babylonrat | 302e0dce67996f580c4700ffb331db4a31a472441627bcbff4936a279cd18256

General

Target

0cd817392df0112a1f24c59bd8c9c22a_JaffaCakes118.exe
Size

355KB
MD5

0cd817392df0112a1f24c59bd8c9c22a
SHA1

e9b6860cb3780557824b9a939fa4a5272075649d
SHA256

302e0dce67996f580c4700ffb331db4a31a472441627bcbff4936a279cd18256
SHA512

c778bbcc9965b99db5c374bc5d679758bf1f182d7280ed025243414c4225fe423901ba5bdd859c2b33e3444b9a5291a9d905770ef0b51c26bdc6d52723655747
SSDEEP

6144:VL1ncfWwN0oc35jeRh8Xqfy/Ka1OHAH0tMrKCTEABG+Z9d3cQT/9nR4Ioy19I:VLdcfxaeM6fy/KaVUtgKkTZ73coNRJ

Score

10^/10

babylonrat persistence trojan upx

Malware Config

Extracted

Family

babylonrat

C2

156.67.251.153

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

Executes dropped EXE 2 IoCs

pid	Process
2432	client.exe
2340	client.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4284-0-0x0000000000610000-0x00000000006D9000-memory.dmp	upx
behavioral2/files/0x000d000000023b90-4.dat	upx
behavioral2/memory/2432-7-0x0000000000E20000-0x0000000000EE9000-memory.dmp	upx
behavioral2/memory/4284-5-0x0000000000610000-0x00000000006D9000-memory.dmp	upx
behavioral2/memory/2340-9-0x0000000000E20000-0x0000000000EE9000-memory.dmp	upx
behavioral2/memory/2432-10-0x0000000000E20000-0x0000000000EE9000-memory.dmp	upx
behavioral2/memory/2340-11-0x0000000000E20000-0x0000000000EE9000-memory.dmp	upx
behavioral2/memory/2432-12-0x0000000000E20000-0x0000000000EE9000-memory.dmp	upx
behavioral2/memory/2432-18-0x0000000000E20000-0x0000000000EE9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	0cd817392df0112a1f24c59bd8c9c22a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	client.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2432	client.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4284	0cd817392df0112a1f24c59bd8c9c22a_JaffaCakes118.exe
Token: SeDebugPrivilege	4284	0cd817392df0112a1f24c59bd8c9c22a_JaffaCakes118.exe
Token: SeTcbPrivilege	4284	0cd817392df0112a1f24c59bd8c9c22a_JaffaCakes118.exe
Token: SeShutdownPrivilege	2432	client.exe
Token: SeDebugPrivilege	2432	client.exe
Token: SeTcbPrivilege	2432	client.exe
Token: SeShutdownPrivilege	2340	client.exe
Token: SeDebugPrivilege	2340	client.exe
Token: SeTcbPrivilege	2340	client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2432	client.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 2432	4284	0cd817392df0112a1f24c59bd8c9c22a_JaffaCakes118.exe	85
PID 4284 wrote to memory of 2432	4284	0cd817392df0112a1f24c59bd8c9c22a_JaffaCakes118.exe	85
PID 4284 wrote to memory of 2432	4284	0cd817392df0112a1f24c59bd8c9c22a_JaffaCakes118.exe	85
PID 2432 wrote to memory of 2340	2432	client.exe	86
PID 2432 wrote to memory of 2340	2432	client.exe	86
PID 2432 wrote to memory of 2340	2432	client.exe	86

C:\Users\Admin\AppData\Local\Temp\0cd817392df0112a1f24c59bd8c9c22a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0cd817392df0112a1f24c59bd8c9c22a_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284
- C:\ProgramData\Babylon RAT\client.exe
  "C:\ProgramData\Babylon RAT\client.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\ProgramData\Babylon RAT\client.exe
    "C:\ProgramData\Babylon RAT\client.exe" 2432
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Babylon RAT\client.exe

Filesize
355KB

MD5
0cd817392df0112a1f24c59bd8c9c22a

SHA1
e9b6860cb3780557824b9a939fa4a5272075649d

SHA256
302e0dce67996f580c4700ffb331db4a31a472441627bcbff4936a279cd18256

SHA512
c778bbcc9965b99db5c374bc5d679758bf1f182d7280ed025243414c4225fe423901ba5bdd859c2b33e3444b9a5291a9d905770ef0b51c26bdc6d52723655747

Download Submit
memory/2340-9-0x0000000000E20000-0x0000000000EE9000-memory.dmp

Filesize
804KB

Download
memory/2340-11-0x0000000000E20000-0x0000000000EE9000-memory.dmp

Filesize
804KB

Download
memory/2432-7-0x0000000000E20000-0x0000000000EE9000-memory.dmp

Filesize
804KB

Download
memory/2432-10-0x0000000000E20000-0x0000000000EE9000-memory.dmp

Filesize
804KB

Download
memory/2432-12-0x0000000000E20000-0x0000000000EE9000-memory.dmp

Filesize
804KB

Download
memory/2432-18-0x0000000000E20000-0x0000000000EE9000-memory.dmp

Filesize
804KB

Download
memory/4284-0-0x0000000000610000-0x00000000006D9000-memory.dmp

Filesize
804KB

Download
memory/4284-5-0x0000000000610000-0x00000000006D9000-memory.dmp

Filesize
804KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads