Analysis
- max time kernel: 119s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240319-en
- resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
- submitted: 09-04-2024 06:57
Static task: static1
Behavioral task: behavioral1
  Sample: e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe
  Resource: win7-20240319-en
Behavioral task: behavioral2
  Sample: e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
The signatures and process tree below are from behavioral1, the windows7_x64 run named in the Analysis header.
General
- Target: e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe
- Size: 1.4MB
- MD5: e967e5778bbce368c0786e990cda6417
- SHA1: 92c06f11f52865d2c05a091d92907cc446b150f3
- SHA256: 1012f81b764e19da221657cbf5c400063faef8f97d82ccc1c7b1bab0921aa85b
- SHA512: 098caaec0f9482e2b13d1460d3be95322fa564ff5490fe9c06cee735502edabf95804e9d42504bf3d60557b187ce798fa883e188e0c5307a3f33a291f360d8b5
- SSDEEP: 24576:rrfP1Tok9Kc87buCPiCH3pSkT4gN38kOW8qdM7o+N4Du7Ec:Pd9KcsbDiCwM4CsBTWMpN4OEc
Malware Config
Signatures
-
Babylon RAT
Babylon RAT is a remote access trojan written in C++.
-
Executes dropped EXE 2 IoCs
pid   Process
2728  client.exe
848   client.exe
-
Loads dropped DLL 2 IoCs
pid   Process
2648  e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe
2728  client.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Update = "C:\\ProgramData\\WMP UPDATE\\client.exe"
Process: e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe (PID 2648)
Note: the value is written under RunOnce, not Run. Windows deletes a RunOnce value after executing it, so this entry survives exactly one restart unless it is rewritten. In this run only the hollowed copy of the original sample (PID 2648) wrote the value; neither client.exe instance was observed rewriting it within the 119s kernel window. The value name "Microsoft Update" and the "WMP UPDATE" directory under C:\ProgramData are the masquerading names to hunt for.
-
Suspicious use of SetThreadContext 2 IoCs
description                          pid   Process                                              procid_target
PID 1980 set thread context of 2648  1980  e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe  32
PID 2728 set thread context of 848   2728  client.exe                                           36
Note: in both rows the parent manipulates a child that runs the same image as itself (1980 and 2648 are both the original sample; 2728 and 848 are both client.exe). Taken together with the WriteProcessMemory rows below, this is consistent with process hollowing (RunPE): a copy of the own image is started, its memory is overwritten with the real payload, and the child's entry thread is redirected. The hollowed children (2648 and 848) are the processes that carry out the visible behaviour.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
2924  powershell.exe
268   powershell.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
description                 pid   Process
Token: SeShutdownPrivilege  2648  e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe
Token: SeDebugPrivilege     2648  e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe
Token: SeTcbPrivilege       2648  e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe
Token: SeDebugPrivilege     2924  powershell.exe
Token: SeDebugPrivilege     268   powershell.exe
-
Suspicious use of WriteProcessMemory 34 IoCs
The sandbox lists one row per write; the 34 rows collapse to five (source, target) pairs:
description                        pid   Process                                              procid_target  rows
PID 1980 wrote to memory of 2924   1980  e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe  30             4
PID 1980 wrote to memory of 2648   1980  e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe  32             11
PID 2648 wrote to memory of 2728   2648  e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe  33             4
PID 2728 wrote to memory of 268    2728  client.exe                                           34             4
PID 2728 wrote to memory of 848    2728  client.exe                                           36             11
Note: the four writes into each powershell.exe child and into the first client.exe are the small number a creating process makes into any new child, so a write on its own is weak evidence. The 11 writes each into 2648 and 848, the two children that also received SetThreadContext, are where the replacement image is written into the hollowed process.
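The reasoning in the two notes above (a write alone is ordinary process creation; a write plus SetThreadContext on a child of the same image is hollowing) can be run mechanically over the sandbox's own row format. The following is an added example, not code from the sandbox or from the sample: it parses rows in the "PID <src> <op> <dst> <src> <image> <procid_target>" layout used in this report, collapses repeats into counts, flags the hollowing pairs, and walks the injection chain from the first PID. The row strings are a constructed subset of this report's rows (same format, fewer repeats) and IMAGES is a hand-built PID-to-image map read off the process tree.

```python
"""Reconstruct the injection chain from the sandbox's flattened
'WriteProcessMemory' and 'SetThreadContext' records.

Added example, not sandbox or sample code. The record strings below are a
constructed subset of the rows in this report (same format, fewer repeats);
IMAGES is a hand-built PID -> image map taken from the process tree."""
import re
from collections import Counter

# Constructed subset of the report's rows: "PID <src> <op> <dst> <src> <image> <procid_target>"
WPM_RECORDS = """
PID 1980 wrote to memory of 2924 1980 e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe 30
PID 1980 wrote to memory of 2648 1980 e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe 32
PID 1980 wrote to memory of 2648 1980 e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe 32
PID 2648 wrote to memory of 2728 2648 e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe 33
PID 2728 wrote to memory of 268 2728 client.exe 34
PID 2728 wrote to memory of 848 2728 client.exe 36
PID 2728 wrote to memory of 848 2728 client.exe 36
"""
STC_RECORDS = """
PID 1980 set thread context of 2648 1980 e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe 32
PID 2728 set thread context of 848 2728 client.exe 36
"""
# PID -> image name, read off the process tree (constructed for this example).
IMAGES = {
    1980: "e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe",
    2924: "powershell.exe",
    2648: "e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe",
    2728: "client.exe",
    268: "powershell.exe",
    848: "client.exe",
}

RECORD_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"(?P=src) (?P<image>\S+) (?P<procid_target>\d+)$"
)

def parse(records):
    """Return one (src_pid, op, dst_pid) per row; repeats are kept so they can be counted."""
    rows = []
    for line in records.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed record: {line!r}")
        rows.append((int(m["src"]), m["op"], int(m["dst"])))
    return rows

def write_counts(records):
    """Collapse repeated WriteProcessMemory rows into (src, dst) -> number of writes."""
    return Counter((s, d) for s, op, d in parse(records) if op == "wrote to memory of")

def hollowing_pairs(wpm, stc, images):
    """(parent, child) pairs where the parent both wrote into the child and set the
    child's thread context, and both run the same image: the RunPE / process
    hollowing pattern. A write alone is also produced by ordinary process creation,
    so SetThreadContext is required as the second signal."""
    writes = {(s, d) for s, op, d in parse(wpm) if op == "wrote to memory of"}
    ctx = {(s, d) for s, op, d in parse(stc) if op == "set thread context of"}
    return sorted((s, d) for s, d in writes & ctx if images.get(s) == images.get(d))

def injection_chain(wpm, start):
    """Every PID that `start` wrote into, directly or through a child it wrote into,
    in breadth-first order."""
    edges = {}
    for s, op, d in parse(wpm):
        if op == "wrote to memory of":
            edges.setdefault(s, set()).add(d)
    seen, queue, order = {start}, [start], []
    while queue:
        p = queue.pop(0)
        for child in sorted(edges.get(p, ())):
            if child not in seen:
                seen.add(child)
                order.append(child)
                queue.append(child)
    return order

if __name__ == "__main__":
    print(dict(write_counts(WPM_RECORDS)))
    print(hollowing_pairs(WPM_RECORDS, STC_RECORDS, IMAGES))
    print(injection_chain(WPM_RECORDS, 1980))
```

Run against the full 34 rows of this report the counts come out as 4, 11, 4, 4 and 11, and the hollowing pairs are (1980, 2648) and (2728, 848); the same-image test is what separates those two from the writes into powershell.exe.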
Processes
-
C:\Users\Admin\AppData\Local\Temp\e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe (PID 1980, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2924, depth 2)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  -
  C:\Users\Admin\AppData\Local\Temp\e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe (PID 2648, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    C:\ProgramData\WMP UPDATE\client.exe (PID 2728, depth 3)
      command line: "C:\ProgramData\WMP UPDATE\client.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      -
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 268, depth 4)
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\WMP UPDATE\client.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      -
      C:\ProgramData\WMP UPDATE\client.exe (PID 848, depth 4)
        command line: "C:\ProgramData\WMP UPDATE\client.exe"
        - Executes dropped EXE
-
Reading the tree: the original sample (1980) hollows a copy of itself (2648); that copy drops client.exe to C:\ProgramData\WMP UPDATE, registers it under RunOnce and starts it (2728); client.exe repeats the hollowing into a second copy of itself (848), which is the instance left running at the end of the trace. Each stage first launches PowerShell with Add-MpPreference -ExclusionPath to exclude its own file from Windows Defender scanning before doing anything else. The command lines name System32\...\powershell.exe, but the process image recorded is under SysWOW64: the sample is 32-bit (the resource tags list arch:x86) and WoW64 file system redirection sent the request to the 32-bit PowerShell, so a detection keyed only on the System32 image path would miss these two processes.
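The two host-side behaviours visible in the tree, a RunOnce value that auto-starts an executable from a user-writable directory and powershell.exe adding a Defender exclusion for that same executable, are the ones worth turning into detections. The block below is an added example, not code from the sandbox or from the sample: it implements both checks in Python over a constructed, Sysmon-style event list modelled on this report (PIDs, paths and command lines as listed above, plus one benign control event), and then correlates them so that an executable that is both auto-started and excluded from scanning is reported. Field names (EventType, ProcessId, Image, CommandLine, TargetObject, Details) are assumptions following Sysmon's process-create and registry events.

```python
"""Detection logic for the two host-side behaviours in the process tree above:
(1) a Run/RunOnce value that auto-starts an executable outside the system and
program directories, and (2) powershell.exe adding a Defender path exclusion.

Added example, not code from the sandbox or the sample. EVENTS is a constructed,
Sysmon-style event list modelled on this report (one benign control event
included); field names follow Sysmon's registry and process-create events."""
import re

# Auto-start locations whose executables are not flagged; anything else is suspect.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
EXCLUSION_RE = re.compile(
    r'Add-MpPreference\b.*?-ExclusionPath\s+(?:"(?P<q>[^"]+)"|(?P<u>\S+))',
    re.IGNORECASE,
)

def _exe_from_value(value):
    """Executable path from a Run value: honour quotes, otherwise take up to the
    first '.exe' (an unquoted path with spaces, as this sample writes)."""
    v = value.strip()
    if v.startswith('"'):
        return v[1:v.find('"', 1)]
    m = re.match(r".+?\.exe", v, re.IGNORECASE)
    return m.group(0) if m else v.split(" ")[0]

def find_autorun_persistence(events):
    """(pid, key, value_name, exe) for Run/RunOnce writes pointing outside TRUSTED_DIRS."""
    hits = []
    for e in events:
        if e.get("EventType") != "SetValue":
            continue
        m = RUN_KEY_RE.search(e["TargetObject"])
        if not m:
            continue
        exe = _exe_from_value(e["Details"]).lower()
        if not exe.startswith(TRUSTED_DIRS):
            hits.append((e["ProcessId"], m["key"], m["name"], exe))
    return hits

def find_defender_exclusions(events):
    """(pid, excluded_path) for each powershell.exe that runs Add-MpPreference -ExclusionPath."""
    hits = []
    for e in events:
        if e.get("EventType") != "ProcessCreate":
            continue
        if not e["Image"].lower().endswith("\\powershell.exe"):
            continue
        m = EXCLUSION_RE.search(e["CommandLine"])
        if m:
            hits.append((e["ProcessId"], m["q"] or m["u"]))
    return hits

def correlate(events):
    """Executables that are both auto-started and excluded from Defender scanning:
    the self-protection pairing this sample shows for client.exe."""
    autorun = {exe for _, _, _, exe in find_autorun_persistence(events)}
    excluded = {p.lower() for _, p in find_defender_exclusions(events)}
    return sorted(autorun & excluded)

# Constructed events modelled on the report (PIDs, paths and command lines as listed above).
EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": 2924,
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
                    r'-ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe"'},
    {"EventType": "SetValue", "ProcessId": 2648,
     "TargetObject": r"HKU\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Update",
     "Details": r"C:\ProgramData\WMP UPDATE\client.exe"},
    {"EventType": "ProcessCreate", "ProcessId": 268,
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\WMP UPDATE\client.exe"'},
    # Benign control (constructed): a quoted Program Files path under Run is not flagged.
    {"EventType": "SetValue", "ProcessId": 4100,
     "TargetObject": r"HKU\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    print(find_autorun_persistence(EVENTS))
    print(find_defender_exclusions(EVENTS))
    print(correlate(EVENTS))
```

The image check matches on the file name rather than on the System32 directory on purpose, so the SysWOW64 PowerShell seen in this run is caught too; the unquoted-path handling in _exe_from_value matters because the RunOnce value this sample writes contains a space in "WMP UPDATE" and is not quoted.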
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize 7KB
MD5 8f6ca8e01da45ffe10f5695abdbb1a5a
SHA1 6a8e1bbb159fa86a698b4ae4b5742a9169ce34f0
SHA256 e14cca5f6f2c214963996b8300428065985770c06d1ab04b41c5279496cc4a0e
SHA512 d972906b6f25ff649fd16810ba207ad812009474c651f8e1e37a8b81551072627a5eb825424e7ab6df421ba7fa006a3510622fe685ed0c4b735c97b823bbabaa
This is a Windows jump list (CustomDestinations) file in the user's Recent folder; treat it as a host artifact of the run rather than as a payload unless its contents say otherwise.
-
Filesize 1.4MB
MD5 e967e5778bbce368c0786e990cda6417
SHA1 92c06f11f52865d2c05a091d92907cc446b150f3
SHA256 1012f81b764e19da221657cbf5c400063faef8f97d82ccc1c7b1bab0921aa85b
SHA512 098caaec0f9482e2b13d1460d3be95322fa564ff5490fe9c06cee735502edabf95804e9d42504bf3d60557b187ce798fa883e188e0c5307a3f33a291f360d8b5
No path is given for this entry on the page. Its size and all four hashes are identical to the submitted sample, so the dropped file is a byte-for-byte copy of the original executable rather than a separately packed second stage; the hashes in the General section therefore cover client.exe as well.