General

  • Target

    6ef46b3ee72c052c845d51607af3f171_JaffaCakes118

  • Size

    835KB

  • Sample

    240524-sppmmaaf56

  • MD5

    6ef46b3ee72c052c845d51607af3f171

  • SHA1

    68734412ae23efc6143e422d440f0342cbbff870

  • SHA256

    b7170d09345e05d8147692c74b3b8790a943b5d062d4a6cea85b3fdbb8245624

  • SHA512

    adead4473234c090069c1f474602f9677e6c1fa201a6a963826fcaaa1745cdce134ac7392a63f3b1a60ba1a30de07bb16346ec65f8516600a6bced682ac73e24

  • SSDEEP

    12288:P/CNO27MmI+xURXPeXEquGIwlXoD5H5Lo5hNpa:P/ccnlRf3El6B5L

Malware Config

Targets

    • Babylon RAT

      Babylon RAT is a remote access trojan written in C++.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • UPX packed file

      Detects executables packed with the UPX open source packer or a modified UPX build.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    T1547 Boot or Logon Autostart Execution (1)
    T1547.001 Registry Run Keys / Startup Folder (1)

  • Privilege Escalation

    T1547 Boot or Logon Autostart Execution (1)
    T1547.001 Registry Run Keys / Startup Folder (1)

  • Defense Evasion

    T1112 Modify Registry (2)

  • Discovery

    T1012 Query Registry (1)
    T1082 System Information Discovery (2)

Tasks