quasar | 23395541d41a67c4e3c3649aed1039f042500781428a5afab1c3ebb3ebca56a4

General

Target

JaffaCakes118_7305b95f9a46c2bcbe1ae7c093406f30.exe
Size

420KB
MD5

7305b95f9a46c2bcbe1ae7c093406f30
SHA1

64aa5d9d9f7547b8d36472709d98acfa754a4a42
SHA256

23395541d41a67c4e3c3649aed1039f042500781428a5afab1c3ebb3ebca56a4
SHA512

55dd25e5693841779158492fabe6a489683993fa62ff306081437d13447c5a0d2d1d7f86b0ea43d4abb7b1cd7bbfaa18d721797c787cc3a5ce9ef6e7fd0f8c20
SSDEEP

6144:si8drdA114CJkuvY4+bEXxxJIc+Zgnz8uJ72kY2GL4rO:yrGOekuaIvJIc+OnbGE

Score

10^/10

quasar persistence spyware trojan

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/2688-5-0x000000001ADE0000-0x000000001AE1E000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2864	windows.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Quasar Client Startup = "C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\windows.exe"	JaffaCakes118_7305b95f9a46c2bcbe1ae7c093406f30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Quasar Client Startup = "C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\windows.exe"	windows.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2688	JaffaCakes118_7305b95f9a46c2bcbe1ae7c093406f30.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe
2864	windows.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	JaffaCakes118_7305b95f9a46c2bcbe1ae7c093406f30.exe
Token: SeDebugPrivilege	2864	windows.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2864	windows.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2864	2688	JaffaCakes118_7305b95f9a46c2bcbe1ae7c093406f30.exe	32
PID 2688 wrote to memory of 2864	2688	JaffaCakes118_7305b95f9a46c2bcbe1ae7c093406f30.exe	32
PID 2688 wrote to memory of 2864	2688	JaffaCakes118_7305b95f9a46c2bcbe1ae7c093406f30.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7305b95f9a46c2bcbe1ae7c093406f30.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7305b95f9a46c2bcbe1ae7c093406f30.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Roaming\SubDir\windows.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\windows.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\windows.exe

Filesize
420KB

MD5
7305b95f9a46c2bcbe1ae7c093406f30

SHA1
64aa5d9d9f7547b8d36472709d98acfa754a4a42

SHA256
23395541d41a67c4e3c3649aed1039f042500781428a5afab1c3ebb3ebca56a4

SHA512
55dd25e5693841779158492fabe6a489683993fa62ff306081437d13447c5a0d2d1d7f86b0ea43d4abb7b1cd7bbfaa18d721797c787cc3a5ce9ef6e7fd0f8c20

Download Submit
memory/2688-0-0x000007FEF5A2E000-0x000007FEF5A2F000-memory.dmp

Filesize
4KB

Download
memory/2688-1-0x000000001ADA0000-0x000000001ADC2000-memory.dmp

Filesize
136KB

Download
memory/2688-2-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

Filesize
9.6MB

Download
memory/2688-3-0x000000001ADC0000-0x000000001ADE2000-memory.dmp

Filesize
136KB

Download
memory/2688-4-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

Filesize
9.6MB

Download
memory/2688-5-0x000000001ADE0000-0x000000001AE1E000-memory.dmp

Filesize
248KB

Download
memory/2688-6-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

Filesize
9.6MB

Download
memory/2688-17-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

Filesize
9.6MB

Download
memory/2864-16-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

Filesize
9.6MB

Download
memory/2864-15-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

Filesize
9.6MB

Download
memory/2864-14-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

Filesize
9.6MB

Download
memory/2864-18-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

Filesize
9.6MB

Download
memory/2864-19-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

Filesize
9.6MB

Download
memory/2864-21-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

Filesize
9.6MB

Download
memory/2864-22-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

Filesize
9.6MB

Download
memory/2864-23-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

Filesize
9.6MB

Download
memory/2864-24-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

Filesize
9.6MB

Download
memory/2864-25-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

Filesize
9.6MB

Download
memory/2864-26-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads