babylonrat | a4aac1323e3a175a3bc3b49176a364a00cde6fc55ef3bfbdb6e65be197d313cf

General

Target

d9f0268cbaa1ae45dfa755adab9dda2d8bdff3c8bf8a00d23bbc6894c28e225f/PANDUAN_PENGGUNA_MyKHAS.lnk
Size

3KB
MD5

843154177ad124c22d0107ea786b82f8
SHA1

c0d80dfd81bd6b59ae8effad3e2e643da93becb9
SHA256

b9dddf801db527b3895409443fadeeced176b3ccac220395f700e91b151076b0
SHA512

527291e9d492b0891277a9fdf13e5dcd41aed2fb993ba8c3eaa9a3adc42393548f9f3e0b39ead176087949787aa2bc407c6512684be4c3913702d6abf1a947a8

Score

10^/10

babylonrat discovery execution persistence trojan upx

Malware Config

Extracted

Family

babylonrat

C2

149.28.19.207

fund.sekretariatparti.org

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2224	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2660	controller.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/2644-59-0x0000000000380000-0x000000000044A000-memory.dmp	upx
behavioral3/memory/2644-60-0x0000000000380000-0x000000000044A000-memory.dmp	upx
behavioral3/memory/2644-62-0x0000000000380000-0x000000000044A000-memory.dmp	upx
behavioral3/memory/2644-64-0x0000000000380000-0x000000000044A000-memory.dmp	upx
behavioral3/memory/2644-61-0x0000000000380000-0x000000000044A000-memory.dmp	upx
behavioral3/memory/2660-72-0x0000000000660000-0x000000000072A000-memory.dmp	upx
behavioral3/memory/2660-73-0x0000000000660000-0x000000000072A000-memory.dmp	upx
behavioral3/memory/2644-91-0x0000000000380000-0x000000000044A000-memory.dmp	upx
behavioral3/memory/2644-93-0x0000000000380000-0x000000000044A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\USBController = "C:\\Users\\Admin\\AppData\\Roaming\\controller.exe"	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	controller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	controller.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2224	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2644	controller.exe
2768	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeShutdownPrivilege	2644	controller.exe
Token: SeDebugPrivilege	2644	controller.exe
Token: SeTcbPrivilege	2644	controller.exe
Token: SeShutdownPrivilege	2660	controller.exe
Token: SeDebugPrivilege	2660	controller.exe
Token: SeTcbPrivilege	2660	controller.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2768	AcroRd32.exe
2644	controller.exe
2768	AcroRd32.exe
2768	AcroRd32.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2728	2316	cmd.exe	31
PID 2316 wrote to memory of 2728	2316	cmd.exe	31
PID 2316 wrote to memory of 2728	2316	cmd.exe	31
PID 2728 wrote to memory of 2224	2728	cmd.exe	32
PID 2728 wrote to memory of 2224	2728	cmd.exe	32
PID 2728 wrote to memory of 2224	2728	cmd.exe	32
PID 2224 wrote to memory of 2768	2224	powershell.exe	33
PID 2224 wrote to memory of 2768	2224	powershell.exe	33
PID 2224 wrote to memory of 2768	2224	powershell.exe	33
PID 2224 wrote to memory of 2768	2224	powershell.exe	33
PID 2224 wrote to memory of 2644	2224	powershell.exe	34
PID 2224 wrote to memory of 2644	2224	powershell.exe	34
PID 2224 wrote to memory of 2644	2224	powershell.exe	34
PID 2224 wrote to memory of 2644	2224	powershell.exe	34
PID 2224 wrote to memory of 2660	2224	powershell.exe	35
PID 2224 wrote to memory of 2660	2224	powershell.exe	35
PID 2224 wrote to memory of 2660	2224	powershell.exe	35
PID 2224 wrote to memory of 2660	2224	powershell.exe	35

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\d9f0268cbaa1ae45dfa755adab9dda2d8bdff3c8bf8a00d23bbc6894c28e225f\PANDUAN_PENGGUNA_MyKHAS.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -WindowStyle hidden -nologo -executionpolicy bypass -File "PANDUAN_PENGGUNA_MyKHAS.ps1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle hidden -nologo -executionpolicy bypass -File "PANDUAN_PENGGUNA_MyKHAS.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\d9f0268cbaa1ae45dfa755adab9dda2d8bdff3c8bf8a00d23bbc6894c28e225f\PANDUAN_PENGGUNA_MyKHAS.pdf"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:2768
  - - C:\Users\Admin\AppData\Local\Temp\d9f0268cbaa1ae45dfa755adab9dda2d8bdff3c8bf8a00d23bbc6894c28e225f\controller.exe
      "C:\Users\Admin\AppData\Local\Temp\d9f0268cbaa1ae45dfa755adab9dda2d8bdff3c8bf8a00d23bbc6894c28e225f\controller.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2644
  - - C:\Users\Admin\AppData\Roaming\controller.exe
      "C:\Users\Admin\AppData\Roaming\controller.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
d2305ccb559d8a60a1c42f3e71849ffa

SHA1
521a36e99d8d414ad2c5a9f6e094e3416b1c2084

SHA256
a6795b77ce85af21373de226b03f751a0412ae25a240fe9da893ccfef5b9cca2

SHA512
534f09f02babd9958531ef07771246e55654903a6a27afd60d4420a6c9aba27157cbe23c52232b5fb9842c5f19e90c0e68187bfd9a09295764f18cef1557aa18

Download Submit
memory/2224-57-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2224-58-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2644-59-0x0000000000380000-0x000000000044A000-memory.dmp

Filesize
808KB

Download
memory/2644-60-0x0000000000380000-0x000000000044A000-memory.dmp

Filesize
808KB

Download
memory/2644-62-0x0000000000380000-0x000000000044A000-memory.dmp

Filesize
808KB

Download
memory/2644-64-0x0000000000380000-0x000000000044A000-memory.dmp

Filesize
808KB

Download
memory/2644-61-0x0000000000380000-0x000000000044A000-memory.dmp

Filesize
808KB

Download
memory/2644-91-0x0000000000380000-0x000000000044A000-memory.dmp

Filesize
808KB

Download
memory/2644-93-0x0000000000380000-0x000000000044A000-memory.dmp

Filesize
808KB

Download
memory/2660-72-0x0000000000660000-0x000000000072A000-memory.dmp

Filesize
808KB

Download
memory/2660-73-0x0000000000660000-0x000000000072A000-memory.dmp

Filesize
808KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads