asyncrat | 9b608fcfcff20713072deb68b58dd218cc10f880b5c85a7903aec99d9471f269

Analysis

max time kernel
137s
max time network
152s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13-07-2024 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42ffde5af3d66024c0699f14922bb1da_JaffaCakes118.exe
Size

315KB
MD5

42ffde5af3d66024c0699f14922bb1da
SHA1

b4019d8834f565877ead605a6930e5fdb1bdcfa1
SHA256

9b608fcfcff20713072deb68b58dd218cc10f880b5c85a7903aec99d9471f269
SHA512

cef54ced9dd019f24cd8619e3fd989a8ca146680ffb9b98217941068d79c26a38476d696d2a6c91c69fde70e3b8f25f05c18462682b26486f693c16badcd82fe
SSDEEP

6144:D6xqzHOWLMGBgPcpdrVVsqy3WmSNRbNqfWvC:OxqzHOM/HVVs/3WNbMfWvC

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

40.75.8.74:7707

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7A

Botnet

Default

23.102.129.234:7707

Mutex

uvkcjjugzqls

Attributes

delay
1
install
false
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/files/0x0008000000016cda-8.dat	family_asyncrat
behavioral1/files/0x0008000000016d07-15.dat	family_asyncrat

Executes dropped EXE 2 IoCs

pid	Process
2800	Cuubz.exe
1264	Izkemwkdhqej.exe

Loads dropped DLL 2 IoCs

pid	Process
2472	42ffde5af3d66024c0699f14922bb1da_JaffaCakes118.exe
2472	42ffde5af3d66024c0699f14922bb1da_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2472	42ffde5af3d66024c0699f14922bb1da_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2800	2472	42ffde5af3d66024c0699f14922bb1da_JaffaCakes118.exe	30
PID 2472 wrote to memory of 2800	2472	42ffde5af3d66024c0699f14922bb1da_JaffaCakes118.exe	30
PID 2472 wrote to memory of 2800	2472	42ffde5af3d66024c0699f14922bb1da_JaffaCakes118.exe	30
PID 2472 wrote to memory of 2800	2472	42ffde5af3d66024c0699f14922bb1da_JaffaCakes118.exe	30
PID 2472 wrote to memory of 1264	2472	42ffde5af3d66024c0699f14922bb1da_JaffaCakes118.exe	31
PID 2472 wrote to memory of 1264	2472	42ffde5af3d66024c0699f14922bb1da_JaffaCakes118.exe	31
PID 2472 wrote to memory of 1264	2472	42ffde5af3d66024c0699f14922bb1da_JaffaCakes118.exe	31
PID 2472 wrote to memory of 1264	2472	42ffde5af3d66024c0699f14922bb1da_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\42ffde5af3d66024c0699f14922bb1da_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\42ffde5af3d66024c0699f14922bb1da_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Users\Admin\AppData\Local\Temp\Cuubz.exe
  "C:\Users\Admin\AppData\Local\Temp\Cuubz.exe"
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Users\Admin\AppData\Local\Temp\Izkemwkdhqej.exe
  "C:\Users\Admin\AppData\Local\Temp\Izkemwkdhqej.exe"
  2⤵
  - Executes dropped EXE
  PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Cuubz.exe

Filesize
47KB

MD5
96073281c86416ec2a530a8e21431cac

SHA1
3760599c3ad5c487fdd0d67feed2d3527769d2a0

SHA256
e2966044f7a5771d7cae9b568d50672be4067be8e547382dbec13edc94e1e994

SHA512
aab5c5dfc7a1b5115231cde88291a4e8873edc7f79d5278465e15e0ccb5b44adb18dfef06d34bd78f88200b8380fcb3eccc571a2c5db2a8924071745a8524317

Download Submit
\Users\Admin\AppData\Local\Temp\Izkemwkdhqej.exe

Filesize
49KB

MD5
955fec4f0483cf02565ceba73ca2456d

SHA1
93aa63dace4f41464b9fa7c2950635f2cd2bc4b4

SHA256
87db4d2962807c84b27c1c759abb7744e01685be2e7fdda54e95fc502057491e

SHA512
4db6d3ba9492fcdb74c276a3cb46c158a6bbb153532a25210a7d11166403a2aaf1127b6445768106821586f46934ac0a3e60894c554767fdf604cae25b63766d

Download Submit
memory/1264-21-0x0000000000A10000-0x0000000000A22000-memory.dmp

Filesize
72KB

Download
memory/2472-3-0x0000000074AB0000-0x000000007519E000-memory.dmp

Filesize
6.9MB

Download
memory/2472-4-0x0000000074AB0000-0x000000007519E000-memory.dmp

Filesize
6.9MB

Download
memory/2472-5-0x00000000007D0000-0x00000000007DE000-memory.dmp

Filesize
56KB

Download
memory/2472-0-0x0000000074ABE000-0x0000000074ABF000-memory.dmp

Filesize
4KB

Download
memory/2472-2-0x0000000000500000-0x0000000000514000-memory.dmp

Filesize
80KB

Download
memory/2472-1-0x0000000000F10000-0x0000000000F66000-memory.dmp

Filesize
344KB

Download
memory/2472-23-0x0000000074AB0000-0x000000007519E000-memory.dmp

Filesize
6.9MB

Download
memory/2800-17-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/2800-22-0x0000000074AB0000-0x000000007519E000-memory.dmp

Filesize
6.9MB

Download
memory/2800-24-0x0000000074AB0000-0x000000007519E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads