arrowrat | 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c

Analysis

max time kernel
137s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-03-2023 23:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bJyy.exe
Size

138KB
MD5

bdc72c4851b8543f9f57215f1a3fc336
SHA1

b04f8b232040200d68a75400c5e160d0f61387f7
SHA256

59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c
SHA512

884be565c02616d79feea31aaa2d13926e9fe530ed656a31595d2f295c346867cf4f4c313350b695d3f8b30e56c625995e360e50820bccc605e915ab3cd68599
SSDEEP

3072:6bvu5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/Y/:6bvqS7BqjjYHdrqkL/

Score

10^/10

arrowrat 0xu9g7 persistence rat

Malware Config

Extracted

Family

arrowrat

Botnet

0XU9G7

pandora2425.duckdns.org:2425

Mutex

JGLG6C

Signatures

ArrowRat
Remote access tool with various capabilities first seen in late 2021.
rat arrowrat

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1720	2020	WerFault.exe	27

Modifies registry class 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2020	bJyy.exe
2020	bJyy.exe
2020	bJyy.exe
2020	bJyy.exe
2020	bJyy.exe
2020	bJyy.exe
2020	bJyy.exe
2020	bJyy.exe
2020	bJyy.exe
2020	bJyy.exe
2020	bJyy.exe
2020	bJyy.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	bJyy.exe
Token: SeShutdownPrivilege	1196	explorer.exe
Token: SeShutdownPrivilege	1196	explorer.exe
Token: SeShutdownPrivilege	1196	explorer.exe
Token: SeShutdownPrivilege	1196	explorer.exe
Token: SeShutdownPrivilege	1196	explorer.exe
Token: SeShutdownPrivilege	1196	explorer.exe
Token: SeShutdownPrivilege	1196	explorer.exe
Token: SeShutdownPrivilege	1196	explorer.exe
Token: 33	1644	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1644	AUDIODG.EXE
Token: 33	1644	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1644	AUDIODG.EXE
Token: SeShutdownPrivilege	1196	explorer.exe
Token: SeShutdownPrivilege	1196	explorer.exe
Token: SeShutdownPrivilege	1196	explorer.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe

Suspicious use of SendNotifyMessage 21 IoCs

pid	Process
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1196	2020	bJyy.exe	28
PID 2020 wrote to memory of 1196	2020	bJyy.exe	28
PID 2020 wrote to memory of 1196	2020	bJyy.exe	28
PID 2020 wrote to memory of 2032	2020	bJyy.exe	29
PID 2020 wrote to memory of 2032	2020	bJyy.exe	29
PID 2020 wrote to memory of 2032	2020	bJyy.exe	29
PID 2020 wrote to memory of 2032	2020	bJyy.exe	29
PID 2020 wrote to memory of 2036	2020	bJyy.exe	30
PID 2020 wrote to memory of 2036	2020	bJyy.exe	30
PID 2020 wrote to memory of 2036	2020	bJyy.exe	30
PID 2020 wrote to memory of 2036	2020	bJyy.exe	30
PID 2020 wrote to memory of 888	2020	bJyy.exe	31
PID 2020 wrote to memory of 888	2020	bJyy.exe	31
PID 2020 wrote to memory of 888	2020	bJyy.exe	31
PID 2020 wrote to memory of 888	2020	bJyy.exe	31
PID 2020 wrote to memory of 876	2020	bJyy.exe	32
PID 2020 wrote to memory of 876	2020	bJyy.exe	32
PID 2020 wrote to memory of 876	2020	bJyy.exe	32
PID 2020 wrote to memory of 876	2020	bJyy.exe	32
PID 2020 wrote to memory of 960	2020	bJyy.exe	33
PID 2020 wrote to memory of 960	2020	bJyy.exe	33
PID 2020 wrote to memory of 960	2020	bJyy.exe	33
PID 2020 wrote to memory of 960	2020	bJyy.exe	33
PID 2020 wrote to memory of 268	2020	bJyy.exe	34
PID 2020 wrote to memory of 268	2020	bJyy.exe	34
PID 2020 wrote to memory of 268	2020	bJyy.exe	34
PID 2020 wrote to memory of 268	2020	bJyy.exe	34
PID 2020 wrote to memory of 768	2020	bJyy.exe	35
PID 2020 wrote to memory of 768	2020	bJyy.exe	35
PID 2020 wrote to memory of 768	2020	bJyy.exe	35
PID 2020 wrote to memory of 768	2020	bJyy.exe	35
PID 2020 wrote to memory of 1476	2020	bJyy.exe	36
PID 2020 wrote to memory of 1476	2020	bJyy.exe	36
PID 2020 wrote to memory of 1476	2020	bJyy.exe	36
PID 2020 wrote to memory of 1476	2020	bJyy.exe	36
PID 2020 wrote to memory of 1472	2020	bJyy.exe	37
PID 2020 wrote to memory of 1472	2020	bJyy.exe	37
PID 2020 wrote to memory of 1472	2020	bJyy.exe	37
PID 2020 wrote to memory of 1472	2020	bJyy.exe	37
PID 2020 wrote to memory of 1916	2020	bJyy.exe	38
PID 2020 wrote to memory of 1916	2020	bJyy.exe	38
PID 2020 wrote to memory of 1916	2020	bJyy.exe	38
PID 2020 wrote to memory of 1916	2020	bJyy.exe	38
PID 1196 wrote to memory of 1488	1196	explorer.exe	39
PID 1196 wrote to memory of 1488	1196	explorer.exe	39
PID 1196 wrote to memory of 1488	1196	explorer.exe	39
PID 2020 wrote to memory of 1720	2020	bJyy.exe	40
PID 2020 wrote to memory of 1720	2020	bJyy.exe	40
PID 2020 wrote to memory of 1720	2020	bJyy.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bJyy.exe
"C:\Users\Admin\AppData\Local\Temp\bJyy.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\system32\ctfmon.exe
    ctfmon.exe
    3⤵
    PID:1488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 0XU9G7 pandora2425.duckdns.org 2425 JGLG6C
  2⤵
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 0XU9G7 pandora2425.duckdns.org 2425 JGLG6C
  2⤵
  PID:2036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 0XU9G7 pandora2425.duckdns.org 2425 JGLG6C
  2⤵
  PID:888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 0XU9G7 pandora2425.duckdns.org 2425 JGLG6C
  2⤵
  PID:876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 0XU9G7 pandora2425.duckdns.org 2425 JGLG6C
  2⤵
  PID:960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 0XU9G7 pandora2425.duckdns.org 2425 JGLG6C
  2⤵
  PID:268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 0XU9G7 pandora2425.duckdns.org 2425 JGLG6C
  2⤵
  PID:768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 0XU9G7 pandora2425.duckdns.org 2425 JGLG6C
  2⤵
  PID:1476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 0XU9G7 pandora2425.duckdns.org 2425 JGLG6C
  2⤵
  PID:1472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 0XU9G7 pandora2425.duckdns.org 2425 JGLG6C
  2⤵
  PID:1916
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2020 -s 668
  2⤵
  - Program crash
  PID:1720

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x54c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1196-55-0x0000000003EE0000-0x0000000003EE1000-memory.dmp

Filesize
4KB

Download
memory/1196-56-0x0000000003EE0000-0x0000000003EE1000-memory.dmp

Filesize
4KB

Download
memory/1196-60-0x0000000002B70000-0x0000000002B80000-memory.dmp

Filesize
64KB

Download
memory/2020-54-0x0000000001370000-0x0000000001398000-memory.dmp

Filesize
160KB

Download