babylonrat | 30f309b4912eea977732ec38083cf4e363ff4f757df1b2a5170d9033fa831655

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29/07/2024, 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe
Size

2.0MB
MD5

477f9071a2494106f3bab9d866bf491e
SHA1

5bdbec0b011c60945154742de74c75cf11a6e8c7
SHA256

30f309b4912eea977732ec38083cf4e363ff4f757df1b2a5170d9033fa831655
SHA512

d1efe71ff34b986b72e4ca13210a019efe12fb6f08728a56350ce7ce5dcab566035db26429e104f2524dfe4774e77b4845863f3350971fc79ddae69b062e74f3
SSDEEP

49152:5n2CWZeY24D4n8pKd7IXuZzKRQ54ZxrC/ccha5FzGNUbWkt9:J2CWZess8pAsu8y5qxrmhaTvbWu9

Score

10^/10

babylonrat pony collection credential_access discovery persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

babylonrat

cryfreeman042.ddns.net

Extracted

Family

pony

http://www.mytonnymaxltd.com/wp-content/Panel/gate.php

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Deletes itself 1 IoCs

pid	Process
1288	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2104	Babylon .exe
2908	soft.exe
2292	Pony.exe
2760	yduxa.exe
2988	Babylon .exe
2332	raod.exe
1484	soft.exe
344	Pony.exe
376	yduxa.exe

Loads dropped DLL 17 IoCs

pid	Process
2676	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe
2676	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe
2676	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe
2676	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe
2676	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe
2920	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe
2760	yduxa.exe
2908	soft.exe
2908	soft.exe
2760	yduxa.exe
2760	yduxa.exe
2760	yduxa.exe
2760	yduxa.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000012286-5.dat	upx
behavioral1/memory/2104-11-0x0000000000C90000-0x0000000000D59000-memory.dmp	upx
behavioral1/memory/2676-24-0x0000000002200000-0x000000000221D000-memory.dmp	upx
behavioral1/files/0x00080000000162e3-27.dat	upx
behavioral1/memory/2292-31-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2988-83-0x00000000010C0000-0x0000000001189000-memory.dmp	upx
behavioral1/memory/2988-82-0x00000000010C0000-0x0000000001189000-memory.dmp	upx
behavioral1/memory/344-124-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/344-535-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2292-2628-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2104-2887-0x0000000000C90000-0x0000000000D59000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Pony.exe
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Pony.exe

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Pony.exe
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Pony.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ryluam = "C:\\Users\\Admin\\AppData\\Roaming\\Fitooh\\raod.exe"	raod.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 2676 set thread context of 2920	2676	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe	33
PID 2760 set thread context of 376	2760	yduxa.exe	39
PID 2908 set thread context of 2868	2908	soft.exe	47
PID 2908 set thread context of 2868	2908	soft.exe	47
PID 1484 set thread context of 2388	1484	soft.exe	48
PID 1484 set thread context of 2388	1484	soft.exe	48
PID 2292 set thread context of 2256	2292	Pony.exe	51
PID 2292 set thread context of 2256	2292	Pony.exe	51

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soft.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yduxa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soft.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Babylon .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yduxa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Babylon .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pony.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	raod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pony.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Privacy	Babylon .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	Babylon .exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\5A55533C-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
2332	raod.exe
376	yduxa.exe
376	yduxa.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe
2332	raod.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2104	Babylon .exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2104	Babylon .exe
Token: SeDebugPrivilege	2104	Babylon .exe
Token: SeTcbPrivilege	2104	Babylon .exe
Token: SeSecurityPrivilege	2908	soft.exe
Token: SeSecurityPrivilege	2908	soft.exe
Token: SeSecurityPrivilege	2920	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2292	Pony.exe
Token: SeTcbPrivilege	2292	Pony.exe
Token: SeChangeNotifyPrivilege	2292	Pony.exe
Token: SeCreateTokenPrivilege	2292	Pony.exe
Token: SeBackupPrivilege	2292	Pony.exe
Token: SeRestorePrivilege	2292	Pony.exe
Token: SeIncreaseQuotaPrivilege	2292	Pony.exe
Token: SeAssignPrimaryTokenPrivilege	2292	Pony.exe
Token: SeShutdownPrivilege	2988	Babylon .exe
Token: SeDebugPrivilege	2988	Babylon .exe
Token: SeTcbPrivilege	2988	Babylon .exe
Token: SeSecurityPrivilege	2104	Babylon .exe
Token: SeSecurityPrivilege	2104	Babylon .exe
Token: SeImpersonatePrivilege	344	Pony.exe
Token: SeTcbPrivilege	344	Pony.exe
Token: SeChangeNotifyPrivilege	344	Pony.exe
Token: SeCreateTokenPrivilege	344	Pony.exe
Token: SeBackupPrivilege	344	Pony.exe
Token: SeRestorePrivilege	344	Pony.exe
Token: SeIncreaseQuotaPrivilege	344	Pony.exe
Token: SeAssignPrimaryTokenPrivilege	344	Pony.exe
Token: SeSecurityPrivilege	2104	Babylon .exe
Token: SeSecurityPrivilege	2104	Babylon .exe
Token: SeImpersonatePrivilege	344	Pony.exe
Token: SeTcbPrivilege	344	Pony.exe
Token: SeChangeNotifyPrivilege	344	Pony.exe
Token: SeCreateTokenPrivilege	344	Pony.exe
Token: SeBackupPrivilege	344	Pony.exe
Token: SeRestorePrivilege	344	Pony.exe
Token: SeIncreaseQuotaPrivilege	344	Pony.exe
Token: SeAssignPrimaryTokenPrivilege	344	Pony.exe
Token: SeSecurityPrivilege	2104	Babylon .exe
Token: SeSecurityPrivilege	2104	Babylon .exe
Token: SeSecurityPrivilege	2104	Babylon .exe
Token: SeSecurityPrivilege	2104	Babylon .exe
Token: SeImpersonatePrivilege	344	Pony.exe
Token: SeTcbPrivilege	344	Pony.exe
Token: SeChangeNotifyPrivilege	344	Pony.exe
Token: SeCreateTokenPrivilege	344	Pony.exe
Token: SeBackupPrivilege	344	Pony.exe
Token: SeRestorePrivilege	344	Pony.exe
Token: SeIncreaseQuotaPrivilege	344	Pony.exe
Token: SeAssignPrimaryTokenPrivilege	344	Pony.exe
Token: SeImpersonatePrivilege	344	Pony.exe
Token: SeTcbPrivilege	344	Pony.exe
Token: SeChangeNotifyPrivilege	344	Pony.exe
Token: SeCreateTokenPrivilege	344	Pony.exe
Token: SeBackupPrivilege	344	Pony.exe
Token: SeRestorePrivilege	344	Pony.exe
Token: SeIncreaseQuotaPrivilege	344	Pony.exe
Token: SeAssignPrimaryTokenPrivilege	344	Pony.exe
Token: SeManageVolumePrivilege	1884	WinMail.exe
Token: SeImpersonatePrivilege	2292	Pony.exe
Token: SeTcbPrivilege	2292	Pony.exe
Token: SeChangeNotifyPrivilege	2292	Pony.exe
Token: SeCreateTokenPrivilege	2292	Pony.exe
Token: SeBackupPrivilege	2292	Pony.exe
Token: SeRestorePrivilege	2292	Pony.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1884	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1884	WinMail.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2104	Babylon .exe
1884	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2104	2676	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2104	2676	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2104	2676	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2104	2676	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2908	2676	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2908	2676	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2908	2676	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2908	2676	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2292	2676	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe	32
PID 2676 wrote to memory of 2292	2676	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe	32
PID 2676 wrote to memory of 2292	2676	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe	32
PID 2676 wrote to memory of 2292	2676	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe	32
PID 2676 wrote to memory of 2920	2676	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe	33
PID 2676 wrote to memory of 2920	2676	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe	33
PID 2676 wrote to memory of 2920	2676	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe	33
PID 2676 wrote to memory of 2920	2676	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe	33
PID 2676 wrote to memory of 2920	2676	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe	33
PID 2676 wrote to memory of 2920	2676	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe	33
PID 2676 wrote to memory of 2920	2676	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe	33
PID 2676 wrote to memory of 2920	2676	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe	33
PID 2676 wrote to memory of 2920	2676	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe	33
PID 2676 wrote to memory of 2920	2676	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe	33
PID 2920 wrote to memory of 2760	2920	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe	34
PID 2920 wrote to memory of 2760	2920	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe	34
PID 2920 wrote to memory of 2760	2920	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe	34
PID 2920 wrote to memory of 2760	2920	477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe	34
PID 2760 wrote to memory of 2988	2760	yduxa.exe	35
PID 2760 wrote to memory of 2988	2760	yduxa.exe	35
PID 2760 wrote to memory of 2988	2760	yduxa.exe	35
PID 2760 wrote to memory of 2988	2760	yduxa.exe	35
PID 2908 wrote to memory of 2332	2908	soft.exe	36
PID 2908 wrote to memory of 2332	2908	soft.exe	36
PID 2908 wrote to memory of 2332	2908	soft.exe	36
PID 2908 wrote to memory of 2332	2908	soft.exe	36
PID 2760 wrote to memory of 1484	2760	yduxa.exe	37
PID 2760 wrote to memory of 1484	2760	yduxa.exe	37
PID 2760 wrote to memory of 1484	2760	yduxa.exe	37
PID 2760 wrote to memory of 1484	2760	yduxa.exe	37
PID 2760 wrote to memory of 344	2760	yduxa.exe	38
PID 2760 wrote to memory of 344	2760	yduxa.exe	38
PID 2760 wrote to memory of 344	2760	yduxa.exe	38
PID 2760 wrote to memory of 344	2760	yduxa.exe	38
PID 2332 wrote to memory of 1112	2332	raod.exe	19
PID 2332 wrote to memory of 1112	2332	raod.exe	19
PID 2332 wrote to memory of 1112	2332	raod.exe	19
PID 2332 wrote to memory of 1112	2332	raod.exe	19
PID 2332 wrote to memory of 1112	2332	raod.exe	19
PID 2332 wrote to memory of 1164	2332	raod.exe	20
PID 2332 wrote to memory of 1164	2332	raod.exe	20
PID 2332 wrote to memory of 1164	2332	raod.exe	20
PID 2332 wrote to memory of 1164	2332	raod.exe	20
PID 2332 wrote to memory of 1164	2332	raod.exe	20
PID 2760 wrote to memory of 376	2760	yduxa.exe	39
PID 2760 wrote to memory of 376	2760	yduxa.exe	39
PID 2760 wrote to memory of 376	2760	yduxa.exe	39
PID 2760 wrote to memory of 376	2760	yduxa.exe	39
PID 2760 wrote to memory of 376	2760	yduxa.exe	39
PID 2760 wrote to memory of 376	2760	yduxa.exe	39
PID 2760 wrote to memory of 376	2760	yduxa.exe	39
PID 2760 wrote to memory of 376	2760	yduxa.exe	39
PID 2760 wrote to memory of 376	2760	yduxa.exe	39
PID 2760 wrote to memory of 376	2760	yduxa.exe	39
PID 2332 wrote to memory of 1200	2332	raod.exe	21
PID 2332 wrote to memory of 1200	2332	raod.exe	21

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Pony.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\Babylon .exe
    "C:\Users\Admin\AppData\Local\Temp\Babylon .exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2104
- - C:\Users\Admin\AppData\Local\Temp\soft.exe
    "C:\Users\Admin\AppData\Local\Temp\soft.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Users\Admin\AppData\Roaming\Fitooh\raod.exe
      "C:\Users\Admin\AppData\Roaming\Fitooh\raod.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2332
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp34dc5df4.bat"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2868
- - C:\Users\Admin\AppData\Local\Temp\Pony.exe
    "C:\Users\Admin\AppData\Local\Temp\Pony.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - outlook_win_path
    PID:2292
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\259440738.bat" "C:\Users\Admin\AppData\Local\Temp\Pony.exe" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2256
- - C:\Users\Admin\AppData\Local\Temp\477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Users\Admin\AppData\Roaming\Seykeb\yduxa.exe
      "C:\Users\Admin\AppData\Roaming\Seykeb\yduxa.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Users\Admin\AppData\Roaming\Seykeb\Babylon .exe
        
        "C:\Users\Admin\AppData\Roaming\Seykeb\Babylon .exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
    - - C:\Users\Admin\AppData\Roaming\Seykeb\soft.exe
        
        "C:\Users\Admin\AppData\Roaming\Seykeb\soft.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1484
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp34dc5df4.bat"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
    - - C:\Users\Admin\AppData\Roaming\Seykeb\Pony.exe
        
        "C:\Users\Admin\AppData\Roaming\Seykeb\Pony.exe"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:344
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\259437103.bat" "C:\Users\Admin\AppData\Roaming\Seykeb\Pony.exe" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1616
    - - C:\Users\Admin\AppData\Roaming\Seykeb\yduxa.exe
        
        "C:\Users\Admin\AppData\Roaming\Seykeb\yduxa.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:376
      - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpea34fe0c.bat"
      4⤵
      Deletes itself
      System Location Discovery: System Language Discovery
      PID:1288

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1416

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1884

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:4816

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:108

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:4620

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3472

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:4020

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1124

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3848

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
e9a07ecbb453e338300df2f11da9e17d

SHA1
cd73c6f44feb2cb551b1a8bb14e5e27a34ed3a42

SHA256
9066c5aeef72d3ffd210c7edb33a90e409219da612e44c20bad1068bc34c66d7

SHA512
2066347e07c1e5ce496c87596cbad2fe5e1250e59aee246064fce74781226897168e1a079b91dd1e4cb1a14ea87ed8a4c967e49812cb3ca8f38658ab0abce991

Download Submit
C:\Users\Admin\AppData\Local\Temp\259437103.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pony.exe

Filesize
34KB

MD5
7930fc68bc3cb9bf6a35d54558bcfb91

SHA1
8de4b17263c3416598fa04bc47aae4821c11765d

SHA256
91c2e0525c0303a92fc4daea82cc1223a4044cffa64a5d0bf23d575c60555b13

SHA512
96ea5c9dad7271df85076fc491f8d385ee799dd3e6a5328b182bd63d3653116735da250d749d59df4e0146308fe33f77b98a8633d9ed117f1f3405b8c8cfd3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\soft.exe

Filesize
221KB

MD5
815266c018e9a3d517d5865cf8918c2d

SHA1
575486e27a86adde49217cf9055ab6b5b9011c3e

SHA256
35ee92e61ea7bc51cb6dd00bc372627c42f956ed8573191621844e82165ddb80

SHA512
dabc5a0cf124889b4099bd4ffed0557d1d789f50bc6a02a20dff41eca322d66f2c984647f622d67ee19d93db2bbe14955ddf07bff8a5dce0dd8a0858b799725e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp34dc5df4.bat

Filesize
195B

MD5
3d8c8624973ae3af58143a634283bac0

SHA1
0e9df87ac218bf9c6872704e2e044f19790b4efa

SHA256
a70529bac14308fb033a87a73087db66efc49199409451e3eefe6abc321c76f1

SHA512
cf5cf6732fa4466248abbc663a7e94d04b216c6b8c7e65c86ef44b222eafafaaff20428a8922d3efdf6315e26610bd40f9e6ddc2febbd860afbdf664a6ad1dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpea34fe0c.bat

Filesize
271B

MD5
744ca9913df80d1ead900c0142c90549

SHA1
fdc32000c262559fdf1b636f1e0437f7a093b04e

SHA256
4dfbe1d1dc0b2a6fbb5770652b1e7967c4905f1bfaebdcb878beb15677ad19f4

SHA512
f1987bc25764c65e36ae47846f17670feeb1aef4103be97de680277885386fc46f062b50f8b78035e4c704d7e405427e85e03268846546da9b9ec1d5c85475d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mucufu\zoik.tev

Filesize
4KB

MD5
20013d436b43f90c55743bba11777b8f

SHA1
e72bfd2d3ec0d9b7bfca89bed2671b6e4437909e

SHA256
22d1f31bc8737ae1d717376f554698eb84ac635069748725a2683086e97a0981

SHA512
bcb23659d5d44cf3abbb6136760f92a53cd021dacf21812f84869c4f206acc1f3efed8da2deb9e7c486b78cd97b9afb90ff571a6c04fe06d3680a5ac50396206

Download Submit
C:\Users\Admin\AppData\Roaming\Seykeb\yduxa.exe

Filesize
2.0MB

MD5
6675e1414fbbbb586b1b120eb89448ae

SHA1
401b2f930123ef5f1279fb3c370ffca1ab944680

SHA256
ed2a7fffc30f3dd77a8c765ea442bbd2fe3fd73cac1496c096ca3d7334dc31c0

SHA512
23ca8d06725e7ec543ba0f7a06493c7a7e07d57cfc7ba7a454dc1de54ebb3e40f269fa8c9fda5b5e702cea617f57eaf720a09d6b2b46c45d172d6cd734458a87

Download Submit
\Users\Admin\AppData\Local\Temp\Babylon .exe

Filesize
355KB

MD5
5d05b4f6accd34f7085bb70970683a8c

SHA1
721ab6c7559ea584d259df2448a5e30b4c222b92

SHA256
503b5746ec5c5cc50e44672a7a49cf112106607d8cea8f80b537280f541cd214

SHA512
ff02f4d8462e52f7cc5d4452a703ca2b65f6b80b3974c602e503e9ef568c9d8f2ed08e72776c0602ee7337a689964e3d4b0df8ec5db5cb6868144dcbc93f2d97

Download Submit
\Users\Admin\AppData\Roaming\Fitooh\raod.exe

Filesize
221KB

MD5
1fc4884c739ff861aa01ad3563dd7137

SHA1
0ac484c05baf8cf72ee4a777bc527cc1f98d7951

SHA256
951bac98dfe60948855a3174956251516cb177fad7bd516c7be38952672bd804

SHA512
536d7ba439b268d06f5e9b61b9c1342a547a5ffb61ebf299e7c4bed6cfb01e5c39efede8614fb3d398e9b3eeacb691d98f4b8305f772c4a6556d32fa1989a54b

Download Submit
memory/344-124-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/344-535-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/376-147-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1112-113-0x0000000000370000-0x00000000003AB000-memory.dmp

Filesize
236KB

Download
memory/1112-111-0x0000000000370000-0x00000000003AB000-memory.dmp

Filesize
236KB

Download
memory/1112-119-0x0000000000370000-0x00000000003AB000-memory.dmp

Filesize
236KB

Download
memory/1112-117-0x0000000000370000-0x00000000003AB000-memory.dmp

Filesize
236KB

Download
memory/1112-115-0x0000000000370000-0x00000000003AB000-memory.dmp

Filesize
236KB

Download
memory/1164-127-0x0000000001FD0000-0x000000000200B000-memory.dmp

Filesize
236KB

Download
memory/1164-125-0x0000000001FD0000-0x000000000200B000-memory.dmp

Filesize
236KB

Download
memory/2104-2887-0x0000000000C90000-0x0000000000D59000-memory.dmp

Filesize
804KB

Download
memory/2104-11-0x0000000000C90000-0x0000000000D59000-memory.dmp

Filesize
804KB

Download
memory/2292-31-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2292-2628-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2332-1226-0x00000000004B0000-0x00000000004CD000-memory.dmp

Filesize
116KB

Download
memory/2676-0-0x000000007455E000-0x000000007455F000-memory.dmp

Filesize
4KB

Download
memory/2676-30-0x0000000002200000-0x000000000221D000-memory.dmp

Filesize
116KB

Download
memory/2676-24-0x0000000002200000-0x000000000221D000-memory.dmp

Filesize
116KB

Download
memory/2676-10-0x0000000004D60000-0x0000000004E29000-memory.dmp

Filesize
804KB

Download
memory/2676-2-0x0000000004270000-0x0000000004376000-memory.dmp

Filesize
1.0MB

Download
memory/2676-1-0x0000000000AD0000-0x0000000000CD8000-memory.dmp

Filesize
2.0MB

Download
memory/2760-63-0x0000000000FC0000-0x00000000011C8000-memory.dmp

Filesize
2.0MB

Download
memory/2760-123-0x0000000000670000-0x000000000068D000-memory.dmp

Filesize
116KB

Download
memory/2760-79-0x0000000005DA0000-0x0000000005E69000-memory.dmp

Filesize
804KB

Download
memory/2760-64-0x0000000004CD0000-0x0000000004DD6000-memory.dmp

Filesize
1.0MB

Download
memory/2908-34-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2908-32-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2920-54-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2920-39-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2920-41-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2920-55-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2920-44-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2920-47-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2920-50-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2920-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2920-53-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2920-37-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2988-82-0x00000000010C0000-0x0000000001189000-memory.dmp

Filesize
804KB

Download
memory/2988-83-0x00000000010C0000-0x0000000001189000-memory.dmp

Filesize
804KB

Download
memory/2988-2888-0x00000000010C0000-0x0000000001189000-memory.dmp

Filesize
804KB

Download