General

  • Target

    7f8c68dc83369e4da501359183e53a47_JaffaCakes118

  • Size

    564KB

  • Sample

    241030-rsa3zawqgr

  • MD5

    7f8c68dc83369e4da501359183e53a47

  • SHA1

    044502e7191827a44a580c7665d7a013141f2774

  • SHA256

    31515fe26432d74840a3aa9766db44364e2f9a06a1cd4669cd3ef9a6dbfb9e0d

  • SHA512

    3775b9c65e33ba017993b46c08662d36cf04d25fa051473e6c96a6a92f8550f2532da75f5cdda441ff36a64d75799e16e84cad281bd9cf801787428abd98e2ff

  • SSDEEP

    6144:l8wczx37qSmnAOSratYcoNlnR6p8xdrQRytGbuPc8p1r1Awywx5T4H0bMeo/s3O:l8wEp705q8Yc2lnuqFNhPrJV50Ue

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04w

C2

societyf500.ddns.net:5490

Mutex

f4264bdc-b486-4a30-a042-2bcfb907b3c7

Attributes

  • encryption_key

    0204DFA093E27B72F1617CCEA6076BCCE5D0A482

  • install_name

    dwmq.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    dwmq

  • subdirectory

    explorer

Targets

    • Quasar RAT

      Quasar is an open-source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
