babylonrat | 7d0b4123925f27b39f6fa807c5cbe5503a7076d44402f9a1ced682e4b9007c52

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

676468f314fed40a1151d580e98226c7_JaffaCakes118.exe
Size

566KB
MD5

676468f314fed40a1151d580e98226c7
SHA1

65d7707909da6e4d2f7aca130e273613efc2e121
SHA256

7d0b4123925f27b39f6fa807c5cbe5503a7076d44402f9a1ced682e4b9007c52
SHA512

33ca83d85f9e692707d9225af75115c71cc286eaebf3289af5b88ad2c6f79873785e42d8575628389b9f9a11dbeda4649755cd44a4b046bae66a6b5076b8c470
SSDEEP

6144:ZP5sIpfoSB6e/uwxkWaXYikTEuj81k1K4np8c2tcQjvyBW9UCZY1geSgX3RrEOuX:ZOIpfZmbXYiLqk4Sc2R6BRxcAEYj8n1X

Score

10^/10

babylonrat trojan upx

Malware Config

Extracted

Family

babylonrat

rdp.netpipe.xyz

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	676468f314fed40a1151d580e98226c7_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	netprotocol.exe

Executes dropped EXE 2 IoCs

pid	Process
4356	netprotocol.exe
4308	netprotocol.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4308-27-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/4308-33-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/4308-314-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/4308-328-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4356 set thread context of 4308	4356	netprotocol.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	676468f314fed40a1151d580e98226c7_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	676468f314fed40a1151d580e98226c7_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	676468f314fed40a1151d580e98226c7_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe
4356	netprotocol.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4308	netprotocol.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4356	netprotocol.exe
Token: SeShutdownPrivilege	4308	netprotocol.exe
Token: SeDebugPrivilege	4308	netprotocol.exe
Token: SeTcbPrivilege	4308	netprotocol.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4308	netprotocol.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 4356	3596	676468f314fed40a1151d580e98226c7_JaffaCakes118.exe	94
PID 3596 wrote to memory of 4356	3596	676468f314fed40a1151d580e98226c7_JaffaCakes118.exe	94
PID 3596 wrote to memory of 4356	3596	676468f314fed40a1151d580e98226c7_JaffaCakes118.exe	94
PID 4356 wrote to memory of 2764	4356	netprotocol.exe	98
PID 4356 wrote to memory of 2764	4356	netprotocol.exe	98
PID 4356 wrote to memory of 2764	4356	netprotocol.exe	98
PID 2764 wrote to memory of 4488	2764	cmd.exe	100
PID 2764 wrote to memory of 4488	2764	cmd.exe	100
PID 2764 wrote to memory of 4488	2764	cmd.exe	100
PID 4356 wrote to memory of 4308	4356	netprotocol.exe	101
PID 4356 wrote to memory of 4308	4356	netprotocol.exe	101
PID 4356 wrote to memory of 4308	4356	netprotocol.exe	101
PID 4356 wrote to memory of 4308	4356	netprotocol.exe	101
PID 4356 wrote to memory of 4308	4356	netprotocol.exe	101
PID 4356 wrote to memory of 4308	4356	netprotocol.exe	101
PID 4356 wrote to memory of 4308	4356	netprotocol.exe	101

C:\Users\Admin\AppData\Local\Temp\676468f314fed40a1151d580e98226c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\676468f314fed40a1151d580e98226c7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -n
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f
      4⤵
      PID:4488
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_408BF57CFB22C8CE7202361683829F8C

Filesize
1KB

MD5
b6a068593e0aefcec1ac11570a345e4d

SHA1
bf91ee7b84937e0af592599cb60c564d35a83b47

SHA256
15eadffeaa41d852b46f9cc2d1ae65ae17fcf190cb3211319cdb98016825e7d3

SHA512
a717b414d1aea61f84d47c48c6f62dce75f5cc2667c2332d3a86832336bbdb3edf3449649f21a8c670e695c6a69dc8546e39826b359b872aba1e6e28bc257cf9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_408BF57CFB22C8CE7202361683829F8C

Filesize
404B

MD5
eb1a7089acb30d530db4d7c440241047

SHA1
ed7588650ef38546612c16faba34105c98b4a41c

SHA256
3f7256696c667bec06a27cf8e683b954d0502bca24483462d8a3a047363b9a3d

SHA512
340291d7763753e304444e0681d788d7500d1e8a7da88b4fc08b2338e336342b3435d794b50ce41e16f4db12b694b4e6632cc23a610583889053148b043dc7c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe

Filesize
566KB

MD5
676468f314fed40a1151d580e98226c7

SHA1
65d7707909da6e4d2f7aca130e273613efc2e121

SHA256
7d0b4123925f27b39f6fa807c5cbe5503a7076d44402f9a1ced682e4b9007c52

SHA512
33ca83d85f9e692707d9225af75115c71cc286eaebf3289af5b88ad2c6f79873785e42d8575628389b9f9a11dbeda4649755cd44a4b046bae66a6b5076b8c470

Download Submit
memory/3596-0-0x0000000075092000-0x0000000075093000-memory.dmp

Filesize
4KB

Download
memory/3596-22-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/3596-2-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/3596-1-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/4308-27-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4308-33-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4308-314-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4308-328-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4356-25-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/4356-26-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/4356-323-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download