Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
09-04-2024 06:57
Static task
static1
Behavioral task
behavioral1
Sample
e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe
Resource
win7-20240319-en
Behavioral task
behavioral2
Sample
e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe
-
Size
1.4MB
-
MD5
e967e5778bbce368c0786e990cda6417
-
SHA1
92c06f11f52865d2c05a091d92907cc446b150f3
-
SHA256
1012f81b764e19da221657cbf5c400063faef8f97d82ccc1c7b1bab0921aa85b
-
SHA512
098caaec0f9482e2b13d1460d3be95322fa564ff5490fe9c06cee735502edabf95804e9d42504bf3d60557b187ce798fa883e188e0c5307a3f33a291f360d8b5
-
SSDEEP
24576:rrfP1Tok9Kc87buCPiCH3pSkT4gN38kOW8qdM7o+N4Du7Ec:Pd9KcsbDiCwM4CsBTWMpN4OEc
Malware Config
Signatures
-
Babylon RAT
Babylon RAT is remote access trojan written in C++.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation client.exe Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation client.exe -
Executes dropped EXE 7 IoCs
pid Process 4440 client.exe 4976 client.exe 4080 client.exe 4656 client.exe 1060 client.exe 2060 client.exe 4896 client.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Update = "C:\\ProgramData\\WMP UPDATE\\client.exe" e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Update = "C:\\ProgramData\\WMP UPDATE\\client.exe" client.exe Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Update = "C:\\ProgramData\\WMP UPDATE\\client.exe" client.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 4528 set thread context of 1564 4528 e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe 97 PID 4440 set thread context of 4080 4440 client.exe 103 PID 4656 set thread context of 2060 4656 client.exe 108 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 4908 powershell.exe 4908 powershell.exe 4440 client.exe 4440 client.exe 2680 powershell.exe 2680 powershell.exe 4656 client.exe 4656 client.exe 4068 powershell.exe 4068 powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4080 client.exe -
Suspicious use of AdjustPrivilegeToken 14 IoCs
description pid Process Token: SeShutdownPrivilege 1564 e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe Token: SeDebugPrivilege 1564 e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe Token: SeTcbPrivilege 1564 e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe Token: SeDebugPrivilege 4908 powershell.exe Token: SeDebugPrivilege 4440 client.exe Token: SeShutdownPrivilege 4080 client.exe Token: SeDebugPrivilege 4080 client.exe Token: SeTcbPrivilege 4080 client.exe Token: SeDebugPrivilege 2680 powershell.exe Token: SeDebugPrivilege 4656 client.exe Token: SeShutdownPrivilege 2060 client.exe Token: SeDebugPrivilege 2060 client.exe Token: SeTcbPrivilege 2060 client.exe Token: SeDebugPrivilege 4068 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4080 client.exe -
Suspicious use of WriteProcessMemory 54 IoCs
description pid Process procid_target PID 4528 wrote to memory of 4908 4528 e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe 96 PID 4528 wrote to memory of 4908 4528 e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe 96 PID 4528 wrote to memory of 4908 4528 e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe 96 PID 4528 wrote to memory of 1564 4528 e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe 97 PID 4528 wrote to memory of 1564 4528 e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe 97 PID 4528 wrote to memory of 1564 4528 e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe 97 PID 4528 wrote to memory of 1564 4528 e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe 97 PID 4528 wrote to memory of 1564 4528 e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe 97 PID 4528 wrote to memory of 1564 4528 e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe 97 PID 4528 wrote to memory of 1564 4528 e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe 97 PID 4528 wrote to memory of 1564 4528 e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe 97 PID 4528 wrote to memory of 1564 4528 e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe 97 PID 4528 wrote to memory of 1564 4528 e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe 97 PID 1564 wrote to memory of 4440 1564 e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe 99 PID 1564 wrote to memory of 4440 1564 e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe 99 PID 1564 wrote to memory of 4440 1564 e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe 99 PID 4440 wrote to memory of 2680 4440 client.exe 100 PID 4440 wrote to memory of 2680 4440 client.exe 100 PID 4440 wrote to memory of 2680 4440 client.exe 100 PID 4440 wrote to memory of 4976 4440 client.exe 102 PID 4440 wrote to memory of 4976 4440 client.exe 102 PID 4440 wrote to memory of 4976 4440 client.exe 102 PID 4440 wrote to memory of 4080 4440 client.exe 103 PID 4440 wrote to memory of 4080 4440 client.exe 103 PID 4440 wrote to memory of 4080 4440 client.exe 103 PID 4440 wrote to memory of 4080 4440 client.exe 103 PID 4440 wrote to memory of 4080 4440 client.exe 103 PID 4440 wrote to memory of 4080 4440 client.exe 103 PID 4440 wrote to memory of 4080 4440 client.exe 103 PID 4440 wrote to memory of 4080 4440 client.exe 103 PID 4440 wrote to memory of 4080 4440 client.exe 103 PID 4440 wrote to memory of 4080 4440 client.exe 103 PID 4080 wrote to memory of 4656 4080 client.exe 104 PID 4080 wrote to memory of 4656 4080 client.exe 104 PID 4080 wrote to memory of 4656 4080 client.exe 104 PID 4656 wrote to memory of 4068 4656 client.exe 105 PID 4656 wrote to memory of 4068 4656 client.exe 105 PID 4656 wrote to memory of 4068 4656 client.exe 105 PID 4656 wrote to memory of 1060 4656 client.exe 107 PID 4656 wrote to memory of 1060 4656 client.exe 107 PID 4656 wrote to memory of 1060 4656 client.exe 107 PID 4656 wrote to memory of 2060 4656 client.exe 108 PID 4656 wrote to memory of 2060 4656 client.exe 108 PID 4656 wrote to memory of 2060 4656 client.exe 108 PID 4656 wrote to memory of 2060 4656 client.exe 108 PID 4656 wrote to memory of 2060 4656 client.exe 108 PID 4656 wrote to memory of 2060 4656 client.exe 108 PID 4656 wrote to memory of 2060 4656 client.exe 108 PID 4656 wrote to memory of 2060 4656 client.exe 108 PID 4656 wrote to memory of 2060 4656 client.exe 108 PID 4656 wrote to memory of 2060 4656 client.exe 108 PID 4080 wrote to memory of 4896 4080 client.exe 109 PID 4080 wrote to memory of 4896 4080 client.exe 109 PID 4080 wrote to memory of 4896 4080 client.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4908
-
-
C:\Users\Admin\AppData\Local\Temp\e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e967e5778bbce368c0786e990cda6417_JaffaCakes118.exe"2⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\ProgramData\WMP UPDATE\client.exe"C:\ProgramData\WMP UPDATE\client.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\WMP UPDATE\client.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2680
-
-
C:\ProgramData\WMP UPDATE\client.exe"C:\ProgramData\WMP UPDATE\client.exe"4⤵
- Executes dropped EXE
PID:4976
-
-
C:\ProgramData\WMP UPDATE\client.exe"C:\ProgramData\WMP UPDATE\client.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\ProgramData\WMP UPDATE\client.exe"C:\ProgramData\WMP UPDATE\client.exe" 40805⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\WMP UPDATE\client.exe"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4068
-
-
C:\ProgramData\WMP UPDATE\client.exe"C:\ProgramData\WMP UPDATE\client.exe"6⤵
- Executes dropped EXE
PID:1060
-
-
C:\ProgramData\WMP UPDATE\client.exe"C:\ProgramData\WMP UPDATE\client.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2060
-
-
-
C:\ProgramData\WMP UPDATE\client.exe"C:\ProgramData\WMP UPDATE\client.exe" 40805⤵
- Executes dropped EXE
PID:4896
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD5e967e5778bbce368c0786e990cda6417
SHA192c06f11f52865d2c05a091d92907cc446b150f3
SHA2561012f81b764e19da221657cbf5c400063faef8f97d82ccc1c7b1bab0921aa85b
SHA512098caaec0f9482e2b13d1460d3be95322fa564ff5490fe9c06cee735502edabf95804e9d42504bf3d60557b187ce798fa883e188e0c5307a3f33a291f360d8b5
-
Filesize
1KB
MD517573558c4e714f606f997e5157afaac
SHA113e16e9415ceef429aaf124139671ebeca09ed23
SHA256c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc
-
Filesize
2KB
MD5e38cf80ccd733d12acd8ed657fa76a0f
SHA1580e49e1b482dcf0480cefe6d5bf8f0331732296
SHA25647996c1354ee704ef75a94ae2217033da52695ca164573023cda951bdec728be
SHA512ed7056b56d6cd0fd42f9bb716c647ed21f988231aa0817f28be7fceab199a274a479af4e7b77b86ed298b6734b39c2e6714d46bd6bd408d9862a77d97013bc12
-
Filesize
18KB
MD5087b82405d6019cefbdf61074e3c3de2
SHA1b53c28d70356f302a4d01776ab56b5cb36321bd2
SHA25601389ebef23a56d637038ce5b11c13565c5d990e230a84a4a3e58bf514225a3c
SHA5128438236f6efa383e0b57287dcd8b87d21d947d059766180608baca166dadc6f7531589102dc0329817d0ab2600f6744e1150ebe24beaa98baed3111e69d48c55
-
Filesize
18KB
MD5d16499c37046dbd701f8ae3081b9676a
SHA1f2de36a308c56ae7786944f9f2d45a8b5c255a84
SHA2560bc644775aef2f91b2bca481e2b505a40c46041bc3fc127de745108c36858d13
SHA51239f5208080b16ffff74987aa7fbbd4ef6ce7b773e76fbd793e1184a2b24bd7564149b298d7c8707df5a488aabc1f68eb23f0aba36bf79cb63c1f6e5ca3b59020
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82