Extracted

• • Target

    ad7376353773464755502b50dea5fabd_JaffaCakes118

  • Size

    2.6MB

  • MD5

    ad7376353773464755502b50dea5fabd

  • SHA1

    0d9d5e10885659ec3925db9cfb17cadf20e1293c

  • SHA256

    6f3e7496171fc07feb0c1dfecf7d6bb367c15836acb5571b2f9fc4f980db2a32

  • SHA512

    036e68309853dd2793bd95246243e85125c12bbb093a6572df8ff35b0ea189b81b44aa25f852432b40e393ede014bb6b7d25ef5df826fe30d642b609e7096afe

  • SSDEEP

    49152:UWSaaeEQcNm036hvpmIXUXg2z1qRJKvYG8OlA82MNg9/Et:NSaaeExE0ERUwe1aJKQhuND

  Score

  10^/10

  quasarpcbootkitdiscoveryevasionpersistencespywaretrojan

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar family

    quasar

  • Quasar payload

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Checks whether UAC is enabled

    evasiontrojan

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2