Analysis

  • max time kernel
    149s
  • max time network
    135s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    28/08/2024, 00:58 UTC

General

  • Target

    niggas.exe

  • Size

    355KB

  • MD5

    427d3738eeb619ef2c1ef2510baac15c

  • SHA1

    1b53ba2b409632de07ba41bd9a1aa62330ab4568

  • SHA256

    92bd69c3130ecb7a5113f9a5c2dc8463e16e21e6db3414cf0a8342c4dab702e1

  • SHA512

    fbe735a7107d4eb6272d98da93ad6db9ab172eec5532217c2289bf4bc676ffa287924d63c0d8f8b0adba76be92a6f2f7880bee0ab5bd85c7ac14df52b1b3645c

  • SSDEEP

    6144:iL1ncfWwN0oc35jeRh8Xqfy/Ka1OHAH0tMrKCTEABG+Z9d3cQT/9nR4Ioy19erV:iLdcfxaeM6fy/KaVUtgKkTZ73coNRJe

Malware Config

Signatures

  • Babylon RAT

    Babylon RAT is a remote access trojan written in C++.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\niggas.exe
    "C:\Users\Admin\AppData\Local\Temp\niggas.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:904
    • C:\ProgramData\Babylon RAT\client.exe
      "C:\ProgramData\Babylon RAT\client.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2228
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /0
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2876

Network

  • DNS (US)
    0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa
    Remote address: 8.8.8.8:53
    Request: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa IN PTR
    Response:
  • DNS (US)
    30.243.111.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 30.243.111.52.in-addr.arpa IN PTR
    Response:
  • DNS (US)
    172.214.232.199.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 172.214.232.199.in-addr.arpa IN PTR
    Response:
  • 8.8.8.8:53
    30.243.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    30.243.111.52.in-addr.arpa

  • 8.8.8.8:53
    0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa
    dns
    118 B
    182 B
    1
    1

    DNS Request

    0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Babylon RAT\client.exe

    Filesize

    355KB

    MD5

    427d3738eeb619ef2c1ef2510baac15c

    SHA1

    1b53ba2b409632de07ba41bd9a1aa62330ab4568

    SHA256

    92bd69c3130ecb7a5113f9a5c2dc8463e16e21e6db3414cf0a8342c4dab702e1

    SHA512

    fbe735a7107d4eb6272d98da93ad6db9ab172eec5532217c2289bf4bc676ffa287924d63c0d8f8b0adba76be92a6f2f7880bee0ab5bd85c7ac14df52b1b3645c

  • memory/904-0-0x0000000001230000-0x00000000012F9000-memory.dmp

    Filesize

    804KB

  • memory/904-7-0x0000000001230000-0x00000000012F9000-memory.dmp

    Filesize

    804KB

  • memory/2228-5-0x00000000008F0000-0x00000000009B9000-memory.dmp

    Filesize

    804KB

  • memory/2228-8-0x00000000008F0000-0x00000000009B9000-memory.dmp

    Filesize

    804KB

  • memory/2228-15-0x00000000008F0000-0x00000000009B9000-memory.dmp

    Filesize

    804KB

  • memory/2228-18-0x00000000008F0000-0x00000000009B9000-memory.dmp

    Filesize

    804KB
