babylonrat | f518273b14ab2b0e07cfa5b9ed5413c2a26b5f7e6a4e5d24c708d5b6394abc33

General

Target

86cb9c73d746f1602cbe7e061dd7a8c7_JaffaCakes118.exe
Size

1.1MB
MD5

86cb9c73d746f1602cbe7e061dd7a8c7
SHA1

10dc3e0da4ecebea76a0365450f937ac62f172a6
SHA256

f518273b14ab2b0e07cfa5b9ed5413c2a26b5f7e6a4e5d24c708d5b6394abc33
SHA512

ca80644c1a819ed97d484b919a988d2b97b30d8536d7d68d12b40fc6b94dbf04d755a19b8a2d3087051ae9d513c5b66ef04316c6a443a4ef7179c676e465a620
SSDEEP

24576:qX513iwo/WpyCv14BLJ3BcGdW1y2Cp+PkhlSpIm:o5oCYLJu31zC+XS

Score

10^/10

babylonrat trojan

Malware Config

Extracted

Family

babylonrat

C2

funguz.duckdns.org

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	86cb9c73d746f1602cbe7e061dd7a8c7_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
2100	gering.exe
2676	gering.exe
2644	gering.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
2856	2100	WerFault.exe	99
2156	2100	WerFault.exe	99
3444	2676	WerFault.exe	107
2576	2676	WerFault.exe	107
3044	2644	WerFault.exe	119
3288	2644	WerFault.exe	119

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2796	schtasks.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2100	gering.exe
Token: SeDebugPrivilege	2100	gering.exe
Token: SeTcbPrivilege	2100	gering.exe
Token: SeShutdownPrivilege	2676	gering.exe
Token: SeDebugPrivilege	2676	gering.exe
Token: SeTcbPrivilege	2676	gering.exe
Token: SeShutdownPrivilege	2644	gering.exe
Token: SeDebugPrivilege	2644	gering.exe
Token: SeTcbPrivilege	2644	gering.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2020	86cb9c73d746f1602cbe7e061dd7a8c7_JaffaCakes118.exe
2100	gering.exe
2100	gering.exe
2676	gering.exe
2676	gering.exe
2644	gering.exe
2644	gering.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2796	2020	86cb9c73d746f1602cbe7e061dd7a8c7_JaffaCakes118.exe	93
PID 2020 wrote to memory of 2796	2020	86cb9c73d746f1602cbe7e061dd7a8c7_JaffaCakes118.exe	93
PID 2020 wrote to memory of 2796	2020	86cb9c73d746f1602cbe7e061dd7a8c7_JaffaCakes118.exe	93
PID 2020 wrote to memory of 1556	2020	86cb9c73d746f1602cbe7e061dd7a8c7_JaffaCakes118.exe	97
PID 2020 wrote to memory of 1556	2020	86cb9c73d746f1602cbe7e061dd7a8c7_JaffaCakes118.exe	97
PID 2020 wrote to memory of 1556	2020	86cb9c73d746f1602cbe7e061dd7a8c7_JaffaCakes118.exe	97

C:\Users\Admin\AppData\Local\Temp\86cb9c73d746f1602cbe7e061dd7a8c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\86cb9c73d746f1602cbe7e061dd7a8c7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "schizophyta" /TR "C:\Users\Admin\AppData\Roaming\gering.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2796
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /run /tn "schizophyta"
  2⤵
  PID:1556

C:\Users\Admin\AppData\Roaming\gering.exe
C:\Users\Admin\AppData\Roaming\gering.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1000
  2⤵
  - Program crash
  PID:2856
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1008
  2⤵
  - Program crash
  PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2100 -ip 2100
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2100 -ip 2100
1⤵
PID:1036

C:\Users\Admin\AppData\Roaming\gering.exe
C:\Users\Admin\AppData\Roaming\gering.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2676
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 964
  2⤵
  - Program crash
  PID:3444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1068
  2⤵
  - Program crash
  PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2676 -ip 2676
1⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2676 -ip 2676
1⤵
PID:2228

C:\Users\Admin\AppData\Roaming\gering.exe
C:\Users\Admin\AppData\Roaming\gering.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 972
  2⤵
  - Program crash
  PID:3044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 980
  2⤵
  - Program crash
  PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2644 -ip 2644
1⤵
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2644 -ip 2644
1⤵
PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\gering.exe

Filesize
1.1MB

MD5
0a7befe3f3a060206874b8a863df12ba

SHA1
557b8a035844556e191f9fbfcffe1a37f8e2961e

SHA256
9c53793c6ba4a87f71a1a4bbb743472da0e5e04bc7859a5e79d5b3489cd3c1d4

SHA512
4d31beb41aa9cb3cda3ff9c7f151f7c851ec59cc9bb9365e74725398d26885287158f67d5b5fce319d6c0ad5daf29dccf4e1ef530d717852c72182ef20d4568e

Download Submit
memory/2020-2-0x00000000777C1000-0x00000000778E1000-memory.dmp

Filesize
1.1MB

Download
memory/2100-15-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2100-12-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2100-14-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2100-13-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2100-10-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2100-9-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2100-11-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2644-36-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2644-39-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2644-38-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2644-37-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2644-35-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2676-23-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2676-27-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2676-26-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2676-24-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads