quasar | 29b58aa0ac40523e606e3a10258de337d2e76815b279402babc18e2bb410aab9

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
26-06-2024 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe
Size

358KB
MD5

13ddb4c563aa5d65f2a9822d50e3b92f
SHA1

2e1ccddf584175c3bd62ac8d0173fdb6ae73ea10
SHA256

29b58aa0ac40523e606e3a10258de337d2e76815b279402babc18e2bb410aab9
SHA512

ad7f92b70e64b04c3dde1b9519d88c237c62dd74d6929e17e968ce6a969449fd79caa1dca658294234759d17d9f5545ebf6fec87f5aa0c45b469c7fd27598f96
SSDEEP

6144:rJqQ4i1FFiEKhtpoidubrUX5v7N/Vyfs5uI:Fpli3poidD5jN/sfs5uI

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

almammory.hopto.org:1177

Mutex

QSR_MUTEX_uvFpjg4C7Cxl60AUEGAUEGGMUTEOO

Attributes

encryption_key
WVQm2WP2iovscPfuELDp
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2372-1-0x0000000000C60000-0x0000000000CC0000-memory.dmp	family_quasar
\Program Files (x86)\SubDir\Client.exe	family_quasar
behavioral1/memory/2716-9-0x0000000000D70000-0x0000000000DD0000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

Processes:

Client.exeClient.exe

pid process

2716 Client.exe
2844 Client.exe
Loads dropped DLL 7 IoCs

Processes:

13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exeWerFault.execmd.exe

pid process

2372 13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe
1676 WerFault.exe
1676 WerFault.exe
1676 WerFault.exe
1676 WerFault.exe
1676 WerFault.exe
2124 cmd.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

pid	process
2716	Client.exe
2844	Client.exe

pid	process
2372	13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe
1676	WerFault.exe
1676	WerFault.exe
1676	WerFault.exe
1676	WerFault.exe
1676	WerFault.exe
2124	cmd.exe

flow	ioc
2	ip-api.com

Drops file in Program Files directory 2 IoCs

Processes:

13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\SubDir\Client.exe	13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1676 2716 WerFault.exe Client.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2552 PING.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exeClient.exe

description pid process

Token: SeDebugPrivilege 2372 13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe
Token: SeDebugPrivilege 2716 Client.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

2716 Client.exe

pid	pid_target	process	target process
1676	2716	WerFault.exe	Client.exe

pid	process
2552	PING.EXE

description	pid	process
Token: SeDebugPrivilege	2372	13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe
Token: SeDebugPrivilege	2716	Client.exe

pid	process
2716	Client.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exeClient.execmd.exe

description	pid	process	target process
PID 2372 wrote to memory of 2716	2372	13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe	Client.exe
PID 2372 wrote to memory of 2716	2372	13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe	Client.exe
PID 2372 wrote to memory of 2716	2372	13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe	Client.exe
PID 2372 wrote to memory of 2716	2372	13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe	Client.exe
PID 2716 wrote to memory of 2124	2716	Client.exe	cmd.exe
PID 2716 wrote to memory of 2124	2716	Client.exe	cmd.exe
PID 2716 wrote to memory of 2124	2716	Client.exe	cmd.exe
PID 2716 wrote to memory of 2124	2716	Client.exe	cmd.exe
PID 2716 wrote to memory of 1676	2716	Client.exe	WerFault.exe
PID 2716 wrote to memory of 1676	2716	Client.exe	WerFault.exe
PID 2716 wrote to memory of 1676	2716	Client.exe	WerFault.exe
PID 2716 wrote to memory of 1676	2716	Client.exe	WerFault.exe
PID 2124 wrote to memory of 2576	2124	cmd.exe	chcp.com
PID 2124 wrote to memory of 2576	2124	cmd.exe	chcp.com
PID 2124 wrote to memory of 2576	2124	cmd.exe	chcp.com
PID 2124 wrote to memory of 2576	2124	cmd.exe	chcp.com
PID 2124 wrote to memory of 2552	2124	cmd.exe	PING.EXE
PID 2124 wrote to memory of 2552	2124	cmd.exe	PING.EXE
PID 2124 wrote to memory of 2552	2124	cmd.exe	PING.EXE
PID 2124 wrote to memory of 2552	2124	cmd.exe	PING.EXE
PID 2124 wrote to memory of 2844	2124	cmd.exe	Client.exe
PID 2124 wrote to memory of 2844	2124	cmd.exe	Client.exe
PID 2124 wrote to memory of 2844	2124	cmd.exe	Client.exe
PID 2124 wrote to memory of 2844	2124	cmd.exe	Client.exe

C:\Users\Admin\AppData\Local\Temp\13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\2fOAoehTy86w.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:2576

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2552

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
4⤵
- Executes dropped EXE
PID:2844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 1480
3⤵
- Loads dropped DLL
- Program crash
PID:1676

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2fOAoehTy86w.bat
Filesize
199B

MD5
9a3a47be9418f105717cb5a8d392e421

SHA1
4239eae814777e5b2ba4de3dba0e301b5d3bcd26

SHA256
cfe244207db25f35a6f097833c4666f5cb22f2215fb6f78e4097589cbc399708

SHA512
438b598bce135d5b8966964f4fe08a32cc620672a6569ae5b97b45665c85e99dc49e46136035d5faa3497e25c69fc94fe120d1eae672b9b07011c79e80c93983

Download Submit
\Program Files (x86)\SubDir\Client.exe
Filesize
358KB

MD5
13ddb4c563aa5d65f2a9822d50e3b92f

SHA1
2e1ccddf584175c3bd62ac8d0173fdb6ae73ea10

SHA256
29b58aa0ac40523e606e3a10258de337d2e76815b279402babc18e2bb410aab9

SHA512
ad7f92b70e64b04c3dde1b9519d88c237c62dd74d6929e17e968ce6a969449fd79caa1dca658294234759d17d9f5545ebf6fec87f5aa0c45b469c7fd27598f96

Download Submit
memory/2372-0-0x0000000073FBE000-0x0000000073FBF000-memory.dmp

Filesize
4KB

Download
memory/2372-1-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/2372-2-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/2372-12-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/2716-9-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2716-11-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/2716-10-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/2716-30-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download