babylonrat | 12028366e44c4e772f26201af6920dbdf20adcec01d4f1d01b5c6058e5c190cb

General

Target

eea523161809e39ee734d8deb02f9f98_JaffaCakes118.exe
Size

604KB
MD5

eea523161809e39ee734d8deb02f9f98
SHA1

a563069349eb551da8121fbb1b84690cc60a1eb4
SHA256

12028366e44c4e772f26201af6920dbdf20adcec01d4f1d01b5c6058e5c190cb
SHA512

a1901ab67bb41d40f728f0329c42d948245fd6b1ae6c762b200f04f67918fcfd365d54214259a976bf3930069203d8e24dea5f1be5f7ae1ca842b9d88d98ff35
SSDEEP

12288:fWrrr46mYSAkuzMbGtHLkur085gLO3PzB9TxNLKvtzA9ey:CrrrSAkuoGtpoM6O/DTxtKvt6ey

Score

10^/10

babylonrat persistence trojan

Malware Config

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\lQJOSm2kytUFm5ER\\8RyCTOPzuYaX.exe\",explorer.exe"	eea523161809e39ee734d8deb02f9f98_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3128	tskmsgl.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	eea523161809e39ee734d8deb02f9f98_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	eea523161809e39ee734d8deb02f9f98_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2096 set thread context of 3128	2096	eea523161809e39ee734d8deb02f9f98_JaffaCakes118.exe	88

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	eea523161809e39ee734d8deb02f9f98_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	eea523161809e39ee734d8deb02f9f98_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	eea523161809e39ee734d8deb02f9f98_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4664	3128	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2096	eea523161809e39ee734d8deb02f9f98_JaffaCakes118.exe
2096	eea523161809e39ee734d8deb02f9f98_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	eea523161809e39ee734d8deb02f9f98_JaffaCakes118.exe
Token: SeDebugPrivilege	2096	eea523161809e39ee734d8deb02f9f98_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 3128	2096	eea523161809e39ee734d8deb02f9f98_JaffaCakes118.exe	88
PID 2096 wrote to memory of 3128	2096	eea523161809e39ee734d8deb02f9f98_JaffaCakes118.exe	88
PID 2096 wrote to memory of 3128	2096	eea523161809e39ee734d8deb02f9f98_JaffaCakes118.exe	88
PID 2096 wrote to memory of 3128	2096	eea523161809e39ee734d8deb02f9f98_JaffaCakes118.exe	88
PID 2096 wrote to memory of 3128	2096	eea523161809e39ee734d8deb02f9f98_JaffaCakes118.exe	88
PID 2096 wrote to memory of 3128	2096	eea523161809e39ee734d8deb02f9f98_JaffaCakes118.exe	88
PID 2096 wrote to memory of 3128	2096	eea523161809e39ee734d8deb02f9f98_JaffaCakes118.exe	88
PID 2096 wrote to memory of 3128	2096	eea523161809e39ee734d8deb02f9f98_JaffaCakes118.exe	88
PID 2096 wrote to memory of 3128	2096	eea523161809e39ee734d8deb02f9f98_JaffaCakes118.exe	88
PID 2096 wrote to memory of 3128	2096	eea523161809e39ee734d8deb02f9f98_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\eea523161809e39ee734d8deb02f9f98_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eea523161809e39ee734d8deb02f9f98_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\a7I0Lu6pvUv7PGad\tskmsgl.exe
  "C:\Users\Admin\AppData\Local\Temp\a7I0Lu6pvUv7PGad\tskmsgl.exe"
  2⤵
  - Executes dropped EXE
  PID:3128
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 536
    3⤵
    - Program crash
    PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3128 -ip 3128
1⤵
PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a7I0Lu6pvUv7PGad\tskmsgl.exe

Filesize
604KB

MD5
eea523161809e39ee734d8deb02f9f98

SHA1
a563069349eb551da8121fbb1b84690cc60a1eb4

SHA256
12028366e44c4e772f26201af6920dbdf20adcec01d4f1d01b5c6058e5c190cb

SHA512
a1901ab67bb41d40f728f0329c42d948245fd6b1ae6c762b200f04f67918fcfd365d54214259a976bf3930069203d8e24dea5f1be5f7ae1ca842b9d88d98ff35

Download Submit
memory/2096-0-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/2096-1-0x0000000001550000-0x0000000001560000-memory.dmp

Filesize
64KB

Download
memory/2096-2-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/2096-17-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/2096-18-0x0000000001550000-0x0000000001560000-memory.dmp

Filesize
64KB

Download
memory/2096-19-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/3128-9-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3128-13-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3128-14-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3128-16-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads