babylonrat | 7dc909cd2f5c8bc69358416320010d634a0e123cf5ef5152cb6fac139b397e7e

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a8568882b188cb6262216906b127025_JaffaCakes118.exe
Size

590KB
MD5

7a8568882b188cb6262216906b127025
SHA1

bcf84768b4b9538554026da8a575a87304d4050b
SHA256

7dc909cd2f5c8bc69358416320010d634a0e123cf5ef5152cb6fac139b397e7e
SHA512

0647aa110c04718858ab06be0ef2ce03c3e8090c4b2cb8cdf55e0cf0ffe59fa9597d86de9887055a64394a38f8a8400aa30e87f379fc5e815d6551c24c7059f6
SSDEEP

12288:H24Cqbnp7/OP/6D54YQRTGkcx4v9csrXndd0:W4C8p+9f6nW1Hrw

Score

10^/10

babylonrat trojan upx

Malware Config

Extracted

Family

babylonrat

rdp.netpipe.xyz

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	7a8568882b188cb6262216906b127025_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	netprotocol.exe

Executes dropped EXE 1 IoCs

pid	Process
3868	netprotocol.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1612-28-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/1612-4975-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/1612-11867-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3868 set thread context of 1612	3868	netprotocol.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	7a8568882b188cb6262216906b127025_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	7a8568882b188cb6262216906b127025_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	7a8568882b188cb6262216906b127025_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe
3868	netprotocol.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1612	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3868	netprotocol.exe
Token: SeShutdownPrivilege	1612	RegAsm.exe
Token: SeDebugPrivilege	1612	RegAsm.exe
Token: SeTcbPrivilege	1612	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1612	RegAsm.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 3868	4760	7a8568882b188cb6262216906b127025_JaffaCakes118.exe	95
PID 4760 wrote to memory of 3868	4760	7a8568882b188cb6262216906b127025_JaffaCakes118.exe	95
PID 4760 wrote to memory of 3868	4760	7a8568882b188cb6262216906b127025_JaffaCakes118.exe	95
PID 3868 wrote to memory of 4480	3868	netprotocol.exe	96
PID 3868 wrote to memory of 4480	3868	netprotocol.exe	96
PID 3868 wrote to memory of 4480	3868	netprotocol.exe	96
PID 4480 wrote to memory of 556	4480	cmd.exe	98
PID 4480 wrote to memory of 556	4480	cmd.exe	98
PID 4480 wrote to memory of 556	4480	cmd.exe	98
PID 3868 wrote to memory of 1612	3868	netprotocol.exe	99
PID 3868 wrote to memory of 1612	3868	netprotocol.exe	99
PID 3868 wrote to memory of 1612	3868	netprotocol.exe	99
PID 3868 wrote to memory of 1612	3868	netprotocol.exe	99
PID 3868 wrote to memory of 1612	3868	netprotocol.exe	99
PID 3868 wrote to memory of 1612	3868	netprotocol.exe	99
PID 3868 wrote to memory of 1612	3868	netprotocol.exe	99

C:\Users\Admin\AppData\Local\Temp\7a8568882b188cb6262216906b127025_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7a8568882b188cb6262216906b127025_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -n
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f
      4⤵
      PID:556
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4252,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=4248 /prefetch:8
1⤵
PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_408BF57CFB22C8CE7202361683829F8C

Filesize
1KB

MD5
7759da265edb7cdb07f66657f7674bdf

SHA1
4dd6a84de3db8baf3a2fe7088881a7d0cd023bc1

SHA256
c50973d85493617126145635846a28f155a3a3571378ed6b5924eb8701b584b1

SHA512
bca66c19ba3c2f279dd985f816bc3ca20e33b59f153abc0924b131eaf6b9fed690fb3a86a7f34894ebaf2af0f0c2711755ea5941ab500e40fa055efc8e67f494

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_408BF57CFB22C8CE7202361683829F8C

Filesize
404B

MD5
7f477f9c2728aa68910f14dc91db87d2

SHA1
a309eb16fe38b83c7d82e2d6fb911bc59567f16c

SHA256
1f7029974c142efb188ef3f8f4e0b621da869d6b152fe605eea7688f159edfdb

SHA512
79bb1fa24fd18068ce14bbd9cc907ae5f0467635438144a47f48d2f387d3c14ecdfe4a2d5136c914ed09141f2148ec8d465338594ae435d08d4966493e10b3f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe

Filesize
590KB

MD5
7a8568882b188cb6262216906b127025

SHA1
bcf84768b4b9538554026da8a575a87304d4050b

SHA256
7dc909cd2f5c8bc69358416320010d634a0e123cf5ef5152cb6fac139b397e7e

SHA512
0647aa110c04718858ab06be0ef2ce03c3e8090c4b2cb8cdf55e0cf0ffe59fa9597d86de9887055a64394a38f8a8400aa30e87f379fc5e815d6551c24c7059f6

Download Submit
memory/1612-28-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1612-11867-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1612-4975-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3868-24-0x0000000075540000-0x0000000075AF1000-memory.dmp

Filesize
5.7MB

Download
memory/3868-26-0x0000000075540000-0x0000000075AF1000-memory.dmp

Filesize
5.7MB

Download
memory/3868-27-0x0000000075540000-0x0000000075AF1000-memory.dmp

Filesize
5.7MB

Download
memory/3868-9331-0x0000000075540000-0x0000000075AF1000-memory.dmp

Filesize
5.7MB

Download
memory/4760-25-0x0000000075540000-0x0000000075AF1000-memory.dmp

Filesize
5.7MB

Download
memory/4760-0-0x0000000075542000-0x0000000075543000-memory.dmp

Filesize
4KB

Download
memory/4760-2-0x0000000075540000-0x0000000075AF1000-memory.dmp

Filesize
5.7MB

Download
memory/4760-1-0x0000000075540000-0x0000000075AF1000-memory.dmp

Filesize
5.7MB

Download