asyncrat | ae8c18c319de226008fab8d1dc2d45e0f1adc17740eede53009239af79d65d68

General

Target

fd751c3d6ffbea6efdf57f746181d443_JaffaCakes118.ps1
Size

103KB
MD5

fd751c3d6ffbea6efdf57f746181d443
SHA1

287dc753c8c37bc5343677d10cb3d59068cc07f1
SHA256

ae8c18c319de226008fab8d1dc2d45e0f1adc17740eede53009239af79d65d68
SHA512

381f482e279bfbb84dcbb99b67e32f9220938befe84f2d5c9a7c53c985f7af4c243fac93bd81cbeced88442ebaeb8079e97b285e102cec4207ef17c75187b62d
SSDEEP

1536:EUIo1viUnh3sd8nlvEGWOfxWfgdtykOj45gocCFII2tsG:NTG

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

elliotgateway.ddns.net:5555

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4168 set thread context of 2256	4168	powershell.exe	91

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4168	powershell.exe
4168	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4168	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 4352	4168	powershell.exe	89
PID 4168 wrote to memory of 4352	4168	powershell.exe	89
PID 4352 wrote to memory of 2072	4352	csc.exe	90
PID 4352 wrote to memory of 2072	4352	csc.exe	90
PID 4168 wrote to memory of 2256	4168	powershell.exe	91
PID 4168 wrote to memory of 2256	4168	powershell.exe	91
PID 4168 wrote to memory of 2256	4168	powershell.exe	91
PID 4168 wrote to memory of 2256	4168	powershell.exe	91
PID 4168 wrote to memory of 2256	4168	powershell.exe	91
PID 4168 wrote to memory of 2256	4168	powershell.exe	91
PID 4168 wrote to memory of 2256	4168	powershell.exe	91
PID 4168 wrote to memory of 2256	4168	powershell.exe	91

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\fd751c3d6ffbea6efdf57f746181d443_JaffaCakes118.ps1
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wurf1vqh\wurf1vqh.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4631.tmp" "c:\Users\Admin\AppData\Local\Temp\wurf1vqh\CSC9D4816C4F301496F88B3ABA2A8D1E876.TMP"
    3⤵
    PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2256

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4631.tmp

Filesize
1KB

MD5
b8e5cbebdf37e0351f1952b819d8a0c4

SHA1
ab069486e7200649b2e3ed661b0c2fe8e881b69f

SHA256
e58bd47e7e8f6a6b30b0ba3c4330174d3c58e437dedfe4da87a335234ae00cf6

SHA512
10209f050dc87dd2cba9b83e673e86a19d4e9329e52b286b311160d1f1ff8d5d8e3f7f925d9c3cdc44093353e075fc4ad8c09372c66514dcafe2679237af3e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_clftigil.ap3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wurf1vqh\wurf1vqh.dll

Filesize
13KB

MD5
1b36627136920671529a8775cddb77bd

SHA1
47fc90b12803e4883da0aea05bef8b08c116e589

SHA256
bd34b9522ed8ce886c97d47b14d40d5af0cae61c7540181a39d7b539af7dcbf5

SHA512
b33be977e81a6d10fe60cff8736be2b2d322ff1631cfb37abd3afb71b884b8137d4a4c1e5d46726ff12c58d01800658977ae5d5a0e42c69eb5d62de2365326d7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wurf1vqh\CSC9D4816C4F301496F88B3ABA2A8D1E876.TMP

Filesize
652B

MD5
cf6e2cb0786c5629b34d88451cb119e8

SHA1
30c3cf950c3470d091f074415b6efaee4815bbe2

SHA256
699d57d501517dc43e07be6839f6c78942d15704316df3853abddc974530a792

SHA512
5fe7c3f9fb5b9beeb5c4982a91b6d17bac334329481be84eefb142d95757f2f021f055137c9d5c301269311d957617fb74a98917adea9e35e310a97da2cc03a9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wurf1vqh\wurf1vqh.0.cs

Filesize
13KB

MD5
e03b1e7ba7f1a53a7e10c0fd9049f437

SHA1
3bb851a42717eeb588eb7deadfcd04c571c15f41

SHA256
3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

SHA512
a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wurf1vqh\wurf1vqh.cmdline

Filesize
327B

MD5
7a29cd5335279857b35f3fdb9403d1da

SHA1
3baf444c4e6a6e65b24f270e73b8aa02bcb3eb6c

SHA256
e88d819885a484ac23d1fa1ce56ef41e475be22d2584aff6b32d7d6e40ee53a5

SHA512
10b177cb2e1059af996b9556b015bc266cb7fc5bf0110949d8577fc14a35952813d1c2006988e2abf4d733d1b7af810d6fdbe02b68ddeccbd68cfefed2fc9854

Download Submit
memory/2256-27-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2256-34-0x00000000057D0000-0x00000000057E0000-memory.dmp

Filesize
64KB

Download
memory/2256-33-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/2256-32-0x00000000057D0000-0x00000000057E0000-memory.dmp

Filesize
64KB

Download
memory/2256-31-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/4168-12-0x000001EBDA510000-0x000001EBDA586000-memory.dmp

Filesize
472KB

Download
memory/4168-30-0x00007FFE359F0000-0x00007FFE364B1000-memory.dmp

Filesize
10.8MB

Download
memory/4168-25-0x000001EBDA4D0000-0x000001EBDA4DA000-memory.dmp

Filesize
40KB

Download
memory/4168-6-0x000001EBDA000000-0x000001EBDA022000-memory.dmp

Filesize
136KB

Download
memory/4168-11-0x000001EBC1250000-0x000001EBC1260000-memory.dmp

Filesize
64KB

Download
memory/4168-10-0x00007FFE359F0000-0x00007FFE364B1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing