Overview

overview

10

Static

static

4

out.iso

windows7-x64

1

out.iso

windows10-2004-x64

1

PANDUAN_PE...AS.lnk

windows7-x64

10

PANDUAN_PE...AS.lnk

windows10-2004-x64

10

PANDUAN_PE...AS.pdf

windows7-x64

3

PANDUAN_PE...AS.pdf

windows10-2004-x64

3

PANDUAN_PE...AS.ps1

windows7-x64

10

PANDUAN_PE...AS.ps1

windows10-2004-x64

10

controller.exe

windows7-x64

10

controller.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    125s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    28-08-2024 14:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PANDUAN_PENGGUNA_MyKHAS.lnk

  • Size

    3KB

  • MD5

    843154177ad124c22d0107ea786b82f8

  • SHA1

    c0d80dfd81bd6b59ae8effad3e2e643da93becb9

  • SHA256

    b9dddf801db527b3895409443fadeeced176b3ccac220395f700e91b151076b0

  • SHA512

    527291e9d492b0891277a9fdf13e5dcd41aed2fb993ba8c3eaa9a3adc42393548f9f3e0b39ead176087949787aa2bc407c6512684be4c3913702d6abf1a947a8

Score
10/10
babylonratdiscoveryexecutionpersistencetrojanupx

Malware Config

Extracted

Family

babylonrat

C2

149.28.19.207

fund.sekretariatparti.org

Signatures

  • Babylon RAT

    Babylon RAT is remote access trojan written in C++.

    trojanbabylonrat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Executes dropped EXE 1 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\PANDUAN_PENGGUNA_MyKHAS.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -WindowStyle hidden -nologo -executionpolicy bypass -File "PANDUAN_PENGGUNA_MyKHAS.ps1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -WindowStyle hidden -nologo -executionpolicy bypass -File "PANDUAN_PENGGUNA_MyKHAS.ps1"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2596
        • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
          "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PANDUAN_PENGGUNA_MyKHAS.pdf"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          PID:1444
        • C:\Users\Admin\AppData\Local\Temp\controller.exe
          "C:\Users\Admin\AppData\Local\Temp\controller.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1440
        • C:\Users\Admin\AppData\Roaming\controller.exe
          "C:\Users\Admin\AppData\Roaming\controller.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2904

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
    Filesize

    3KB

    MD5

    4af06085bd3c875457587069395af965

    SHA1

    6f2ad2571c4f1c5ce0e4307d2c001a4ec9c9fb53

    SHA256

    c1c6a774bcada5295ec06414e463c0f3a70a83252e0728064178b63b0a35d749

    SHA512

    89d990af0b73a22a41adbdb1e8e3a545427f6c32465edd3ee26e878404e74fd85ade8e85ac9080692072ab9eca631075b28086fbb2857c1d2250ac9d7e9dbe9e

    Download Submit

  • memory/1440-59-0x0000000000490000-0x000000000055A000-memory.dmp

    Filesize

    808KB

    Download

  • memory/1440-60-0x0000000000490000-0x000000000055A000-memory.dmp

    Filesize

    808KB

    Download

  • memory/1440-61-0x0000000000490000-0x000000000055A000-memory.dmp

    Filesize

    808KB

    Download

  • memory/1440-64-0x0000000000490000-0x000000000055A000-memory.dmp

    Filesize

    808KB

    Download

  • memory/1440-62-0x0000000000490000-0x000000000055A000-memory.dmp

    Filesize

    808KB

    Download

  • memory/1440-91-0x0000000000490000-0x000000000055A000-memory.dmp

    Filesize

    808KB

    Download

  • memory/1440-93-0x0000000000490000-0x000000000055A000-memory.dmp

    Filesize

    808KB

    Download

  • memory/2596-57-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2596-58-0x0000000001E90000-0x0000000001E98000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2904-72-0x0000000000150000-0x000000000021A000-memory.dmp

    Filesize

    808KB

    Download

  • memory/2904-73-0x0000000000150000-0x000000000021A000-memory.dmp

    Filesize

    808KB

    Download