asyncrat | acdef12ec35b82f310c535d3cf08f81d60f1090a25e243772ac5086992104421

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe
Size

201KB
MD5

8649b3ac9b90053ac5af0be11e65878b
SHA1

067abf2e195182fd9d69261f0076085712dad208
SHA256

acdef12ec35b82f310c535d3cf08f81d60f1090a25e243772ac5086992104421
SHA512

a338323ea66a858031ff043f02836686d4e1a6b196f1dea7155ad0ffe1dfa3d4c8b55476e01d93694c6361c02839bfa770bebdcc8e5cc7d0877a377eaf4c54b0
SSDEEP

3072:1QbYxbEV2AyO4slPqCM4saRROeFDcTZaASvPiyolAmJuLIKXlwXAMKhot8ZCzz:1QbGb6t7QSvKpgnl8o98z

Score

10^/10

asyncrat bless my hands lord persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

BLESS MY HANDS LORD

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/mQ1Zp6VA

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

dfgdjgettyjhmdtetyj.exeAddInProcess32.exe

pid process

4980 dfgdjgettyjhmdtetyj.exe
1356 AddInProcess32.exe
Loads dropped DLL 2 IoCs

Processes:

8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exedfgdjgettyjhmdtetyj.exe

pid process

736 8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe
4980 dfgdjgettyjhmdtetyj.exe

pid	process
4980	dfgdjgettyjhmdtetyj.exe
1356	AddInProcess32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnbndgcdfkg = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\dfgdjgettyjhmdtetyj.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service
T1102

Processes:

flow ioc

73 pastebin.com
69 pastebin.com
71 pastebin.com
72 pastebin.com
70 pastebin.com
74 pastebin.com
64 pastebin.com
65 pastebin.com
68 pastebin.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

dfgdjgettyjhmdtetyj.exe

description pid process target process

PID 4980 set thread context of 1356 4980 dfgdjgettyjhmdtetyj.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
73	pastebin.com
69	pastebin.com
71	pastebin.com
72	pastebin.com
70	pastebin.com
74	pastebin.com
64	pastebin.com
65	pastebin.com
68	pastebin.com

description	pid	process	target process
PID 4980 set thread context of 1356	4980	dfgdjgettyjhmdtetyj.exe	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exedfgdjgettyjhmdtetyj.exe

pid	process
736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe
736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe
736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe
736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe
736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe
736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe
736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe
736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe
736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe
736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe
736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe
736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe
736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe
736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe
736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe
736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe
736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe
736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe
736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe
736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe
736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe
736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe
4980	dfgdjgettyjhmdtetyj.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exedfgdjgettyjhmdtetyj.exeAddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe
Token: SeDebugPrivilege	4980	dfgdjgettyjhmdtetyj.exe
Token: SeDebugPrivilege	1356	AddInProcess32.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.execmd.exedfgdjgettyjhmdtetyj.exe

description	pid	process	target process
PID 736 wrote to memory of 3400	736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe	cmd.exe
PID 736 wrote to memory of 3400	736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe	cmd.exe
PID 736 wrote to memory of 3400	736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe	cmd.exe
PID 3400 wrote to memory of 4372	3400	cmd.exe	reg.exe
PID 3400 wrote to memory of 4372	3400	cmd.exe	reg.exe
PID 3400 wrote to memory of 4372	3400	cmd.exe	reg.exe
PID 736 wrote to memory of 4980	736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe	dfgdjgettyjhmdtetyj.exe
PID 736 wrote to memory of 4980	736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe	dfgdjgettyjhmdtetyj.exe
PID 736 wrote to memory of 4980	736	8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe	dfgdjgettyjhmdtetyj.exe
PID 4980 wrote to memory of 1356	4980	dfgdjgettyjhmdtetyj.exe	AddInProcess32.exe
PID 4980 wrote to memory of 1356	4980	dfgdjgettyjhmdtetyj.exe	AddInProcess32.exe
PID 4980 wrote to memory of 1356	4980	dfgdjgettyjhmdtetyj.exe	AddInProcess32.exe
PID 4980 wrote to memory of 1356	4980	dfgdjgettyjhmdtetyj.exe	AddInProcess32.exe
PID 4980 wrote to memory of 1356	4980	dfgdjgettyjhmdtetyj.exe	AddInProcess32.exe
PID 4980 wrote to memory of 1356	4980	dfgdjgettyjhmdtetyj.exe	AddInProcess32.exe
PID 4980 wrote to memory of 1356	4980	dfgdjgettyjhmdtetyj.exe	AddInProcess32.exe
PID 4980 wrote to memory of 1356	4980	dfgdjgettyjhmdtetyj.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8649b3ac9b90053ac5af0be11e65878b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:736
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v cnbndgcdfkg /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\dfgdjgettyjhmdtetyj.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v cnbndgcdfkg /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\dfgdjgettyjhmdtetyj.exe"
    3⤵
    - Adds Run key to start application
    PID:4372
- C:\Users\Admin\AppData\Roaming\dfgdjgettyjhmdtetyj.exe
  "C:\Users\Admin\AppData\Roaming\dfgdjgettyjhmdtetyj.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Filesize
42KB

MD5
9827ff3cdf4b83f9c86354606736ca9c

SHA1
e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

SHA256
c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

SHA512
8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

Download Submit
C:\Users\Admin\AppData\Local\Temp\b438b2b2-a27d-417f-8ec9-625540b311a1\g.dll

Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
C:\Users\Admin\AppData\Roaming\dfgdjgettyjhmdtetyj.exe

Filesize
201KB

MD5
8649b3ac9b90053ac5af0be11e65878b

SHA1
067abf2e195182fd9d69261f0076085712dad208

SHA256
acdef12ec35b82f310c535d3cf08f81d60f1090a25e243772ac5086992104421

SHA512
a338323ea66a858031ff043f02836686d4e1a6b196f1dea7155ad0ffe1dfa3d4c8b55476e01d93694c6361c02839bfa770bebdcc8e5cc7d0877a377eaf4c54b0

Download Submit
memory/736-0-0x00000000751FE000-0x00000000751FF000-memory.dmp

Filesize
4KB

Download
memory/736-1-0x0000000000510000-0x0000000000548000-memory.dmp

Filesize
224KB

Download
memory/736-2-0x0000000004E10000-0x0000000004E34000-memory.dmp

Filesize
144KB

Download
memory/736-65-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-73-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-71-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-67-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-63-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-61-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-57-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-55-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-53-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-49-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-47-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-45-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-41-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-39-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-37-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-33-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-31-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-30-0x00000000751F0000-0x00000000759A0000-memory.dmp

Filesize
7.7MB

Download
memory/736-28-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-24-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-22-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-20-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-18-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-16-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-14-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-59-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-51-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-26-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-12-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-11-0x0000000004E10000-0x0000000004E2F000-memory.dmp

Filesize
124KB

Download
memory/736-10-0x0000000073C00000-0x0000000073C89000-memory.dmp

Filesize
548KB

Download
memory/736-102-0x00000000751FE000-0x00000000751FF000-memory.dmp

Filesize
4KB

Download
memory/736-103-0x00000000751F0000-0x00000000759A0000-memory.dmp

Filesize
7.7MB

Download
memory/736-104-0x0000000005E00000-0x00000000063A4000-memory.dmp

Filesize
5.6MB

Download
memory/736-105-0x0000000005930000-0x00000000059C2000-memory.dmp

Filesize
584KB

Download
memory/736-106-0x00000000751F0000-0x00000000759A0000-memory.dmp

Filesize
7.7MB

Download
memory/736-107-0x00000000065B0000-0x00000000065F4000-memory.dmp

Filesize
272KB

Download
memory/736-110-0x00000000751F0000-0x00000000759A0000-memory.dmp

Filesize
7.7MB

Download
memory/736-122-0x00000000751F0000-0x00000000759A0000-memory.dmp

Filesize
7.7MB

Download
memory/1356-226-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4980-123-0x00000000751F0000-0x00000000759A0000-memory.dmp

Filesize
7.7MB

Download
memory/4980-217-0x00000000751F0000-0x00000000759A0000-memory.dmp

Filesize
7.7MB

Download
memory/4980-218-0x00000000751F0000-0x00000000759A0000-memory.dmp

Filesize
7.7MB

Download
memory/4980-219-0x00000000751F0000-0x00000000759A0000-memory.dmp

Filesize
7.7MB

Download
memory/4980-220-0x0000000005D50000-0x0000000005D5C000-memory.dmp

Filesize
48KB

Download
memory/4980-227-0x00000000751F0000-0x00000000759A0000-memory.dmp

Filesize
7.7MB

Download