babylonrat | 05de0b178f4283cf6e4d16fd8a7db1f20703df56159dbd1f4ca64862e4c58391

General

Target

660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe
Size

3.0MB
MD5

660c9f6423af0b5904795c35918bfc1d
SHA1

db76ca668d99446d6893713e94f87ceda9c719ea
SHA256

05de0b178f4283cf6e4d16fd8a7db1f20703df56159dbd1f4ca64862e4c58391
SHA512

eb69f2a49352a389a534fbe3250881201db228bad62f23f0bc466106bb09eaf09353137019e5dfc9b99c033dc1542f529c5313dcd368e2e5e4aa369e37a23968
SSDEEP

49152:8P8B7enbJ4PpaKDtcIycoXEfCt3FVo8NuKkM6NdW95YVViwkT7a6SnaBZezx1Udj:8P+ebIFMXEKt3Fm8NyM6NdW95Rw6gnI

Score

10^/10

babylonrat persistence trojan

Malware Config

Extracted

Family

babylonrat

C2

185.82.216.57

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

Executes dropped EXE 1 IoCs

pid	Process
1640	0.exe

Loads dropped DLL 2 IoCs

pid	Process
1524	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe
1640	0.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\141-145049033-12-5-1-S\\S-1-5-21-330940541-141.exe"	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1524 set thread context of 2056	1524	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe	31
PID 1524 set thread context of 1820	1524	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe	33

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
1524	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe
1524	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe
1524	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe
1524	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe
1524	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe
1820	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2056	vbc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2056	vbc.exe
Token: SeDebugPrivilege	2056	vbc.exe
Token: SeTcbPrivilege	2056	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2056	vbc.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 1640	1524	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe	30
PID 1524 wrote to memory of 1640	1524	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe	30
PID 1524 wrote to memory of 1640	1524	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe	30
PID 1524 wrote to memory of 1640	1524	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe	30
PID 1524 wrote to memory of 2056	1524	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe	31
PID 1524 wrote to memory of 2056	1524	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe	31
PID 1524 wrote to memory of 2056	1524	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe	31
PID 1524 wrote to memory of 2056	1524	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe	31
PID 1524 wrote to memory of 2056	1524	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe	31
PID 1524 wrote to memory of 2056	1524	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe	31
PID 1524 wrote to memory of 2168	1524	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe	32
PID 1524 wrote to memory of 2168	1524	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe	32
PID 1524 wrote to memory of 2168	1524	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe	32
PID 1524 wrote to memory of 2168	1524	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe	32
PID 1524 wrote to memory of 1820	1524	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe	33
PID 1524 wrote to memory of 1820	1524	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe	33
PID 1524 wrote to memory of 1820	1524	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe	33
PID 1524 wrote to memory of 1820	1524	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe	33
PID 1524 wrote to memory of 1820	1524	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe	33
PID 1524 wrote to memory of 1820	1524	660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\660c9f6423af0b5904795c35918bfc1d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Users\Admin\AppData\Local\Temp\0.exe
  C:\Users\Admin\AppData\Local\Temp\0.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1640
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2056
- C:\Windows\SysWOW64\explorer.exe
  persistencecmd 2056 "C:\141-145049033-12-5-1-S\S-1-5-21-330940541-141.exe"
  2⤵
  PID:2168
- C:\Windows\SysWOW64\explorer.exe
  persistencecmd 2056 "C:\141-145049033-12-5-1-S\S-1-5-21-330940541-141.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\0.exe

Filesize
1.6MB

MD5
130c5d73a3b905c3fac420a38cd3fa2e

SHA1
bc2c7ef8e28a9e3f6fda450c332d305496b07ce7

SHA256
e12d2bd8e991ad1d5746ced8a8db8e13916f4fc04686ec8e599090b6ead411e0

SHA512
1b7b44bcec635c6ee4aa770833085de098d37f6cfe93473fd1dbe714f7d097d5cf9e1aab79a7c037012c8f9f59fe9d03ba54f118d6aa384a9e792e50e551b0bd

Download Submit
\Users\Admin\AppData\Local\Temp\ScintillaNET\3.6.3\x86\SciLexer.dll

Filesize
943KB

MD5
2ff7acfa80647ee46cc3c0e446327108

SHA1
c994820d03af722c244b046d1ee0967f1b5bc478

SHA256
08f0cbbc5162f236c37166772be2c9b8ffd465d32df17ea9d45626c4ed2c911d

SHA512
50a9e20c5851d3a50f69651bc770885672ff4f97de32dfda55bf7488abd39a11e990525ec9152d250072acaad0c12a484155c31083d751668eb01addea5570cd

Download Submit
memory/1524-1-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1524-3-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1524-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1640-30-0x00000000748EE000-0x00000000748EF000-memory.dmp

Filesize
4KB

Download
memory/1640-33-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/1640-19-0x0000000000320000-0x0000000000358000-memory.dmp

Filesize
224KB

Download
memory/1640-20-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/1640-21-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/1640-22-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/1640-23-0x0000000006E40000-0x0000000006F96000-memory.dmp

Filesize
1.3MB

Download
memory/1640-18-0x00000000012C0000-0x000000000145A000-memory.dmp

Filesize
1.6MB

Download
memory/1640-27-0x00000000076B0000-0x0000000007738000-memory.dmp

Filesize
544KB

Download
memory/1640-16-0x00000000748EE000-0x00000000748EF000-memory.dmp

Filesize
4KB

Download
memory/1640-31-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/1820-50-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1820-55-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1820-43-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1820-44-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1820-47-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2056-39-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2056-49-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2056-42-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2056-40-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2056-17-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2056-38-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2056-53-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2056-37-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads