quasar | 6d6831eb5e141890de5963fdeb0444fadc89bf15d48aeccbc2c14f9ce72c47b2

Analysis

max time kernel
4s
max time network
6s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 06:02

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
Size

598KB
MD5

164cc91241694bba1ddee440c96530c1
SHA1

0354ca6a88e4e97d92366b119bb06c78ecb4f1d7
SHA256

6d6831eb5e141890de5963fdeb0444fadc89bf15d48aeccbc2c14f9ce72c47b2
SHA512

223294d6ccb00ef6a2c25d972729f3226eff96647ec769fa0364500f4d145750d4913df6b9d03ddb4a20a2252fb5fa84a4d88d42b4de1e664295f2015b867f0a
SSDEEP

12288:GBU27je2sGbV7LsAlhgLTj9BBnWobokcoyhUvqA2UdpT3:GBUYje21R0b9BBnWooXhQqANpr

Score

10^/10

quasar venomrat windows security evasion persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

windows security

vilvaraj-32652.portmap.io:32652

Mutex

VNM_MUTEX_XaCO2YtLAsadylDHBP

Attributes

encryption_key
eKgGUbCubcSIafuOAN5V
install_name
windows security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
windows security
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource yara_rule

behavioral2/memory/4276-9-0x0000000000400000-0x000000000048C000-memory.dmp disable_win_def

resource	yara_rule
behavioral2/memory/4276-9-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/4276-9-0x0000000000400000-0x000000000048C000-memory.dmp family_quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
Executes dropped EXE 2 IoCs

Processes:

windows security.exewindows security.exe

pid process

4308 windows security.exe
3936 windows security.exe

resource	yara_rule
behavioral2/memory/4276-9-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar

pid	process
4308	windows security.exe
3936	windows security.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update Folder\\Windows Update.exe"	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-api.com

flow	ioc
11	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

164cc91241694bba1ddee440c96530c1_JaffaCakes118.exewindows security.exe

description	pid	process	target process
PID 708 set thread context of 4276	708	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
PID 4308 set thread context of 3936	4308	windows security.exe	windows security.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3652 3936 WerFault.exe windows security.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3892 schtasks.exe
1652 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4200 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2448 powershell.exe
2448 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

164cc91241694bba1ddee440c96530c1_JaffaCakes118.exepowershell.exewindows security.exe

description pid process

Token: SeDebugPrivilege 4276 164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
Token: SeDebugPrivilege 2448 powershell.exe
Token: SeDebugPrivilege 3936 windows security.exe

pid	pid_target	process	target process
3652	3936	WerFault.exe	windows security.exe

pid	process
3892	schtasks.exe
1652	schtasks.exe

pid	process
4200	PING.EXE

pid	process
2448	powershell.exe
2448	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4276	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	3936	windows security.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe164cc91241694bba1ddee440c96530c1_JaffaCakes118.exewindows security.exe

description	pid	process	target process
PID 708 wrote to memory of 4276	708	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
PID 708 wrote to memory of 4276	708	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
PID 708 wrote to memory of 4276	708	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
PID 708 wrote to memory of 4276	708	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
PID 708 wrote to memory of 4276	708	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
PID 708 wrote to memory of 4276	708	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
PID 708 wrote to memory of 4276	708	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
PID 708 wrote to memory of 4276	708	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
PID 4276 wrote to memory of 3892	4276	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	schtasks.exe
PID 4276 wrote to memory of 3892	4276	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	schtasks.exe
PID 4276 wrote to memory of 3892	4276	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	schtasks.exe
PID 4276 wrote to memory of 4308	4276	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	windows security.exe
PID 4276 wrote to memory of 4308	4276	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	windows security.exe
PID 4276 wrote to memory of 4308	4276	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	windows security.exe
PID 4276 wrote to memory of 2448	4276	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	powershell.exe
PID 4276 wrote to memory of 2448	4276	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	powershell.exe
PID 4276 wrote to memory of 2448	4276	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	powershell.exe
PID 4308 wrote to memory of 3936	4308	windows security.exe	windows security.exe
PID 4308 wrote to memory of 3936	4308	windows security.exe	windows security.exe
PID 4308 wrote to memory of 3936	4308	windows security.exe	windows security.exe
PID 4308 wrote to memory of 3936	4308	windows security.exe	windows security.exe
PID 4308 wrote to memory of 3936	4308	windows security.exe	windows security.exe
PID 4308 wrote to memory of 3936	4308	windows security.exe	windows security.exe
PID 4308 wrote to memory of 3936	4308	windows security.exe	windows security.exe
PID 4308 wrote to memory of 3936	4308	windows security.exe	windows security.exe

C:\Users\Admin\AppData\Local\Temp\164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:708

C:\Users\Admin\AppData\Local\Temp\164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe"
2⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "windows security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3892

C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe
"C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4308

C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe
"C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "windows security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\q8MhMeRMcYF6.bat" "
5⤵
PID:4024

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:4420

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 2232
5⤵
- Program crash
PID:3652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3936 -ip 3936
1⤵
PID:860

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2sru0l4i.wt3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\q8MhMeRMcYF6.bat
Filesize
217B

MD5
25182903e31e25e732eab906828e9aab

SHA1
f0b044dcaf768e55cccfb917166ec96c86df4a93

SHA256
6fd2d210d79be2387ea090f9d92b4b305e4d11a021cd79c4f966e5c69c992d92

SHA512
e38df410fbf0eae2bd6dd1c338b49241bf769a2bd452ff023fee5888aa7a3d3707c095452037dadcfaafe2ce69f5c49cba9c526218d13ccbe581b028ba8dfa5e

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe
Filesize
598KB

MD5
164cc91241694bba1ddee440c96530c1

SHA1
0354ca6a88e4e97d92366b119bb06c78ecb4f1d7

SHA256
6d6831eb5e141890de5963fdeb0444fadc89bf15d48aeccbc2c14f9ce72c47b2

SHA512
223294d6ccb00ef6a2c25d972729f3226eff96647ec769fa0364500f4d145750d4913df6b9d03ddb4a20a2252fb5fa84a4d88d42b4de1e664295f2015b867f0a

Download Submit
memory/708-1-0x0000000000900000-0x000000000099C000-memory.dmp

Filesize
624KB

Download
memory/708-3-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/708-2-0x00000000052D0000-0x00000000052D8000-memory.dmp

Filesize
32KB

Download
memory/708-4-0x00000000058A0000-0x0000000005E44000-memory.dmp

Filesize
5.6MB

Download
memory/708-5-0x0000000005410000-0x00000000054A2000-memory.dmp

Filesize
584KB

Download
memory/708-6-0x0000000005550000-0x00000000055EC000-memory.dmp

Filesize
624KB

Download
memory/708-8-0x00000000053A0000-0x00000000053AA000-memory.dmp

Filesize
40KB

Download
memory/708-12-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/708-0-0x000000007507E000-0x000000007507F000-memory.dmp

Filesize
4KB

Download
memory/2448-29-0x0000000005A20000-0x0000000005A86000-memory.dmp

Filesize
408KB

Download
memory/2448-64-0x0000000007CF0000-0x0000000007CFA000-memory.dmp

Filesize
40KB

Download
memory/2448-70-0x0000000007F90000-0x0000000007F98000-memory.dmp

Filesize
32KB

Download
memory/2448-69-0x0000000007FB0000-0x0000000007FCA000-memory.dmp

Filesize
104KB

Download
memory/2448-22-0x0000000003040000-0x0000000003076000-memory.dmp

Filesize
216KB

Download
memory/2448-23-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/2448-24-0x0000000005AB0000-0x00000000060D8000-memory.dmp

Filesize
6.2MB

Download
memory/2448-25-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/2448-68-0x0000000007EB0000-0x0000000007EC4000-memory.dmp

Filesize
80KB

Download
memory/2448-28-0x0000000005980000-0x00000000059A2000-memory.dmp

Filesize
136KB

Download
memory/2448-31-0x0000000006380000-0x00000000066D4000-memory.dmp

Filesize
3.3MB

Download
memory/2448-67-0x0000000007EA0000-0x0000000007EAE000-memory.dmp

Filesize
56KB

Download
memory/2448-41-0x0000000006950000-0x000000000696E000-memory.dmp

Filesize
120KB

Download
memory/2448-42-0x0000000006EA0000-0x0000000006EEC000-memory.dmp

Filesize
304KB

Download
memory/2448-66-0x0000000007E70000-0x0000000007E81000-memory.dmp

Filesize
68KB

Download
memory/2448-46-0x0000000070510000-0x000000007055C000-memory.dmp

Filesize
304KB

Download
memory/2448-45-0x0000000007930000-0x0000000007962000-memory.dmp

Filesize
200KB

Download
memory/2448-56-0x0000000006EF0000-0x0000000006F0E000-memory.dmp

Filesize
120KB

Download
memory/2448-58-0x0000000007B70000-0x0000000007C13000-memory.dmp

Filesize
652KB

Download
memory/2448-61-0x00000000082C0000-0x000000000893A000-memory.dmp

Filesize
6.5MB

Download
memory/2448-62-0x0000000007C70000-0x0000000007C8A000-memory.dmp

Filesize
104KB

Download
memory/2448-65-0x0000000007EF0000-0x0000000007F86000-memory.dmp

Filesize
600KB

Download
memory/3936-44-0x0000000006BA0000-0x0000000006BAA000-memory.dmp

Filesize
40KB

Download
memory/4276-15-0x0000000006600000-0x0000000006612000-memory.dmp

Filesize
72KB

Download
memory/4276-9-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4276-11-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/4276-13-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/4276-14-0x00000000058B0000-0x0000000005916000-memory.dmp

Filesize
408KB

Download
memory/4276-16-0x0000000006C80000-0x0000000006CBC000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads