6eb967999199f0c7b4b030dc3e414d8aef9fadaf7a0ef312ae22fd0681ac5cd0184230e24c9166ada3c41e0cf9644bd91d376a0eb4f4c33e7de2b3f748

Download Submit
memory/2616-40-0x0000000000F20000-0x0000000000F7E000-memory.dmp

Filesize
376KB

Download
memory/2856-32-0x0000000000350000-0x00000000003AE000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads