asyncrat | 28b714bdd63520294c6e4103bf377a89b2afadad3cdf4ef0c58ccb74b78d02c7

General

Target

94b87733c688eacc477a274c06047594_JaffaCakes118.exe
Size

949KB
MD5

94b87733c688eacc477a274c06047594
SHA1

73d02d5c6714a6c3c7afe628640eca6d035d268d
SHA256

28b714bdd63520294c6e4103bf377a89b2afadad3cdf4ef0c58ccb74b78d02c7
SHA512

32e55a6fdfac93016001b142120c1affb0f9c4abcdb27c8541780a5cff9298f067adfce011e1cf5ac7e89254b86f6d51a3b8a744e3fdbe73df3b750a5414cc17
SSDEEP

12288:AQ58Gd2jEp9VsyS1izvlm2ABNTIuae8d41E:AO1p9VsySWvlPA241

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6A

C2

peacelist.ignorelist.com:7707

peacelist.ignorelist.com:8808

peacelist.ignorelist.com:5505

Mutex

FTPgbnffd

Attributes

delay
10
install
true
install_file
shost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Executes dropped EXE 2 IoCs

Processes:

shost.exeshost.exe

pid process

1884 shost.exe
2164 shost.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2264 cmd.exe

pid	process
1884	shost.exe
2164	shost.exe

pid	process
2264	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

94b87733c688eacc477a274c06047594_JaffaCakes118.exeshost.exe

description	pid	process	target process
PID 2240 set thread context of 2028	2240	94b87733c688eacc477a274c06047594_JaffaCakes118.exe	94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 1884 set thread context of 2164	1884	shost.exe	shost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2756 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1212 timeout.exe

pid	process
2756	schtasks.exe

pid	process
1212	timeout.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

94b87733c688eacc477a274c06047594_JaffaCakes118.exe94b87733c688eacc477a274c06047594_JaffaCakes118.exeshost.exeshost.exe

pid	process
2240	94b87733c688eacc477a274c06047594_JaffaCakes118.exe
2240	94b87733c688eacc477a274c06047594_JaffaCakes118.exe
2240	94b87733c688eacc477a274c06047594_JaffaCakes118.exe
2028	94b87733c688eacc477a274c06047594_JaffaCakes118.exe
2028	94b87733c688eacc477a274c06047594_JaffaCakes118.exe
1884	shost.exe
1884	shost.exe
1884	shost.exe
2164	shost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

94b87733c688eacc477a274c06047594_JaffaCakes118.exe94b87733c688eacc477a274c06047594_JaffaCakes118.exeshost.exeshost.exe

description	pid	process
Token: SeDebugPrivilege	2240	94b87733c688eacc477a274c06047594_JaffaCakes118.exe
Token: SeDebugPrivilege	2028	94b87733c688eacc477a274c06047594_JaffaCakes118.exe
Token: SeDebugPrivilege	1884	shost.exe
Token: SeDebugPrivilege	2164	shost.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

94b87733c688eacc477a274c06047594_JaffaCakes118.exe94b87733c688eacc477a274c06047594_JaffaCakes118.execmd.exeshost.exe

description	pid	process	target process
PID 2240 wrote to memory of 2028	2240	94b87733c688eacc477a274c06047594_JaffaCakes118.exe	94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 2240 wrote to memory of 2028	2240	94b87733c688eacc477a274c06047594_JaffaCakes118.exe	94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 2240 wrote to memory of 2028	2240	94b87733c688eacc477a274c06047594_JaffaCakes118.exe	94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 2240 wrote to memory of 2028	2240	94b87733c688eacc477a274c06047594_JaffaCakes118.exe	94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 2240 wrote to memory of 2028	2240	94b87733c688eacc477a274c06047594_JaffaCakes118.exe	94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 2240 wrote to memory of 2028	2240	94b87733c688eacc477a274c06047594_JaffaCakes118.exe	94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 2240 wrote to memory of 2028	2240	94b87733c688eacc477a274c06047594_JaffaCakes118.exe	94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 2240 wrote to memory of 2028	2240	94b87733c688eacc477a274c06047594_JaffaCakes118.exe	94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 2240 wrote to memory of 2028	2240	94b87733c688eacc477a274c06047594_JaffaCakes118.exe	94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 2028 wrote to memory of 2756	2028	94b87733c688eacc477a274c06047594_JaffaCakes118.exe	schtasks.exe
PID 2028 wrote to memory of 2756	2028	94b87733c688eacc477a274c06047594_JaffaCakes118.exe	schtasks.exe
PID 2028 wrote to memory of 2756	2028	94b87733c688eacc477a274c06047594_JaffaCakes118.exe	schtasks.exe
PID 2028 wrote to memory of 2756	2028	94b87733c688eacc477a274c06047594_JaffaCakes118.exe	schtasks.exe
PID 2028 wrote to memory of 2264	2028	94b87733c688eacc477a274c06047594_JaffaCakes118.exe	cmd.exe
PID 2028 wrote to memory of 2264	2028	94b87733c688eacc477a274c06047594_JaffaCakes118.exe	cmd.exe
PID 2028 wrote to memory of 2264	2028	94b87733c688eacc477a274c06047594_JaffaCakes118.exe	cmd.exe
PID 2028 wrote to memory of 2264	2028	94b87733c688eacc477a274c06047594_JaffaCakes118.exe	cmd.exe
PID 2264 wrote to memory of 1212	2264	cmd.exe	timeout.exe
PID 2264 wrote to memory of 1212	2264	cmd.exe	timeout.exe
PID 2264 wrote to memory of 1212	2264	cmd.exe	timeout.exe
PID 2264 wrote to memory of 1212	2264	cmd.exe	timeout.exe
PID 2264 wrote to memory of 1884	2264	cmd.exe	shost.exe
PID 2264 wrote to memory of 1884	2264	cmd.exe	shost.exe
PID 2264 wrote to memory of 1884	2264	cmd.exe	shost.exe
PID 2264 wrote to memory of 1884	2264	cmd.exe	shost.exe
PID 1884 wrote to memory of 2164	1884	shost.exe	shost.exe
PID 1884 wrote to memory of 2164	1884	shost.exe	shost.exe
PID 1884 wrote to memory of 2164	1884	shost.exe	shost.exe
PID 1884 wrote to memory of 2164	1884	shost.exe	shost.exe
PID 1884 wrote to memory of 2164	1884	shost.exe	shost.exe
PID 1884 wrote to memory of 2164	1884	shost.exe	shost.exe
PID 1884 wrote to memory of 2164	1884	shost.exe	shost.exe
PID 1884 wrote to memory of 2164	1884	shost.exe	shost.exe
PID 1884 wrote to memory of 2164	1884	shost.exe	shost.exe

C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240

C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'shost"' /tr "'C:\Users\Admin\AppData\Roaming\shost.exe"'
3⤵
- Creates scheduled task(s)
PID:2756

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp13EE.tmp.bat""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:1212

C:\Users\Admin\AppData\Roaming\shost.exe
"C:\Users\Admin\AppData\Roaming\shost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884

C:\Users\Admin\AppData\Roaming\shost.exe
"C:\Users\Admin\AppData\Roaming\shost.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp13EE.tmp.bat
Filesize
149B

MD5
acebd8c90a26d19d009e50c02fc9ecf7

SHA1
fd7bf8f73e24ff91ba5fe56e975cfc4afb7c9420

SHA256
3741d93740bfe659e911e0d1277ce2c68997ec27b76803c64e1a44935e154708

SHA512
366a473b02e0de83fbdf9c33ccc0ca4331af75239b886154bc5359b7cd420286e8cdbde8a064130307160bd459fcc6f16292fb998803d83bd8da058a51a6afe6

Download Submit
\Users\Admin\AppData\Roaming\shost.exe
Filesize
42.2MB

MD5
3433e524da36f061b28a3ff1caeea34d

SHA1
32c642c7b47196af2120d0ef1d6a085a214ae5f1

SHA256
d452caf37a0e32dba6e86dd9bb11da55d17945b77eec4dc09d347d5a70d101dd

SHA512
8ab1ab4ec630c67550f85255d18cc1d2db0bf68a68d78d983ae2586de7d9042843f4a1d1bccf00717733595b1e27786d44ab26f0e30825eeae8e8db4637ac328

Download Submit
memory/1884-34-0x0000000000FC0000-0x00000000010B4000-memory.dmp

Filesize
976KB

Download
memory/2028-14-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2028-18-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2028-30-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2028-6-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2028-7-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2028-8-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2028-9-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2028-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2028-12-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2028-20-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2028-17-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2164-43-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2164-53-0x0000000000080000-0x00000000000D6000-memory.dmp

Filesize
344KB

Download
memory/2164-50-0x0000000000080000-0x00000000000D6000-memory.dmp

Filesize
344KB

Download
memory/2164-46-0x0000000000080000-0x00000000000D6000-memory.dmp

Filesize
344KB

Download
memory/2240-4-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

Filesize
4KB

Download
memory/2240-19-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2240-0-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

Filesize
4KB

Download
memory/2240-3-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2240-5-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2240-2-0x00000000001B0000-0x00000000001D4000-memory.dmp

Filesize
144KB

Download
memory/2240-1-0x0000000001340000-0x0000000001434000-memory.dmp

Filesize
976KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads