babylonrat | ea8c4a6d9e6d8e9c9ed430f8a29760264dd7e4a438189a66d47c319b6c180981

General

Target

KENAPA_UMNO_BERSAMA_KERAJAAN_PERPADUAN.lnk
Size

3KB
MD5

67919ac65f71daac11a70f8d9e9b75d3
SHA1

0ce2c4fe931dc3e711ea4af9913476a4e08fc7b2
SHA256

2c202c8fb88c907867f43a1d3c82a15b3b67204799efaed9e5cca2e150cdaacc
SHA512

c235a6a0913da127b70a46491e51d47813a3a7edcfcae6e1bcf1a06ccc418eb304ed05062fd6c84215533f8b30aea4e6dd3f59ad7c2b4ff2f9aab1a93914c533

Score

10^/10

babylonrat persistence trojan upx

Malware Config

Extracted

Family

babylonrat

C2

149.28.19.207

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

Executes dropped EXE 1 IoCs

pid	Process
2672	DriverDiagnoseTool.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/1072-116-0x0000000000310000-0x00000000003DA000-memory.dmp	upx
behavioral3/memory/1072-117-0x0000000000310000-0x00000000003DA000-memory.dmp	upx
behavioral3/memory/1072-118-0x0000000000310000-0x00000000003DA000-memory.dmp	upx
behavioral3/memory/1072-119-0x0000000000310000-0x00000000003DA000-memory.dmp	upx
behavioral3/memory/1072-121-0x0000000000310000-0x00000000003DA000-memory.dmp	upx
behavioral3/memory/1072-123-0x0000000000310000-0x00000000003DA000-memory.dmp	upx
behavioral3/memory/1072-128-0x0000000000310000-0x00000000003DA000-memory.dmp	upx
behavioral3/memory/2672-132-0x00000000000F0000-0x00000000001BA000-memory.dmp	upx
behavioral3/memory/2672-133-0x00000000000F0000-0x00000000001BA000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Windows\CurrentVersion\Run\DriverDiagnoseTool = "C:\\Users\\Admin\\AppData\\Roaming\\DriverDiagnoseTool.exe"	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
280	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1072	DriverDiagnoseTool.exe
1260	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	280	powershell.exe
Token: SeShutdownPrivilege	1072	DriverDiagnoseTool.exe
Token: SeDebugPrivilege	1072	DriverDiagnoseTool.exe
Token: SeTcbPrivilege	1072	DriverDiagnoseTool.exe
Token: SeShutdownPrivilege	2672	DriverDiagnoseTool.exe
Token: SeDebugPrivilege	2672	DriverDiagnoseTool.exe
Token: SeTcbPrivilege	2672	DriverDiagnoseTool.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1260	AcroRd32.exe
1072	DriverDiagnoseTool.exe
1260	AcroRd32.exe
1260	AcroRd32.exe
1260	AcroRd32.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 576	2228	cmd.exe	29
PID 2228 wrote to memory of 576	2228	cmd.exe	29
PID 2228 wrote to memory of 576	2228	cmd.exe	29
PID 576 wrote to memory of 280	576	cmd.exe	30
PID 576 wrote to memory of 280	576	cmd.exe	30
PID 576 wrote to memory of 280	576	cmd.exe	30
PID 280 wrote to memory of 1260	280	powershell.exe	31
PID 280 wrote to memory of 1260	280	powershell.exe	31
PID 280 wrote to memory of 1260	280	powershell.exe	31
PID 280 wrote to memory of 1260	280	powershell.exe	31
PID 280 wrote to memory of 1072	280	powershell.exe	32
PID 280 wrote to memory of 1072	280	powershell.exe	32
PID 280 wrote to memory of 1072	280	powershell.exe	32
PID 280 wrote to memory of 1072	280	powershell.exe	32
PID 280 wrote to memory of 2672	280	powershell.exe	34
PID 280 wrote to memory of 2672	280	powershell.exe	34
PID 280 wrote to memory of 2672	280	powershell.exe	34
PID 280 wrote to memory of 2672	280	powershell.exe	34

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\KENAPA_UMNO_BERSAMA_KERAJAAN_PERPADUAN.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -WindowStyle hidden -nologo -executionpolicy bypass -File "KENAPA_UMNO_BERSAMA_KERAJAAN_PERPADUAN.ps1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle hidden -nologo -executionpolicy bypass -File "KENAPA_UMNO_BERSAMA_KERAJAAN_PERPADUAN.ps1"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:280
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\KENAPA_UMNO_BERSAMA_KERAJAAN_PERPADUAN.pdf"
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:1260
  - - C:\Users\Admin\AppData\Local\Temp\DriverDiagnoseTool.exe
      "C:\Users\Admin\AppData\Local\Temp\DriverDiagnoseTool.exe"
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1072
  - - C:\Users\Admin\AppData\Roaming\DriverDiagnoseTool.exe
      "C:\Users\Admin\AppData\Roaming\DriverDiagnoseTool.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
0eec77ef94e120c77f2a5548cb803c6a

SHA1
2d0e346bbc81ce19ed76e8e0333142dd62c3a500

SHA256
8281764c6977e80d9ceeabe8eda8b7ca733922b51cec213acead698b9612de38

SHA512
63852dade6b9e2f9182ef673b553486c354ffc165dad7cfeefde1e8b87fff5c6d85059ec4fe03493688a97f2ef268292ac1324862c2ff935da37d968aaf82ca8

Download Submit
C:\Users\Admin\AppData\Roaming\DriverDiagnoseTool.exe

Filesize
300.9MB

MD5
d70de5a533c758bcba7ff16d204cdbe6

SHA1
38d9f39f8c3699c04c4e4ba3e33afbed745e3e8f

SHA256
40d348783300d039d969f27a22433a8cba8d31c28e2e8d542c10a5792d34c1d3

SHA512
a9355532ad9310a61f1b07926a64d48669ebf3e15e45c18a28a7b16c3e94d66037752d45b36e26c2dbb247b2d9fdcedc18f00fb4229daece372f44af418c07f1

Download Submit
C:\Users\Admin\AppData\Roaming\DriverDiagnoseTool.exe

Filesize
300.9MB

MD5
d70de5a533c758bcba7ff16d204cdbe6

SHA1
38d9f39f8c3699c04c4e4ba3e33afbed745e3e8f

SHA256
40d348783300d039d969f27a22433a8cba8d31c28e2e8d542c10a5792d34c1d3

SHA512
a9355532ad9310a61f1b07926a64d48669ebf3e15e45c18a28a7b16c3e94d66037752d45b36e26c2dbb247b2d9fdcedc18f00fb4229daece372f44af418c07f1

Download Submit
memory/280-129-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/280-115-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/280-112-0x0000000001D40000-0x0000000001D48000-memory.dmp

Filesize
32KB

Download
memory/280-113-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/280-111-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/280-114-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/1072-123-0x0000000000310000-0x00000000003DA000-memory.dmp

Filesize
808KB

Download
memory/1072-121-0x0000000000310000-0x00000000003DA000-memory.dmp

Filesize
808KB

Download
memory/1072-119-0x0000000000310000-0x00000000003DA000-memory.dmp

Filesize
808KB

Download
memory/1072-118-0x0000000000310000-0x00000000003DA000-memory.dmp

Filesize
808KB

Download
memory/1072-128-0x0000000000310000-0x00000000003DA000-memory.dmp

Filesize
808KB

Download
memory/1072-117-0x0000000000310000-0x00000000003DA000-memory.dmp

Filesize
808KB

Download
memory/1072-116-0x0000000000310000-0x00000000003DA000-memory.dmp

Filesize
808KB

Download
memory/2672-132-0x00000000000F0000-0x00000000001BA000-memory.dmp

Filesize
808KB

Download
memory/2672-133-0x00000000000F0000-0x00000000001BA000-memory.dmp

Filesize
808KB

Download

Analysis

Sharing