asyncrat | 8013f920a224f6e3af1563d04210866aef0b22c145d827274befc3b4b17cecf8

General

Target

2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe
Size

475KB
MD5

2d3046668e4316eb38dfa44dd953a486
SHA1

deb76018ba4d8c1f700486804c383901923fe80c
SHA256

8013f920a224f6e3af1563d04210866aef0b22c145d827274befc3b4b17cecf8
SHA512

47fb64623c8a3488d5387edc5843a5f193a55d3310a4902bf45dc476f2bfa2473e0b675cc5aaecb90db3e67ca5fdad7d4344d81f38fadd61c5b20ea42a4e5904
SSDEEP

12288:cvwm+4SEmenH6nlLwbJUsz6hGSSt28JYivK+PAsTwChfQ:o+V4an1OWvHi3Is

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

severdops.ddns.net:6204

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
adobes.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3404	adobes.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4292 set thread context of 8	4292	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4468	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
644	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4292	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe
4292	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe
4292	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe
8	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe
8	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe
8	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe
8	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe
8	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe
8	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe
8	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe
8	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe
8	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe
8	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe
8	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe
8	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe
8	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe
8	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe
8	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe
8	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe
8	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe
3404	adobes.exe
3404	adobes.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4292	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe
Token: SeDebugPrivilege	8	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe
Token: SeDebugPrivilege	3404	adobes.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4292 wrote to memory of 8	4292	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe	89
PID 4292 wrote to memory of 8	4292	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe	89
PID 4292 wrote to memory of 8	4292	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe	89
PID 4292 wrote to memory of 8	4292	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe	89
PID 4292 wrote to memory of 8	4292	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe	89
PID 4292 wrote to memory of 8	4292	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe	89
PID 4292 wrote to memory of 8	4292	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe	89
PID 4292 wrote to memory of 8	4292	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe	89
PID 8 wrote to memory of 1512	8	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe	90
PID 8 wrote to memory of 1512	8	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe	90
PID 8 wrote to memory of 1512	8	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe	90
PID 8 wrote to memory of 4144	8	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe	92
PID 8 wrote to memory of 4144	8	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe	92
PID 8 wrote to memory of 4144	8	2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe	92
PID 1512 wrote to memory of 644	1512	cmd.exe	94
PID 1512 wrote to memory of 644	1512	cmd.exe	94
PID 1512 wrote to memory of 644	1512	cmd.exe	94
PID 4144 wrote to memory of 4468	4144	cmd.exe	95
PID 4144 wrote to memory of 4468	4144	cmd.exe	95
PID 4144 wrote to memory of 4468	4144	cmd.exe	95
PID 4144 wrote to memory of 3404	4144	cmd.exe	96
PID 4144 wrote to memory of 3404	4144	cmd.exe	96
PID 4144 wrote to memory of 3404	4144	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Users\Admin\AppData\Local\Temp\2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "adobes" /tr '"C:\Users\Admin\AppData\Roaming\adobes.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "adobes" /tr '"C:\Users\Admin\AppData\Roaming\adobes.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAA6F.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:4468
  - - C:\Users\Admin\AppData\Roaming\adobes.exe
      "C:\Users\Admin\AppData\Roaming\adobes.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2d3046668e4316eb38dfa44dd953a486_JaffaCakes118.exe.log

Filesize
1KB

MD5
e7473990edf901c1e1bef76f6095f55b

SHA1
f03b370492bbcc5280982886f9688eb8da762c8f

SHA256
5fea4747d97c0dbc097902818ae754eaca7214913a52d3bb1372a6274ce0292a

SHA512
ab93f14371dfae858bbad7d98c95055186f60b30937057f71b3d1ad17ab08b5ab7820a33bc5b3e74c485ec38e6b7a1772077add591d313175c10b4ff94bcb689

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAA6F.tmp.bat

Filesize
150B

MD5
d57d507b1dda789e06c13c8caa68a30a

SHA1
1e6ef6e15166537ab0dd92549e7cbdd8ca55fecd

SHA256
6a3822cc2e0b8a7c5dd6f4f30ae2a0cd59966438a8e172cac7ca4c7e13fb43ef

SHA512
85d63f6e7bbe21d628a1fcb0a1d139d1537e52c11434d08307d09f293b1e46ef81817cd804f9b08d963ff899e3950afe7064d51d8435a608945d9c398a8f166a

Download Submit
C:\Users\Admin\AppData\Roaming\adobes.exe

Filesize
475KB

MD5
2d3046668e4316eb38dfa44dd953a486

SHA1
deb76018ba4d8c1f700486804c383901923fe80c

SHA256
8013f920a224f6e3af1563d04210866aef0b22c145d827274befc3b4b17cecf8

SHA512
47fb64623c8a3488d5387edc5843a5f193a55d3310a4902bf45dc476f2bfa2473e0b675cc5aaecb90db3e67ca5fdad7d4344d81f38fadd61c5b20ea42a4e5904

Download Submit
memory/8-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/8-21-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/8-17-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/8-15-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/4292-10-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/4292-8-0x00000000080F0000-0x00000000080FA000-memory.dmp

Filesize
40KB

Download
memory/4292-9-0x0000000074CDE000-0x0000000074CDF000-memory.dmp

Filesize
4KB

Download
memory/4292-0-0x0000000074CDE000-0x0000000074CDF000-memory.dmp

Filesize
4KB

Download
memory/4292-11-0x00000000014D0000-0x000000000150A000-memory.dmp

Filesize
232KB

Download
memory/4292-6-0x0000000005040000-0x000000000504A000-memory.dmp

Filesize
40KB

Download
memory/4292-7-0x0000000008020000-0x0000000008076000-memory.dmp

Filesize
344KB

Download
memory/4292-4-0x0000000007E90000-0x0000000007F22000-memory.dmp

Filesize
584KB

Download
memory/4292-16-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/4292-5-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/4292-3-0x00000000083A0000-0x0000000008944000-memory.dmp

Filesize
5.6MB

Download
memory/4292-2-0x0000000007D50000-0x0000000007DEC000-memory.dmp

Filesize
624KB

Download
memory/4292-1-0x0000000000C40000-0x0000000000CBC000-memory.dmp

Filesize
496KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads