Analysis

max time kernel:  149s
max time network: 135s
platform:         windows10-1703_x64
resource:         win10-20240611-en
resource tags:    arch:x64 arch:x86 image:win10-20240611-en locale:en-us os:windows10-1703-x64 system
submitted:        28-08-2024 00:58
Behavioral task: behavioral1
Sample:          niggas.exe
Resource:        win10-20240611-en
General

Target: niggas.exe
Size:   355KB
MD5:    427d3738eeb619ef2c1ef2510baac15c
SHA1:   1b53ba2b409632de07ba41bd9a1aa62330ab4568
SHA256: 92bd69c3130ecb7a5113f9a5c2dc8463e16e21e6db3414cf0a8342c4dab702e1
SHA512: fbe735a7107d4eb6272d98da93ad6db9ab172eec5532217c2289bf4bc676ffa287924d63c0d8f8b0adba76be92a6f2f7880bee0ab5bd85c7ac14df52b1b3645c
SSDEEP: 6144:iL1ncfWwN0oc35jeRh8Xqfy/Ka1OHAH0tMrKCTEABG+Z9d3cQT/9nR4Ioy19erV:iLdcfxaeM6fy/KaVUtgKkTZ73coNRJe
Malware Config
Signatures
Babylon RAT
Babylon RAT is a remote access trojan written in C++.

Executes dropped EXE (1 IoC)
pid   Process
2228  client.exe

YARA rule matches: upx (7 IoCs)
Both the submitted niggas.exe (PID 904) and the dropped client.exe (PID 2228) match the upx rule in memory, and the dropped file matches on disk. The two in-memory image ranges are the same size (0xC9000 bytes), consistent with the dropped client being the same UPX-packed executable.
resource                                                                     yara_rule
behavioral1/memory/904-0-0x0000000001230000-0x00000000012F9000-memory.dmp    upx
behavioral1/files/0x000800000001aacc-3.dat                                   upx
behavioral1/memory/2228-5-0x00000000008F0000-0x00000000009B9000-memory.dmp   upx
behavioral1/memory/904-7-0x0000000001230000-0x00000000012F9000-memory.dmp    upx
behavioral1/memory/2228-8-0x00000000008F0000-0x00000000009B9000-memory.dmp   upx
behavioral1/memory/2228-15-0x00000000008F0000-0x00000000009B9000-memory.dmp  upx
behavioral1/memory/2228-18-0x00000000008F0000-0x00000000009B9000-memory.dmp  upx
Adds Run key to start application (2 TTPs, 2 IoCs)
The value is written under the user hive (HKU\S-1-5-21-...-1000, i.e. HKCU for that user) in RunOnce, not Run. Windows deletes a RunOnce value after running it at the next logon, so persistence depends on the client re-writing it; in this run both the dropper (PID 904) and the dropped client.exe (PID 2228) set the same value.
description      ioc                                                                                                                                                                       Process
Set value (str)  \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"  niggas.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"  client.exe

Drops file in Windows directory (2 IoCs)
Both files are written by taskmgr.exe (PID 2876), which appears in the process tree as a separate top-level process rather than a child of the sample; these are Task Manager's own resource-cache writes, not sample activity.
description   ioc                                                    Process
File created  C:\Windows\rescache\_merged\4183903823\2290032291.pri  taskmgr.exe
File created  C:\Windows\rescache\_merged\1601268389\715946058.pri   taskmgr.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  client.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  niggas.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments. Here every access comes from taskmgr.exe (PID 2876), a separate top-level process in the tree, not from the sample.
description        ioc                                                                                                                                                         Process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                                          taskmgr.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                             taskmgr.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments. Both reads here are by taskmgr.exe (PID 2876), not the sample.
description        ioc                                                                                 Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    taskmgr.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  taskmgr.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
2876  taskmgr.exe (64 occurrences)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid   Process
2228  client.exe
2876  taskmgr.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
Both the dropper and the dropped client.exe adjust their token to enable SeShutdownPrivilege, SeDebugPrivilege and SeTcbPrivilege; the taskmgr.exe entries come from Task Manager (PID 2876), not the sample.
description                        pid   Process
Token: SeShutdownPrivilege         904   niggas.exe
Token: SeDebugPrivilege            904   niggas.exe
Token: SeTcbPrivilege              904   niggas.exe
Token: SeShutdownPrivilege         2228  client.exe
Token: SeDebugPrivilege            2228  client.exe
Token: SeTcbPrivilege              2228  client.exe
Token: SeDebugPrivilege            2876  taskmgr.exe
Token: SeSystemProfilePrivilege    2876  taskmgr.exe
Token: SeCreateGlobalPrivilege     2876  taskmgr.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
pid   Process
2876  taskmgr.exe (64 occurrences)

Suspicious use of SendNotifyMessage (64 IoCs)
pid   Process
2876  taskmgr.exe (64 occurrences)

Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
2228  client.exe

Suspicious use of WriteProcessMemory (3 IoCs)
The writes go from the dropper into the client.exe process it has just launched (PID 2228, its child in the process tree).
description                      pid  Process     procid_target
PID 904 wrote to memory of 2228  904  niggas.exe  70
PID 904 wrote to memory of 2228  904  niggas.exe  70
PID 904 wrote to memory of 2228  904  niggas.exe  70
Processes

C:\Users\Admin\AppData\Local\Temp\niggas.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\niggas.exe"
PID: 904
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\ProgramData\Babylon RAT\client.exe (depth 2, child of PID 904)
    Command line: "C:\ProgramData\Babylon RAT\client.exe"
    PID: 2228
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

C:\Windows\system32\taskmgr.exe (depth 1, not spawned by the sample)
Command line: "C:\Windows\system32\taskmgr.exe" /0
PID: 2876
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
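The chain visible in the signatures and process tree above (the dropper writes a RunOnce value pointing into C:\ProgramData, drops client.exe there, launches it, and the client re-writes the same RunOnce value) is what a hunt rule should key on rather than the file hashes, which change with every rebuild. The following is an added example, not part of the sandbox report and not Babylon RAT's code: a Python hunt over Sysmon-style events (process create, file create, registry set-value) constructed from this report's IoCs. The event layout, the benign noise events (Task Manager and a hypothetical "Vendor" installer, PID 3100), and the choice of "user-writable" path prefixes are assumptions.

```python
"""Hunt for the dropper -> RunOnce -> dropped-EXE chain from this report.

Added example, not part of the sandbox report and not Babylon RAT's code.
Field names follow Sysmon (Image, TargetObject, Details, TargetFilename),
but the events below are constructed from the report's IoCs, not a capture.
"""
import re
from collections import defaultdict

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\niggas.exe"
CLIENT = r"C:\ProgramData\Babylon RAT\client.exe"
RUNONCE = (r"\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT")

# Constructed events mirroring the report; the last two are benign noise
# (Task Manager, and a hypothetical installer writing an ordinary Run value).
EVENTS = [
    {"EventID": 1,  "ProcessId": 904,  "Image": DROPPER},
    {"EventID": 11, "ProcessId": 904,  "Image": DROPPER, "TargetFilename": CLIENT},
    {"EventID": 13, "ProcessId": 904,  "Image": DROPPER, "TargetObject": RUNONCE,
     "Details": '"' + CLIENT + '"'},
    {"EventID": 1,  "ProcessId": 2228, "Image": CLIENT, "ParentProcessId": 904},
    {"EventID": 13, "ProcessId": 2228, "Image": CLIENT, "TargetObject": RUNONCE,
     "Details": '"' + CLIENT + '"'},
    {"EventID": 1,  "ProcessId": 2876, "Image": r"C:\Windows\system32\taskmgr.exe"},
    {"EventID": 13, "ProcessId": 3100, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe --quiet"},
]

# Run and RunOnce values under any hive; group 1 = key kind, group 2 = value name.
AUTORUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(RunOnce|Run)\\([^\\]+)$",
    re.IGNORECASE)
# Trees a standard user can write into (assumed list); an autorun pointing
# here deserves a look, unlike one under Program Files.
USER_WRITABLE = re.compile(
    r"^(C:\\ProgramData\\|C:\\Users\\[^\\]+\\|C:\\Windows\\Temp\\)", re.IGNORECASE)


def exe_from_details(details):
    r"""Return the executable path from a Run/RunOnce value payload.

    '"C:\a b\x.exe" /s' -> 'C:\a b\x.exe'; unquoted paths are cut at '.exe'.
    """
    d = details.strip()
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d[1:]
    m = re.match(r"(.*?\.exe)(\s|$)", d, re.IGNORECASE)
    return m.group(1) if m else d.split(" ")[0]


def hunt(events):
    """Return findings: autoruns into user-writable paths, dropped autorun
    executables that were then run, and RunOnce values set by >1 process."""
    findings = []
    dropped = {}                   # file path (lower) -> pid that created it
    autorun_exe = {}               # exe path (lower) -> pid that registered it
    writers = defaultdict(set)     # (run|runonce, value name) -> pids that set it
    for ev in events:
        eid, pid = ev["EventID"], ev["ProcessId"]
        if eid == 11:
            dropped[ev["TargetFilename"].lower()] = pid
        elif eid == 13:
            m = AUTORUN_KEY.search(ev["TargetObject"])
            if not m:
                continue
            kind, name = m.group(1).lower(), m.group(2)
            exe = exe_from_details(ev["Details"])
            writers[(kind, name)].add(pid)
            autorun_exe[exe.lower()] = pid
            if USER_WRITABLE.match(exe):
                findings.append({"rule": "autorun_in_user_writable_path", "pid": pid,
                                 "key": kind, "value": name, "exe": exe})
        elif eid == 1:
            img = ev["Image"].lower()
            if img in dropped and img in autorun_exe:
                findings.append({"rule": "dropped_autorun_exe_executed", "pid": pid,
                                 "dropper_pid": dropped[img], "exe": ev["Image"]})
    # RunOnce values are deleted when consumed, so a client that wants to
    # survive must re-write them: the same value set from two processes is the tell.
    for (kind, name), pids in writers.items():
        if kind == "runonce" and len(pids) > 1:
            findings.append({"rule": "runonce_rearmed", "value": name,
                             "pids": sorted(pids)})
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

Run against the constructed events, the hunt flags the two RunOnce writes (PIDs 904 and 2228), the execution of the dropped client.exe, and the re-armed RunOnce value, while the Task Manager process and the Program Files autorun produce nothing. On a real host, feed it Sysmon event IDs 1, 11 and 13 from the Windows event log in the order they were logged.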
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 355KB
MD5:      427d3738eeb619ef2c1ef2510baac15c
SHA1:     1b53ba2b409632de07ba41bd9a1aa62330ab4568
SHA256:   92bd69c3130ecb7a5113f9a5c2dc8463e16e21e6db3414cf0a8342c4dab702e1
SHA512:   fbe735a7107d4eb6272d98da93ad6db9ab172eec5532217c2289bf4bc676ffa287924d63c0d8f8b0adba76be92a6f2f7880bee0ab5bd85c7ac14df52b1b3645c
(same size and hashes as the submitted target)