babylonrat | f518273b14ab2b0e07cfa5b9ed5413c2a26b5f7e6a4e5d24c708d5b6394abc33

Analysis

max time kernel
147s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31-05-2024 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86cb9c73d746f1602cbe7e061dd7a8c7_JaffaCakes118.exe
Size

1.1MB
MD5

86cb9c73d746f1602cbe7e061dd7a8c7
SHA1

10dc3e0da4ecebea76a0365450f937ac62f172a6
SHA256

f518273b14ab2b0e07cfa5b9ed5413c2a26b5f7e6a4e5d24c708d5b6394abc33
SHA512

ca80644c1a819ed97d484b919a988d2b97b30d8536d7d68d12b40fc6b94dbf04d755a19b8a2d3087051ae9d513c5b66ef04316c6a443a4ef7179c676e465a620
SSDEEP

24576:qX513iwo/WpyCv14BLJ3BcGdW1y2Cp+PkhlSpIm:o5oCYLJu31zC+XS

Score

10^/10

babylonrat trojan

Malware Config

Extracted

Family

babylonrat

funguz.duckdns.org

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

Executes dropped EXE 1 IoCs

pid	Process
2428	gering.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2116	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2428	gering.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2428	gering.exe
Token: SeDebugPrivilege	2428	gering.exe
Token: SeTcbPrivilege	2428	gering.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1548	86cb9c73d746f1602cbe7e061dd7a8c7_JaffaCakes118.exe
2428	gering.exe
2428	gering.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2428	gering.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 2116	1548	86cb9c73d746f1602cbe7e061dd7a8c7_JaffaCakes118.exe	28
PID 1548 wrote to memory of 2116	1548	86cb9c73d746f1602cbe7e061dd7a8c7_JaffaCakes118.exe	28
PID 1548 wrote to memory of 2116	1548	86cb9c73d746f1602cbe7e061dd7a8c7_JaffaCakes118.exe	28
PID 1548 wrote to memory of 2116	1548	86cb9c73d746f1602cbe7e061dd7a8c7_JaffaCakes118.exe	28
PID 1548 wrote to memory of 2708	1548	86cb9c73d746f1602cbe7e061dd7a8c7_JaffaCakes118.exe	30
PID 1548 wrote to memory of 2708	1548	86cb9c73d746f1602cbe7e061dd7a8c7_JaffaCakes118.exe	30
PID 1548 wrote to memory of 2708	1548	86cb9c73d746f1602cbe7e061dd7a8c7_JaffaCakes118.exe	30
PID 1548 wrote to memory of 2708	1548	86cb9c73d746f1602cbe7e061dd7a8c7_JaffaCakes118.exe	30
PID 2576 wrote to memory of 2428	2576	taskeng.exe	33
PID 2576 wrote to memory of 2428	2576	taskeng.exe	33
PID 2576 wrote to memory of 2428	2576	taskeng.exe	33
PID 2576 wrote to memory of 2428	2576	taskeng.exe	33

C:\Users\Admin\AppData\Local\Temp\86cb9c73d746f1602cbe7e061dd7a8c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\86cb9c73d746f1602cbe7e061dd7a8c7_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "schizophyta" /TR "C:\Users\Admin\AppData\Roaming\gering.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2116
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /run /tn "schizophyta"
  2⤵
  PID:2708

C:\Windows\system32\taskeng.exe
taskeng.exe {AF6C032D-D5E7-4BCD-BE69-E4F9D456C7F6} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Users\Admin\AppData\Roaming\gering.exe
  C:\Users\Admin\AppData\Roaming\gering.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage
  PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\gering.exe

Filesize
1.1MB

MD5
0a7befe3f3a060206874b8a863df12ba

SHA1
557b8a035844556e191f9fbfcffe1a37f8e2961e

SHA256
9c53793c6ba4a87f71a1a4bbb743472da0e5e04bc7859a5e79d5b3489cd3c1d4

SHA512
4d31beb41aa9cb3cda3ff9c7f151f7c851ec59cc9bb9365e74725398d26885287158f67d5b5fce319d6c0ad5daf29dccf4e1ef530d717852c72182ef20d4568e

Download Submit
memory/1548-2-0x0000000077B80000-0x0000000077C56000-memory.dmp

Filesize
856KB

Download
memory/2428-8-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2428-11-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2428-10-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2428-9-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2428-12-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2428-14-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads