babylonrat | 6c90a79a689fe5e644eb84fa9841e651cc95ce72097d682782bf6a843cb74945

General

Target

2d025269f56867da66563db280ab6569_JaffaCakes118.exe
Size

2.7MB
MD5

2d025269f56867da66563db280ab6569
SHA1

460574ed62cbeee67e8040664dfd6a8f00759887
SHA256

6c90a79a689fe5e644eb84fa9841e651cc95ce72097d682782bf6a843cb74945
SHA512

c12ca5eb92a0044d0e26ce19fd7784449b0411ba478c867fefd0cfd342ef4813cb21de489ce8104b1a7d4f5b78bafed90a1db9a26e4f3a186eb14c30fc9b4d35
SSDEEP

49152:2vPpaKDtcIycoXEfCt3FVo8NuKkM6NdW95YVViwkT7a6SnaBZezx1UdAI:UFMXEKt3Fm8NyM6NdW95Rw6gnI

Score

10^/10

babylonrat persistence trojan upx

Malware Config

Extracted

Family

babylonrat

C2

185.82.216.57

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

Executes dropped EXE 1 IoCs

pid	Process
2612	0.exe

Loads dropped DLL 2 IoCs

pid	Process
1976	2d025269f56867da66563db280ab6569_JaffaCakes118.exe
2612	0.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1976-0-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/1976-2-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2060-44-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2060-46-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2060-47-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2060-48-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2060-49-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2060-55-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\223-3304458921-12-5-1-S\\S-1-5-21-1298544033-322.exe"	2d025269f56867da66563db280ab6569_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1976 set thread context of 900	1976	2d025269f56867da66563db280ab6569_JaffaCakes118.exe	31
PID 1976 set thread context of 2060	1976	2d025269f56867da66563db280ab6569_JaffaCakes118.exe	32

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
1976	2d025269f56867da66563db280ab6569_JaffaCakes118.exe
1976	2d025269f56867da66563db280ab6569_JaffaCakes118.exe
1976	2d025269f56867da66563db280ab6569_JaffaCakes118.exe
1976	2d025269f56867da66563db280ab6569_JaffaCakes118.exe
1976	2d025269f56867da66563db280ab6569_JaffaCakes118.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe
2060	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
900	vbc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	900	vbc.exe
Token: SeDebugPrivilege	900	vbc.exe
Token: SeTcbPrivilege	900	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
900	vbc.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2612	1976	2d025269f56867da66563db280ab6569_JaffaCakes118.exe	30
PID 1976 wrote to memory of 2612	1976	2d025269f56867da66563db280ab6569_JaffaCakes118.exe	30
PID 1976 wrote to memory of 2612	1976	2d025269f56867da66563db280ab6569_JaffaCakes118.exe	30
PID 1976 wrote to memory of 2612	1976	2d025269f56867da66563db280ab6569_JaffaCakes118.exe	30
PID 1976 wrote to memory of 900	1976	2d025269f56867da66563db280ab6569_JaffaCakes118.exe	31
PID 1976 wrote to memory of 900	1976	2d025269f56867da66563db280ab6569_JaffaCakes118.exe	31
PID 1976 wrote to memory of 900	1976	2d025269f56867da66563db280ab6569_JaffaCakes118.exe	31
PID 1976 wrote to memory of 900	1976	2d025269f56867da66563db280ab6569_JaffaCakes118.exe	31
PID 1976 wrote to memory of 900	1976	2d025269f56867da66563db280ab6569_JaffaCakes118.exe	31
PID 1976 wrote to memory of 900	1976	2d025269f56867da66563db280ab6569_JaffaCakes118.exe	31
PID 1976 wrote to memory of 2060	1976	2d025269f56867da66563db280ab6569_JaffaCakes118.exe	32
PID 1976 wrote to memory of 2060	1976	2d025269f56867da66563db280ab6569_JaffaCakes118.exe	32
PID 1976 wrote to memory of 2060	1976	2d025269f56867da66563db280ab6569_JaffaCakes118.exe	32
PID 1976 wrote to memory of 2060	1976	2d025269f56867da66563db280ab6569_JaffaCakes118.exe	32
PID 1976 wrote to memory of 2060	1976	2d025269f56867da66563db280ab6569_JaffaCakes118.exe	32
PID 1976 wrote to memory of 2060	1976	2d025269f56867da66563db280ab6569_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\2d025269f56867da66563db280ab6569_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d025269f56867da66563db280ab6569_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\0.exe
  C:\Users\Admin\AppData\Local\Temp\0.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2612
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:900
- C:\Windows\SysWOW64\explorer.exe
  persistencecmd 900 "C:\223-3304458921-12-5-1-S\S-1-5-21-1298544033-322.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\0.exe

Filesize
1.6MB

MD5
130c5d73a3b905c3fac420a38cd3fa2e

SHA1
bc2c7ef8e28a9e3f6fda450c332d305496b07ce7

SHA256
e12d2bd8e991ad1d5746ced8a8db8e13916f4fc04686ec8e599090b6ead411e0

SHA512
1b7b44bcec635c6ee4aa770833085de098d37f6cfe93473fd1dbe714f7d097d5cf9e1aab79a7c037012c8f9f59fe9d03ba54f118d6aa384a9e792e50e551b0bd

Download Submit
\Users\Admin\AppData\Local\Temp\ScintillaNET\3.6.3\x86\SciLexer.dll

Filesize
943KB

MD5
2ff7acfa80647ee46cc3c0e446327108

SHA1
c994820d03af722c244b046d1ee0967f1b5bc478

SHA256
08f0cbbc5162f236c37166772be2c9b8ffd465d32df17ea9d45626c4ed2c911d

SHA512
50a9e20c5851d3a50f69651bc770885672ff4f97de32dfda55bf7488abd39a11e990525ec9152d250072acaad0c12a484155c31083d751668eb01addea5570cd

Download Submit
memory/900-20-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/900-38-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/900-52-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/900-39-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/900-50-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/900-41-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/900-43-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1976-0-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1976-2-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1976-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1976-4-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2060-48-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2060-46-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2060-44-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2060-47-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2060-49-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2060-55-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2612-19-0x0000000000940000-0x0000000000978000-memory.dmp

Filesize
224KB

Download
memory/2612-33-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-32-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-31-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/2612-28-0x00000000047B0000-0x0000000004838000-memory.dmp

Filesize
544KB

Download
memory/2612-24-0x0000000005D80000-0x0000000005ED6000-memory.dmp

Filesize
1.3MB

Download
memory/2612-23-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-22-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-21-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/2612-18-0x0000000000F40000-0x00000000010DA000-memory.dmp

Filesize
1.6MB

Download
memory/2612-17-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads