quasar | a410d04d919c39d5f6be80f4a8a6eb61dafbd57f1b867cdc48c213d37d2f5786

General

Target

JaffaCakes118_ecba252daf2e1fb8b65b0af04bb6385d.exe
Size

844KB
MD5

ecba252daf2e1fb8b65b0af04bb6385d
SHA1

18956962cf9c921f8b86a9f21bb6c2de8202f344
SHA256

a410d04d919c39d5f6be80f4a8a6eb61dafbd57f1b867cdc48c213d37d2f5786
SHA512

3b131ee7b34280932cd1a1cbb1712c3a294a145974fd5d4f58a0fde3dad30c1686693eee3b4793d0af41162ad74c9064ef96b62c4edd5bc8b86b809aa4bcac3e
SSDEEP

12288:NDL6oxYlzaD69WuBq1C6MHCssAJ/S/YT4n2WwL1Sk4bZAGFqNWuKFhUOyUbWN5l:tGvEAttsw/SI4n2HSkOgN+Vy3l

Score

10^/10

quasar client discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

client

C2

10.0.2.2:4782

192.168.0.1:4782

10.0.2.15:4782

255.255.255.0:4782

Mutex

e2e2f510-9470-421c-8417-98939f923438

Attributes

encryption_key
2885B7A815B031474D6AA741214082E2BC1A0DBD
install_name
meme.exe
log_directory
Logs
reconnect_delay
1500
startup_key
Windows Defender
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 8 IoCs

resource	yara_rule
behavioral1/memory/2480-5-0x0000000000400000-0x000000000048D000-memory.dmp	family_quasar
behavioral1/memory/2480-7-0x0000000000400000-0x000000000048D000-memory.dmp	family_quasar
behavioral1/memory/2480-8-0x0000000000400000-0x000000000048D000-memory.dmp	family_quasar
behavioral1/memory/2480-2-0x0000000000400000-0x000000000048D000-memory.dmp	family_quasar
behavioral1/files/0x000e00000001418b-13.dat	family_quasar
behavioral1/memory/2128-21-0x0000000001040000-0x00000000010C4000-memory.dmp	family_quasar
behavioral1/memory/2480-22-0x0000000000400000-0x000000000048D000-memory.dmp	family_quasar
behavioral1/memory/2592-28-0x0000000000B60000-0x0000000000BE4000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
2128	kaas.exe
2592	meme.exe

Loads dropped DLL 1 IoCs

pid	Process
2480	JaffaCakes118_ecba252daf2e1fb8b65b0af04bb6385d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2328 set thread context of 2480	2328	JaffaCakes118_ecba252daf2e1fb8b65b0af04bb6385d.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ecba252daf2e1fb8b65b0af04bb6385d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ecba252daf2e1fb8b65b0af04bb6385d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1088	schtasks.exe
2612	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	kaas.exe
Token: SeDebugPrivilege	2592	meme.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2748	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2480	JaffaCakes118_ecba252daf2e1fb8b65b0af04bb6385d.exe
2592	meme.exe
2748	DllHost.exe
2748	DllHost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2480	2328	JaffaCakes118_ecba252daf2e1fb8b65b0af04bb6385d.exe	31
PID 2328 wrote to memory of 2480	2328	JaffaCakes118_ecba252daf2e1fb8b65b0af04bb6385d.exe	31
PID 2328 wrote to memory of 2480	2328	JaffaCakes118_ecba252daf2e1fb8b65b0af04bb6385d.exe	31
PID 2328 wrote to memory of 2480	2328	JaffaCakes118_ecba252daf2e1fb8b65b0af04bb6385d.exe	31
PID 2328 wrote to memory of 2480	2328	JaffaCakes118_ecba252daf2e1fb8b65b0af04bb6385d.exe	31
PID 2328 wrote to memory of 2480	2328	JaffaCakes118_ecba252daf2e1fb8b65b0af04bb6385d.exe	31
PID 2328 wrote to memory of 2480	2328	JaffaCakes118_ecba252daf2e1fb8b65b0af04bb6385d.exe	31
PID 2328 wrote to memory of 2480	2328	JaffaCakes118_ecba252daf2e1fb8b65b0af04bb6385d.exe	31
PID 2480 wrote to memory of 2128	2480	JaffaCakes118_ecba252daf2e1fb8b65b0af04bb6385d.exe	32
PID 2480 wrote to memory of 2128	2480	JaffaCakes118_ecba252daf2e1fb8b65b0af04bb6385d.exe	32
PID 2480 wrote to memory of 2128	2480	JaffaCakes118_ecba252daf2e1fb8b65b0af04bb6385d.exe	32
PID 2480 wrote to memory of 2128	2480	JaffaCakes118_ecba252daf2e1fb8b65b0af04bb6385d.exe	32
PID 2128 wrote to memory of 1088	2128	kaas.exe	34
PID 2128 wrote to memory of 1088	2128	kaas.exe	34
PID 2128 wrote to memory of 1088	2128	kaas.exe	34
PID 2128 wrote to memory of 2592	2128	kaas.exe	36
PID 2128 wrote to memory of 2592	2128	kaas.exe	36
PID 2128 wrote to memory of 2592	2128	kaas.exe	36
PID 2592 wrote to memory of 2612	2592	meme.exe	37
PID 2592 wrote to memory of 2612	2592	meme.exe	37
PID 2592 wrote to memory of 2612	2592	meme.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ecba252daf2e1fb8b65b0af04bb6385d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ecba252daf2e1fb8b65b0af04bb6385d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ecba252daf2e1fb8b65b0af04bb6385d.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ecba252daf2e1fb8b65b0af04bb6385d.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Users\Admin\AppData\Local\Temp\kaas.exe
    "C:\Users\Admin\AppData\Local\Temp\kaas.exe" 0
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\kaas.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1088
  - - C:\Users\Admin\AppData\Roaming\SubDir\meme.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\meme.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\meme.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2612

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\meme.jpg

Filesize
39KB

MD5
27b8358bd6c37a16b2847d4870e08c3b

SHA1
ee3cd30808fcee5c59150257d848dad5da3672b2

SHA256
01bfa4816d1d2718577ebbd0c1ccd56ba862d1b087b19e1416ec7067f77f2fe6

SHA512
69a4705207570c47ca91fa5fc7baef20b198dfd4700d01df74ac0273e77825ef532fc46b7e9c0b2f3efc26ae43c0f05f50afbd443feea1fd0134c17d4486e177

Download Submit
\Users\Admin\AppData\Local\Temp\kaas.exe

Filesize
502KB

MD5
d5481fd49d0cbcb94c2523991eaaed5c

SHA1
be21a3c0d6da8d61ad7feb8b971fa3fec67bc141

SHA256
3c4cbf7b95a1bb4b6ec3986f20ad2b44b9fb19b6cda7eaca115c2efac458b1aa

SHA512
737e76fec2ab9c4faa6623af98146426bc8c15e4bd72b37db535db47efd5671e0e438b98b17d6f673283b2aa6f6a4ef063e3a923532eb894ede98ee63d167b09

Download Submit
memory/2128-21-0x0000000001040000-0x00000000010C4000-memory.dmp

Filesize
528KB

Download
memory/2128-18-0x000007FEF6063000-0x000007FEF6064000-memory.dmp

Filesize
4KB

Download
memory/2480-2-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2480-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2480-0-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2480-8-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2480-7-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2480-19-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/2480-5-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2480-22-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2480-1-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2592-28-0x0000000000B60000-0x0000000000BE4000-memory.dmp

Filesize
528KB

Download
memory/2748-20-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads