Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
18-05-2024 09:38
General
-
Target
5419b68e892537e2f02ed14c671e315f_JaffaCakes118.exe
-
Size
2.3MB
-
MD5
5419b68e892537e2f02ed14c671e315f
-
SHA1
21c7e4899632b83776d1d86b406a76e60cc6f58d
-
SHA256
d0a1612ed72fa557c8dc8094b7536bf1e58c4dca0b0ee2dccd21f884644388a6
-
SHA512
e5929a4772821f39d30199d1af35a08ae3209445ef7203a617bec9ca48b8d71be2f2b8efb2315046a560d04c95d7d5b5029601d8d3cc89b4d4c8892af0f5f3ab
-
SSDEEP
49152:YTnwHus0g6cXW9DpUT3WzSmagomLoLWGwjlBLP72gbHYTno:8nwHu3ZeTGpaKsqvllP/4zo
Malware Config
Signatures
-
Babylon RAT
Babylon RAT is remote access trojan written in C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 2 IoCs
-
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5419b68e892537e2f02ed14c671e315f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5419b68e892537e2f02ed14c671e315f_JaffaCakes118.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\WindowsUpdate\svchost.exe"C:\ProgramData\WindowsUpdate\svchost.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\WindowsUpdate\svchost.exe"C:\ProgramData\WindowsUpdate\svchost.exe" 30283⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.3MB
MD55419b68e892537e2f02ed14c671e315f
SHA121c7e4899632b83776d1d86b406a76e60cc6f58d
SHA256d0a1612ed72fa557c8dc8094b7536bf1e58c4dca0b0ee2dccd21f884644388a6
SHA512e5929a4772821f39d30199d1af35a08ae3209445ef7203a617bec9ca48b8d71be2f2b8efb2315046a560d04c95d7d5b5029601d8d3cc89b4d4c8892af0f5f3ab
-
Filesize
5.5MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
404KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.5MB
-
Filesize
5.5MB
-
Filesize
5.5MB
-
Filesize
5.5MB
-
Filesize
5.5MB
-
Filesize
5.5MB
-
Filesize
5.5MB
-
Filesize
5.5MB
-
Filesize
5.5MB
-
Filesize
5.5MB
-
Filesize
5.5MB
-
Filesize
5.5MB
-
Filesize
5.5MB
-
Filesize
5.5MB