quasar | 723a593dc06b41d05ff387de35103e61c0a7d3c08cb935b8698a4f926e17b435

General

Target

b09a68a8eaba5733bc3360d2af861b11_JaffaCakes118.exe
Size

410KB
MD5

b09a68a8eaba5733bc3360d2af861b11
SHA1

e0798d19c3def61bffb06825386bdfe4843f0eb5
SHA256

723a593dc06b41d05ff387de35103e61c0a7d3c08cb935b8698a4f926e17b435
SHA512

c24d1edeb4e8e0ff89cab31c4f014688682afc3e858d5a59f8bb3e642270160a78816283c5d5fd2aa885c158b4efb3a0d3d6c01e5ff450085238522baa81d1cc
SSDEEP

6144:Bhnz0kWRGSiPJJXzQ8+9uzvVBiZglHS7peiE+RN3XIZPHlANZ4Go8NVZW5nrdZf2:IkWRL9sRlHqp9SlpGtZW5rdtQk8

Score

10^/10

quasar net discovery persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Net

C2

185.140.53.12:5050

Mutex

QSR_MUTEX_qThpUDzbQTJQxc6rvb

Attributes

encryption_key
Wbh6fP8OjxeH40BtVug7
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/4032-49-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	b09a68a8eaba5733bc3360d2af861b11_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
916	Xyhznc.exe
4716	Xyhznc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Aukqa = "C:\\Users\\Admin\\AppData\\Roaming\\Ynqebo\\Aukqa.url"	Xyhznc.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
46	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 916 set thread context of 4032	916	Xyhznc.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b09a68a8eaba5733bc3360d2af861b11_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Xyhznc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regasm.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
916	Xyhznc.exe
916	Xyhznc.exe
916	Xyhznc.exe
916	Xyhznc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	916	Xyhznc.exe
Token: SeDebugPrivilege	4032	regasm.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3708	b09a68a8eaba5733bc3360d2af861b11_JaffaCakes118.exe
3708	b09a68a8eaba5733bc3360d2af861b11_JaffaCakes118.exe
916	Xyhznc.exe
916	Xyhznc.exe
4032	regasm.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 916	3708	b09a68a8eaba5733bc3360d2af861b11_JaffaCakes118.exe	95
PID 3708 wrote to memory of 916	3708	b09a68a8eaba5733bc3360d2af861b11_JaffaCakes118.exe	95
PID 3708 wrote to memory of 916	3708	b09a68a8eaba5733bc3360d2af861b11_JaffaCakes118.exe	95
PID 916 wrote to memory of 4716	916	Xyhznc.exe	99
PID 916 wrote to memory of 4716	916	Xyhznc.exe	99
PID 916 wrote to memory of 4716	916	Xyhznc.exe	99
PID 916 wrote to memory of 4032	916	Xyhznc.exe	101
PID 916 wrote to memory of 4032	916	Xyhznc.exe	101
PID 916 wrote to memory of 4032	916	Xyhznc.exe	101
PID 916 wrote to memory of 4032	916	Xyhznc.exe	101
PID 916 wrote to memory of 4032	916	Xyhznc.exe	101
PID 916 wrote to memory of 4032	916	Xyhznc.exe	101
PID 916 wrote to memory of 4032	916	Xyhznc.exe	101
PID 916 wrote to memory of 4032	916	Xyhznc.exe	101

C:\Users\Admin\AppData\Local\Temp\b09a68a8eaba5733bc3360d2af861b11_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b09a68a8eaba5733bc3360d2af861b11_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Users\Admin\AppData\Roaming\Ynqebo\Xyhznc.exe
  "C:\Users\Admin\AppData\Roaming\Ynqebo\Xyhznc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Users\Admin\AppData\Roaming\Ynqebo\Xyhznc.exe
    "C:\Users\Admin\AppData\Roaming\Ynqebo\Xyhznc.exe"
    3⤵
    - Executes dropped EXE
    PID:4716
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\59D76868C250B3240414CE3EFBB12518_79A36C106B7AA4DC73C4413D796812C3

Filesize
471B

MD5
47f1eb598dce695ae85d77ebc232a938

SHA1
520908344b7a7ba6f8b11e7c223551136599e3e6

SHA256
854950bd0ab2123fc481ccee8a51e12b6ac64e29d54280d6df4202b6a695d598

SHA512
d0687c5803a24fb465b0f269e888ceb54a0e35f715e63548ff297b50168a4564ad16e3e7f0f5b4d4089995138ae0bf3f0ad20cebe3f7f5771cd380164ff9f84f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
74982cb40a222ec69cee2efda5a3890f

SHA1
b8c2b9baa07789334171236d976c55d94f95f7a8

SHA256
1089393ff6105c0fc3c34a562dd3d7c4fb6086b95b343e4a20bc114cff46d9a1

SHA512
52ed585ff6612564c5f46b6f396eca0cbfcf483b4bc5fdb9aae2fb909bb59e12ddbcffa64a1ad647e2d3a555ddd39437fd85f6c007ba6e8bf0600638867844d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\59D76868C250B3240414CE3EFBB12518_79A36C106B7AA4DC73C4413D796812C3

Filesize
400B

MD5
08e821e835f309fc1550876ff391087c

SHA1
47c70b15f66e70bae53fb727dbf73c9149bf3aa9

SHA256
f448b49f4d84d6c98ea0a3cff54c36750fd3d1e3ba7dc2faca4fbc5fe457eab8

SHA512
f3fce7771a8e095669641cff6df64a1b1370906de161971a9c90b684b808011577330778a78e07151e645aefa833215ed017a38174b9302e2726e9f8f680f0cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
f9cd9f0a2b2246fa11eb7bf6c27f8642

SHA1
7619e4078d99b1fa91ac6fc26f4ea7ea0c642bc5

SHA256
2c18b6c22c3d94f9d503e0b4a7575a254220f00e61279c0b21992c6330a8be06

SHA512
1843009f0afa578abf3ad8ba1d14abc8b29626ff2395de1e33435e87d696ec8294145ac4159497d691337d3d4c0e25fca5df14608cc785336d491c9825a49455

Download Submit
C:\Users\Admin\AppData\Roaming\Ynqebo\Xyhznc.exe

Filesize
410KB

MD5
b09a68a8eaba5733bc3360d2af861b11

SHA1
e0798d19c3def61bffb06825386bdfe4843f0eb5

SHA256
723a593dc06b41d05ff387de35103e61c0a7d3c08cb935b8698a4f926e17b435

SHA512
c24d1edeb4e8e0ff89cab31c4f014688682afc3e858d5a59f8bb3e642270160a78816283c5d5fd2aa885c158b4efb3a0d3d6c01e5ff450085238522baa81d1cc

Download Submit
memory/916-35-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/916-46-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/916-45-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/916-37-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/3708-36-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/3708-4-0x0000000002900000-0x000000000290A000-memory.dmp

Filesize
40KB

Download
memory/3708-20-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/3708-21-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/3708-22-0x0000000004F00000-0x0000000004F0C000-memory.dmp

Filesize
48KB

Download
memory/3708-0-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/3708-5-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/3708-18-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/3708-15-0x0000000007020000-0x000000000702A000-memory.dmp

Filesize
40KB

Download
memory/3708-19-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/3708-3-0x0000000004E00000-0x0000000004E92000-memory.dmp

Filesize
584KB

Download
memory/3708-2-0x0000000005510000-0x0000000005AB4000-memory.dmp

Filesize
5.6MB

Download
memory/3708-1-0x0000000000330000-0x000000000039C000-memory.dmp

Filesize
432KB

Download
memory/3708-7-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/3708-6-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/4032-49-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4032-50-0x00000000055B0000-0x0000000005616000-memory.dmp

Filesize
408KB

Download
memory/4032-51-0x0000000005960000-0x0000000005972000-memory.dmp

Filesize
72KB

Download
memory/4032-52-0x0000000006760000-0x000000000679C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads