Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64  arch:x86  image:win7-20240508-en  locale:en-us  os:windows7-x64  system
  • submitted
    24-05-2024 15:18

General

  • Target

    6ef46b3ee72c052c845d51607af3f171_JaffaCakes118.exe

  • Size

    835KB

  • MD5

    6ef46b3ee72c052c845d51607af3f171

  • SHA1

    68734412ae23efc6143e422d440f0342cbbff870

  • SHA256

    b7170d09345e05d8147692c74b3b8790a943b5d062d4a6cea85b3fdbb8245624

  • SHA512

    adead4473234c090069c1f474602f9677e6c1fa201a6a963826fcaaa1745cdce134ac7392a63f3b1a60ba1a30de07bb16346ec65f8516600a6bced682ac73e24

  • SSDEEP

    12288:P/CNO27MmI+xURXPeXEquGIwlXoD5H5Lo5hNpa:P/ccnlRf3El6B5L

Malware Config

Signatures

  • Babylon RAT

    Babylon RAT is a remote access trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
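The UPX signature above keys on cheap static indicators that an analyst can reproduce without the sandbox. The following is an added example, not code from this page, from the Triage product or from UPX itself: a minimal PE section-table parser plus three heuristics (section names starting with "UPX", the "UPX!" packheader marker in the header area, and a section with near-maximal byte entropy). The two PE images it runs on are constructed inline for the demo; the offsets of the marker search and the 7.5-bit entropy threshold are assumptions, and a modified UPX build that renames sections and strips the marker will only trip the entropy check, which says "compressed or encrypted", not "UPX".

```python
"""UPX packing heuristics over an in-memory PE image (added example).

Not code from the sandbox page or from UPX. The PE images at the bottom
are constructed for the demo and are not real binaries from the report.
"""
import math
import random
import struct

PE_SIG = b"PE\0\0"
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
HIGH_ENTROPY = 7.5                   # assumed threshold, bits per byte (max 8.0)


def parse_sections(data: bytes):
    """Return [(name, raw_offset, raw_size)] or [] if the headers are malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIG or e_lfanew + 24 > len(data):
        return []
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsec):
        off = table + i * 40
        if off + 40 > len(data):
            break
        name, _vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_HEADER_FMT, data, off)
        out.append((name.rstrip(b"\0"), raw_ptr, raw_size))
    return out


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; 8.0 is the maximum, reached by uniformly random data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def upx_indicators(data: bytes) -> dict:
    """Combine the three heuristics into a verdict; "likely" is the strongest claim made."""
    secs = parse_sections(data)
    # Header region = everything before the first section with raw data; the
    # marker search is limited to it so section contents cannot trigger it.
    header_end = min((ptr for _, ptr, size in secs if size), default=len(data))
    entropies = [shannon_entropy(data[ptr:ptr + size]) for _, ptr, size in secs if size]
    upx_names = [name for name, _, _ in secs if name.startswith(b"UPX")]
    marker = b"UPX!" in data[:header_end]
    max_entropy = max(entropies, default=0.0)
    if upx_names or marker:
        verdict = "likely UPX-packed"
    elif max_entropy > HIGH_ENTROPY:
        verdict = "packed or encrypted, packer unknown"
    else:
        verdict = "no packing indicators"
    return {"upx_sections": upx_names, "upx_marker": marker,
            "max_entropy": round(max_entropy, 2), "verdict": verdict}


def build_pe(sections, marker: bytes = b"") -> bytes:
    """Construct a minimal PE32 image with the given (name, raw bytes) sections.
    Constructed demo input only; it has no code and will not execute."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")
    hdr_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections) + len(marker)
    raw_base = (hdr_len + 0x1FF) & ~0x1FF  # 0x200 file alignment
    table, blobs = b"", b""
    for name, raw in sections:
        ptr = raw_base + len(blobs) if raw else 0
        table += struct.pack(SECTION_HEADER_FMT, name, len(raw), 0x1000, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        blobs += raw
    header = (dos + PE_SIG + coff + opt + table + marker).ljust(raw_base, b"\0")
    return header + blobs


# Constructed samples: a UPX-shaped image (empty UPX0, pseudorandom UPX1, marker)
# and a plain one. Seeded PRNG keeps the entropy result reproducible.
_rng = random.Random(1)
PACKED = build_pe([(b"UPX0", b""), (b"UPX1", _rng.randbytes(4096)), (b".rsrc", b"\0" * 512)],
                  marker=b"UPX!")
CLEAN = build_pe([(b".text", b"\x90" * 2048 + b"\xc3"), (b".data", b"client33.exe\0" * 64)])

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("clean", CLEAN)):
        print(label, upx_indicators(img))
```

Run it on a real file with `upx_indicators(open(path, "rb").read())`; the section list alone is useful for a quick look at names and raw sizes before unpacking.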

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ef46b3ee72c052c845d51607af3f171_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6ef46b3ee72c052c845d51607af3f171_JaffaCakes118.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\6ef46b3ee72c052c845d51607af3f171_JaffaCakes118.exe" "C:\Users\Admin\Documents\client33.exe"
      2⤵
      PID:2568
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\Documents\client33.exe"
      2⤵
      PID:2824

  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2472
    • C:\Users\Admin\Documents\client33.exe
      "C:\Users\Admin\Documents\client33.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Users\Admin\Documents\client33.exe
        "C:\Users\Admin\Documents\client33.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:760
        • C:\ProgramData\Babylon RAT\client12.exe
          "C:\ProgramData\Babylon RAT\client12.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1016
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c copy "C:\ProgramData\Babylon RAT\client12.exe" "C:\Users\Admin\Documents\client33.exe"
            5⤵
            PID:2916
          • C:\Windows\SysWOW64\explorer.exe
            "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\Documents\client33.exe"
            5⤵
            PID:2304

  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    PID:2704
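Three things in the tree above are worth turning into rules. The sample (PID 1644) copies itself to Documents\client33.exe with cmd.exe and then asks explorer.exe to open that path; the copy (PID 2372) then shows up under a different, top-level explorer.exe instance (PID 2472), so the dropper is no longer its parent; and client33.exe, which is flagged for SetThreadContext, starts a second client33.exe (PID 760), the usual shape of process hollowing, after which client12.exe repeats the copy-and-launch. The following is an added example, not code from this page or from the Triage product: it encodes those three observations as heuristics over process records transcribed from the tree (parent PIDs read from the nesting, top-level processes given parent None). The regexes for the copy and launch command lines are assumptions written for the forms seen here.

```python
"""Process-tree heuristics for drop-and-relaunch, detached launch via
explorer.exe, and self-spawn (added example; not the sandbox's own logic)."""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6ef46b3ee72c052c845d51607af3f171_JaffaCakes118.exe"
CLIENT33 = r"C:\Users\Admin\Documents\client33.exe"
CLIENT12 = r"C:\ProgramData\Babylon RAT\client12.exe"
FACTORY = r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None for a top-level process in the report
    image: str
    cmdline: str


def q(path: str) -> str:
    return f'"{path}"'


# Transcribed from the process tree on this page.
PROCS = [
    Proc(1644, None, SAMPLE, q(SAMPLE)),
    Proc(2568, 1644, r"C:\Windows\SysWOW64\cmd.exe",
         f'"C:\\Windows\\System32\\cmd.exe" /c copy {q(SAMPLE)} {q(CLIENT33)}'),
    Proc(2824, 1644, r"C:\Windows\SysWOW64\explorer.exe",
         f'"C:\\Windows\\System32\\explorer.exe" /c, {q(CLIENT33)}'),
    Proc(2472, None, r"C:\Windows\explorer.exe", FACTORY),
    Proc(2372, 2472, CLIENT33, q(CLIENT33)),
    Proc(760, 2372, CLIENT33, q(CLIENT33)),
    Proc(1016, 760, CLIENT12, q(CLIENT12)),
    Proc(2916, 1016, r"C:\Windows\SysWOW64\cmd.exe",
         f'"C:\\Windows\\System32\\cmd.exe" /c copy {q(CLIENT12)} {q(CLIENT33)}'),
    Proc(2304, 1016, r"C:\Windows\SysWOW64\explorer.exe",
         f'"C:\\Windows\\System32\\explorer.exe" /c, {q(CLIENT33)}'),
    Proc(2704, None, r"C:\Windows\explorer.exe", FACTORY),
]

# Assumed command-line shapes, matching the forms seen in this report.
COPY_RE = re.compile(r'/c\s+copy\s+"([^"]+)"\s+"([^"]+)"', re.IGNORECASE)
EXPLORER_LAUNCH_RE = re.compile(r'/c,\s*"([^"]+)"', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def drop_and_relaunch(procs):
    """(parent pid, source, destination) where a child cmd.exe copies a file and a
    sibling explorer.exe is told to open the copy."""
    by_parent = {}
    for p in procs:
        by_parent.setdefault(p.ppid, []).append(p)
    hits = []
    for p in procs:
        m = COPY_RE.search(p.cmdline) if basename(p.image) == "cmd.exe" else None
        if not m:
            continue
        src, dst = m.groups()
        for sib in by_parent.get(p.ppid, []):
            lm = EXPLORER_LAUNCH_RE.search(sib.cmdline) if basename(sib.image) == "explorer.exe" else None
            if lm and lm.group(1).lower() == dst.lower():
                hits.append((p.ppid, src, dst))
    return hits


def detached_launches(procs):
    """(target pid, actual parent pid) where a path handed to explorer.exe "/c,"
    runs under an explorer.exe other than the one that was asked to launch it,
    which breaks the parent link back to the dropper."""
    by_pid = {p.pid: p for p in procs}
    launchers = {}
    for p in procs:
        m = EXPLORER_LAUNCH_RE.search(p.cmdline) if basename(p.image) == "explorer.exe" else None
        if m:
            launchers.setdefault(m.group(1).lower(), set()).add(p.pid)
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        pids = launchers.get(p.image.lower())
        if pids and parent and parent.pid not in pids and basename(parent.image) == "explorer.exe":
            hits.append((p.pid, parent.pid))
    return hits


def self_spawn(procs):
    """(parent pid, child pid) where a process starts its own image again; with
    SetThreadContext on the parent this is the classic hollowing pattern."""
    by_pid = {p.pid: p for p in procs}
    return [(p.ppid, p.pid) for p in procs
            if p.ppid in by_pid and by_pid[p.ppid].image.lower() == p.image.lower()]


if __name__ == "__main__":
    print("drop-and-relaunch:", drop_and_relaunch(PROCS))
    print("detached launches:", detached_launches(PROCS))
    print("self-spawn:", self_spawn(PROCS))
```

With real telemetry (Sysmon event 1 or EDR process-create records) the only change is how PROCS is populated; the three functions expect nothing beyond pid, parent pid, image path and command line. Note that without timestamps `detached_launches` cannot tell which of two identical explorer.exe launches (PIDs 2824 and 2304 here) produced a given child, so it reports the child once against its actual parent.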

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Documents\client33.exe
    Filesize

    835KB

    MD5

    6ef46b3ee72c052c845d51607af3f171

    SHA1

    68734412ae23efc6143e422d440f0342cbbff870

    SHA256

    b7170d09345e05d8147692c74b3b8790a943b5d062d4a6cea85b3fdbb8245624

    SHA512

    adead4473234c090069c1f474602f9677e6c1fa201a6a963826fcaaa1745cdce134ac7392a63f3b1a60ba1a30de07bb16346ec65f8516600a6bced682ac73e24

  • memory/760-13-0x0000000000400000-0x00000000004C9000-memory.dmp
    Filesize

    804KB

  • memory/760-11-0x0000000000400000-0x00000000004C9000-memory.dmp
    Filesize

    804KB

  • memory/760-14-0x0000000000400000-0x00000000004C9000-memory.dmp
    Filesize

    804KB

  • memory/1016-22-0x00000000011A0000-0x0000000001276000-memory.dmp
    Filesize

    856KB

  • memory/1644-2-0x0000000000950000-0x000000000097C000-memory.dmp
    Filesize

    176KB

  • memory/1644-3-0x0000000074BA0000-0x000000007528E000-memory.dmp
    Filesize

    6.9MB

  • memory/1644-4-0x0000000074BA0000-0x000000007528E000-memory.dmp
    Filesize

    6.9MB

  • memory/1644-7-0x0000000074BA0000-0x000000007528E000-memory.dmp
    Filesize

    6.9MB

  • memory/1644-1-0x00000000010E0000-0x00000000011B6000-memory.dmp
    Filesize

    856KB

  • memory/1644-0-0x0000000074BAE000-0x0000000074BAF000-memory.dmp
    Filesize

    4KB

  • memory/2372-10-0x0000000001070000-0x0000000001146000-memory.dmp
    Filesize

    856KB

  • memory/2704-23-0x0000000003D10000-0x0000000003D20000-memory.dmp
    Filesize

    64KB