asyncrat | ea3d22065961b55c82ad89a5003ba6904e04598bfd6987bc847b68196e333c94

General

Target

4bc1e15a3b8ccbed4ed88a298d737ee5_JaffaCakes118.exe
Size

52KB
MD5

4bc1e15a3b8ccbed4ed88a298d737ee5
SHA1

f1d9f3ba07924492ce6640d7e4de08d36e3485d4
SHA256

ea3d22065961b55c82ad89a5003ba6904e04598bfd6987bc847b68196e333c94
SHA512

5ba27276832f8d57ae58c340a8d4837980c65444f5fab6cb912d23ca50d9ff46767ea9894de0fba12c1ef2485b5ff7e5e97dc803b240261e6d62517493b53b10
SSDEEP

1536:Uui3NTdBR27R515q2r3bSCubG+QSl6qzQgfmd7x:UuidTdBR2V51U2r3FubG+oRgfmhx

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:1212

91.151.94.60:6606

91.151.94.60:7707

91.151.94.60:8808

91.151.94.60:1212

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0008000000017041-13.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
2772	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2652	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2660	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2752	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1940	4bc1e15a3b8ccbed4ed88a298d737ee5_JaffaCakes118.exe
1940	4bc1e15a3b8ccbed4ed88a298d737ee5_JaffaCakes118.exe
1940	4bc1e15a3b8ccbed4ed88a298d737ee5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1940	4bc1e15a3b8ccbed4ed88a298d737ee5_JaffaCakes118.exe
Token: SeDebugPrivilege	2772	svchost.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2092	1940	4bc1e15a3b8ccbed4ed88a298d737ee5_JaffaCakes118.exe	31
PID 1940 wrote to memory of 2092	1940	4bc1e15a3b8ccbed4ed88a298d737ee5_JaffaCakes118.exe	31
PID 1940 wrote to memory of 2092	1940	4bc1e15a3b8ccbed4ed88a298d737ee5_JaffaCakes118.exe	31
PID 1940 wrote to memory of 2092	1940	4bc1e15a3b8ccbed4ed88a298d737ee5_JaffaCakes118.exe	31
PID 1940 wrote to memory of 2652	1940	4bc1e15a3b8ccbed4ed88a298d737ee5_JaffaCakes118.exe	33
PID 1940 wrote to memory of 2652	1940	4bc1e15a3b8ccbed4ed88a298d737ee5_JaffaCakes118.exe	33
PID 1940 wrote to memory of 2652	1940	4bc1e15a3b8ccbed4ed88a298d737ee5_JaffaCakes118.exe	33
PID 1940 wrote to memory of 2652	1940	4bc1e15a3b8ccbed4ed88a298d737ee5_JaffaCakes118.exe	33
PID 2092 wrote to memory of 2752	2092	cmd.exe	35
PID 2092 wrote to memory of 2752	2092	cmd.exe	35
PID 2092 wrote to memory of 2752	2092	cmd.exe	35
PID 2092 wrote to memory of 2752	2092	cmd.exe	35
PID 2652 wrote to memory of 2660	2652	cmd.exe	36
PID 2652 wrote to memory of 2660	2652	cmd.exe	36
PID 2652 wrote to memory of 2660	2652	cmd.exe	36
PID 2652 wrote to memory of 2660	2652	cmd.exe	36
PID 2652 wrote to memory of 2772	2652	cmd.exe	37
PID 2652 wrote to memory of 2772	2652	cmd.exe	37
PID 2652 wrote to memory of 2772	2652	cmd.exe	37
PID 2652 wrote to memory of 2772	2652	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\4bc1e15a3b8ccbed4ed88a298d737ee5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4bc1e15a3b8ccbed4ed88a298d737ee5_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpCDE9.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2660
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCDE9.tmp.bat

Filesize
151B

MD5
0a11c5b92c76b50062ac51d9c9a3b0c8

SHA1
f5564aec3131312de91c91648b90860527e5cb65

SHA256
0d90db15fecf6a9456daf4866239cd339327e4b1f94becef064f827e470132e3

SHA512
af6dba2e82993ed722aeeddc4a2438f341fac66b0447e17122e7de3a89cde190ae7f825e3108ab851c0a5d2c8475b1fd639313693f0ee4327e1ca7b4b2d39a64

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
52KB

MD5
4bc1e15a3b8ccbed4ed88a298d737ee5

SHA1
f1d9f3ba07924492ce6640d7e4de08d36e3485d4

SHA256
ea3d22065961b55c82ad89a5003ba6904e04598bfd6987bc847b68196e333c94

SHA512
5ba27276832f8d57ae58c340a8d4837980c65444f5fab6cb912d23ca50d9ff46767ea9894de0fba12c1ef2485b5ff7e5e97dc803b240261e6d62517493b53b10

Download Submit
memory/1940-0-0x000000007427E000-0x000000007427F000-memory.dmp

Filesize
4KB

Download
memory/1940-1-0x0000000000FC0000-0x0000000000FD2000-memory.dmp

Filesize
72KB

Download
memory/1940-2-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/1940-11-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/2772-16-0x0000000000810000-0x0000000000822000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads