quasar | bdbc5164ef806974456f579200541d7c84f643377c86b0bc3c1081ddd1317146

General

Target

JaffaCakes118_6f5376f20c7f474f5554222d01456849.exe
Size

2.6MB
MD5

6f5376f20c7f474f5554222d01456849
SHA1

4931b9dc0767c76dc31e3e6c4423a961c0f51d86
SHA256

bdbc5164ef806974456f579200541d7c84f643377c86b0bc3c1081ddd1317146
SHA512

3c0510afbd1b076889491f7e177e03cd7e73b1debd1c416765bf18890e916a504376af7b04923ee233d78e08124f0d89fc60ca4dcc256ca44adffa87b83a59e0
SSDEEP

49152:/wp1l+eJkrb/TmvO90dL3BmAFd4A64nsfJPbcgTR55IX9fz1:/w1xY9P

Score

10^/10

quasar com surrogate spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

COM Surrogate

C2

10.8.1.66:8869

Mutex

119b9028-5664-4725-b2c1-1e4eaf743d68

Attributes

encryption_key
B0092D1E1BA8BCBB825AA0760094E03D6D52E169
install_name
3388.exe
log_directory
COMLogs
reconnect_delay
5000
startup_key
COM Surrogate

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b78-2.dat	family_quasar
behavioral2/memory/3304-5-0x00000000008D0000-0x0000000000954000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
3304	go-memexec-4116074306.exe
1244	3388.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\3388.exe	go-memexec-4116074306.exe
File opened for modification	C:\Windows\system32\3388.exe	go-memexec-4116074306.exe
File opened for modification	C:\Windows\system32\3388.exe	3388.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1632	schtasks.exe
532	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3304	go-memexec-4116074306.exe
Token: SeDebugPrivilege	1244	3388.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1244	3388.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 3304	5072	JaffaCakes118_6f5376f20c7f474f5554222d01456849.exe	84
PID 5072 wrote to memory of 3304	5072	JaffaCakes118_6f5376f20c7f474f5554222d01456849.exe	84
PID 3304 wrote to memory of 1632	3304	go-memexec-4116074306.exe	85
PID 3304 wrote to memory of 1632	3304	go-memexec-4116074306.exe	85
PID 3304 wrote to memory of 1244	3304	go-memexec-4116074306.exe	87
PID 3304 wrote to memory of 1244	3304	go-memexec-4116074306.exe	87
PID 1244 wrote to memory of 532	1244	3388.exe	88
PID 1244 wrote to memory of 532	1244	3388.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f5376f20c7f474f5554222d01456849.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f5376f20c7f474f5554222d01456849.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Admin\AppData\Local\Temp\go-memexec-4116074306.exe
  C:\Users\Admin\AppData\Local\Temp\go-memexec-4116074306.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "COM Surrogate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\go-memexec-4116074306.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1632
- - C:\Windows\system32\3388.exe
    "C:\Windows\system32\3388.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "COM Surrogate" /sc ONLOGON /tr "C:\Windows\system32\3388.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\go-memexec-4116074306.exe

Filesize
502KB

MD5
e49e8745bb3748c02b6991155ef988f9

SHA1
13ce804a8d4dd951b5535ceb819be3f04372f375

SHA256
9e105120064cd753917b8f60a20dedc1d5c33156189afdcc514189b07d23587e

SHA512
f7b514a905ba52970f5c17bd91e12a07ebd3e3715d3b5c59284c8f09ea7e4da317fd3968a46b164e520757de9567bd0ef36f0b0bed79e7aacd412032322a416d

Download Submit
memory/1244-13-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

Filesize
10.8MB

Download
memory/1244-14-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

Filesize
10.8MB

Download
memory/1244-15-0x000000001C0E0000-0x000000001C130000-memory.dmp

Filesize
320KB

Download
memory/1244-16-0x000000001C1F0000-0x000000001C2A2000-memory.dmp

Filesize
712KB

Download
memory/1244-17-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

Filesize
10.8MB

Download
memory/3304-4-0x00007FFEFB173000-0x00007FFEFB175000-memory.dmp

Filesize
8KB

Download
memory/3304-5-0x00000000008D0000-0x0000000000954000-memory.dmp

Filesize
528KB

Download
memory/3304-6-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

Filesize
10.8MB

Download
memory/3304-12-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads