babylonrat | 302e0dce67996f580c4700ffb331db4a31a472441627bcbff4936a279cd18256

General

Target

0cd817392df0112a1f24c59bd8c9c22a_JaffaCakes118.exe
Size

355KB
MD5

0cd817392df0112a1f24c59bd8c9c22a
SHA1

e9b6860cb3780557824b9a939fa4a5272075649d
SHA256

302e0dce67996f580c4700ffb331db4a31a472441627bcbff4936a279cd18256
SHA512

c778bbcc9965b99db5c374bc5d679758bf1f182d7280ed025243414c4225fe423901ba5bdd859c2b33e3444b9a5291a9d905770ef0b51c26bdc6d52723655747
SSDEEP

6144:VL1ncfWwN0oc35jeRh8Xqfy/Ka1OHAH0tMrKCTEABG+Z9d3cQT/9nR4Ioy19I:VLdcfxaeM6fy/KaVUtgKkTZ73coNRJ

Score

10^/10

babylonrat persistence trojan upx

Malware Config

Extracted

Family

babylonrat

C2

156.67.251.153

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

Executes dropped EXE 2 IoCs

pid	Process
2944	client.exe
2972	client.exe

Loads dropped DLL 2 IoCs

pid	Process
2868	0cd817392df0112a1f24c59bd8c9c22a_JaffaCakes118.exe
2944	client.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2868-0-0x00000000011B0000-0x0000000001279000-memory.dmp	upx
behavioral1/files/0x0036000000015ca5-3.dat	upx
behavioral1/memory/2868-5-0x00000000004E0000-0x00000000005A9000-memory.dmp	upx
behavioral1/memory/2868-9-0x00000000011B0000-0x0000000001279000-memory.dmp	upx
behavioral1/memory/2944-10-0x0000000000380000-0x0000000000449000-memory.dmp	upx
behavioral1/memory/2972-14-0x0000000000380000-0x0000000000449000-memory.dmp	upx
behavioral1/memory/2944-15-0x0000000000380000-0x0000000000449000-memory.dmp	upx
behavioral1/memory/2972-16-0x0000000000380000-0x0000000000449000-memory.dmp	upx
behavioral1/memory/2944-19-0x0000000000380000-0x0000000000449000-memory.dmp	upx
behavioral1/memory/2944-22-0x0000000000380000-0x0000000000449000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	0cd817392df0112a1f24c59bd8c9c22a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	client.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2944	client.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2868	0cd817392df0112a1f24c59bd8c9c22a_JaffaCakes118.exe
Token: SeDebugPrivilege	2868	0cd817392df0112a1f24c59bd8c9c22a_JaffaCakes118.exe
Token: SeTcbPrivilege	2868	0cd817392df0112a1f24c59bd8c9c22a_JaffaCakes118.exe
Token: SeShutdownPrivilege	2944	client.exe
Token: SeDebugPrivilege	2944	client.exe
Token: SeTcbPrivilege	2944	client.exe
Token: SeShutdownPrivilege	2972	client.exe
Token: SeDebugPrivilege	2972	client.exe
Token: SeTcbPrivilege	2972	client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2944	client.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2944	2868	0cd817392df0112a1f24c59bd8c9c22a_JaffaCakes118.exe	28
PID 2868 wrote to memory of 2944	2868	0cd817392df0112a1f24c59bd8c9c22a_JaffaCakes118.exe	28
PID 2868 wrote to memory of 2944	2868	0cd817392df0112a1f24c59bd8c9c22a_JaffaCakes118.exe	28
PID 2868 wrote to memory of 2944	2868	0cd817392df0112a1f24c59bd8c9c22a_JaffaCakes118.exe	28
PID 2944 wrote to memory of 2972	2944	client.exe	29
PID 2944 wrote to memory of 2972	2944	client.exe	29
PID 2944 wrote to memory of 2972	2944	client.exe	29
PID 2944 wrote to memory of 2972	2944	client.exe	29

C:\Users\Admin\AppData\Local\Temp\0cd817392df0112a1f24c59bd8c9c22a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0cd817392df0112a1f24c59bd8c9c22a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\ProgramData\Babylon RAT\client.exe
  "C:\ProgramData\Babylon RAT\client.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\ProgramData\Babylon RAT\client.exe
    "C:\ProgramData\Babylon RAT\client.exe" 2944
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\Babylon RAT\client.exe

Filesize
355KB

MD5
0cd817392df0112a1f24c59bd8c9c22a

SHA1
e9b6860cb3780557824b9a939fa4a5272075649d

SHA256
302e0dce67996f580c4700ffb331db4a31a472441627bcbff4936a279cd18256

SHA512
c778bbcc9965b99db5c374bc5d679758bf1f182d7280ed025243414c4225fe423901ba5bdd859c2b33e3444b9a5291a9d905770ef0b51c26bdc6d52723655747

Download Submit
memory/2868-0-0x00000000011B0000-0x0000000001279000-memory.dmp

Filesize
804KB

Download
memory/2868-5-0x00000000004E0000-0x00000000005A9000-memory.dmp

Filesize
804KB

Download
memory/2868-9-0x00000000011B0000-0x0000000001279000-memory.dmp

Filesize
804KB

Download
memory/2944-10-0x0000000000380000-0x0000000000449000-memory.dmp

Filesize
804KB

Download
memory/2944-15-0x0000000000380000-0x0000000000449000-memory.dmp

Filesize
804KB

Download
memory/2944-19-0x0000000000380000-0x0000000000449000-memory.dmp

Filesize
804KB

Download
memory/2944-22-0x0000000000380000-0x0000000000449000-memory.dmp

Filesize
804KB

Download
memory/2972-14-0x0000000000380000-0x0000000000449000-memory.dmp

Filesize
804KB

Download
memory/2972-16-0x0000000000380000-0x0000000000449000-memory.dmp

Filesize
804KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads