asyncrat | 7e18d8d15774617c68ee110c9db48ede24e1a4a28c52fb8197dfc593ed2877b0

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68e5cd49f6d77354d46b27a1e6e7763e_JaffaCakes118.exe
Size

4.9MB
MD5

68e5cd49f6d77354d46b27a1e6e7763e
SHA1

c2cb1378e9ede29c9a96c46f8ea1c5aaeffa26f1
SHA256

7e18d8d15774617c68ee110c9db48ede24e1a4a28c52fb8197dfc593ed2877b0
SHA512

12bbd1ff695a6d91692970c6882e17a5493b27bd931168e619931af4c51c4f0621ed5ae5a53e605e26bbfedf0c8b812be6b39854209569af860090e61680031f
SSDEEP

98304:tZY+5StaPLB6cdAT88El9DkLry6Dgbe8AONOuLFP3TgFge:ttvBX+4PzkL5Dgi8AoDpTkge

Score

10^/10

asyncrat rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

4 pastebin.com
5 pastebin.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

68e5cd49f6d77354d46b27a1e6e7763e_JaffaCakes118.exe

description pid process target process

PID 2916 set thread context of 2564 2916 68e5cd49f6d77354d46b27a1e6e7763e_JaffaCakes118.exe jsc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

68e5cd49f6d77354d46b27a1e6e7763e_JaffaCakes118.exejsc.exe

description pid process

Token: SeDebugPrivilege 2916 68e5cd49f6d77354d46b27a1e6e7763e_JaffaCakes118.exe
Token: SeDebugPrivilege 2564 jsc.exe

flow	ioc
4	pastebin.com
5	pastebin.com

description	pid	process	target process
PID 2916 set thread context of 2564	2916	68e5cd49f6d77354d46b27a1e6e7763e_JaffaCakes118.exe	jsc.exe

description	pid	process
Token: SeDebugPrivilege	2916	68e5cd49f6d77354d46b27a1e6e7763e_JaffaCakes118.exe
Token: SeDebugPrivilege	2564	jsc.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

68e5cd49f6d77354d46b27a1e6e7763e_JaffaCakes118.exe

description	pid	process	target process
PID 2916 wrote to memory of 2564	2916	68e5cd49f6d77354d46b27a1e6e7763e_JaffaCakes118.exe	jsc.exe
PID 2916 wrote to memory of 2564	2916	68e5cd49f6d77354d46b27a1e6e7763e_JaffaCakes118.exe	jsc.exe
PID 2916 wrote to memory of 2564	2916	68e5cd49f6d77354d46b27a1e6e7763e_JaffaCakes118.exe	jsc.exe
PID 2916 wrote to memory of 2564	2916	68e5cd49f6d77354d46b27a1e6e7763e_JaffaCakes118.exe	jsc.exe
PID 2916 wrote to memory of 2564	2916	68e5cd49f6d77354d46b27a1e6e7763e_JaffaCakes118.exe	jsc.exe
PID 2916 wrote to memory of 2564	2916	68e5cd49f6d77354d46b27a1e6e7763e_JaffaCakes118.exe	jsc.exe
PID 2916 wrote to memory of 2564	2916	68e5cd49f6d77354d46b27a1e6e7763e_JaffaCakes118.exe	jsc.exe
PID 2916 wrote to memory of 2564	2916	68e5cd49f6d77354d46b27a1e6e7763e_JaffaCakes118.exe	jsc.exe
PID 2916 wrote to memory of 2564	2916	68e5cd49f6d77354d46b27a1e6e7763e_JaffaCakes118.exe	jsc.exe

C:\Users\Admin\AppData\Local\Temp\68e5cd49f6d77354d46b27a1e6e7763e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\68e5cd49f6d77354d46b27a1e6e7763e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2564-21-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2564-23-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2564-16-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2564-22-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2564-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2564-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2564-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2564-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2564-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2564-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2564-19-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2916-5-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2916-20-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2916-7-0x00000000007D0000-0x00000000007E4000-memory.dmp

Filesize
80KB

Download
memory/2916-6-0x00000000005F0000-0x000000000061E000-memory.dmp

Filesize
184KB

Download
memory/2916-0-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/2916-4-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2916-3-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2916-2-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2916-1-0x0000000000BB0000-0x0000000000C44000-memory.dmp

Filesize
592KB

Download