Analysis
- max time kernel: 125s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 28-08-2024 14:34
Behavioral tasks (sample / resource)
- behavioral1: out.iso / win7-20240704-en
- behavioral2: out.iso / win10v2004-20240802-en
- behavioral3: PANDUAN_PENGGUNA_MyKHAS.lnk / win7-20240705-en
- behavioral4: PANDUAN_PENGGUNA_MyKHAS.lnk / win10v2004-20240802-en
- behavioral5: PANDUAN_PENGGUNA_MyKHAS.pdf / win7-20240705-en
- behavioral6: PANDUAN_PENGGUNA_MyKHAS.pdf / win10v2004-20240802-en
- behavioral7: PANDUAN_PENGGUNA_MyKHAS.ps1 / win7-20240708-en
- behavioral8: PANDUAN_PENGGUNA_MyKHAS.ps1 / win10v2004-20240802-en
- behavioral9: controller.exe / win7-20240704-en
- behavioral10: controller.exe / win10v2004-20240802-en
General
- Target: PANDUAN_PENGGUNA_MyKHAS.lnk
- Size: 3KB
- MD5: 843154177ad124c22d0107ea786b82f8
- SHA1: c0d80dfd81bd6b59ae8effad3e2e643da93becb9
- SHA256: b9dddf801db527b3895409443fadeeced176b3ccac220395f700e91b151076b0
- SHA512: 527291e9d492b0891277a9fdf13e5dcd41aed2fb993ba8c3eaa9a3adc42393548f9f3e0b39ead176087949787aa2bc407c6512684be4c3913702d6abf1a947a8
Malware Config
Extracted
- Family: babylonrat
- C2: 149.28.19.207
- C2: fund.sekretariatparti.org
Signatures
- Babylon RAT
  Babylon RAT is a remote access trojan written in C++.
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Runs PowerShell with a hidden display window.
  pid / Process: 2596 powershell.exe
- Executes dropped EXE (1 IoCs)
  pid / Process: 2904 controller.exe
- yara_rule matches (rule: upx, 9 IoCs)
  resource:
  behavioral3/memory/1440-59-0x0000000000490000-0x000000000055A000-memory.dmp
  behavioral3/memory/1440-60-0x0000000000490000-0x000000000055A000-memory.dmp
  behavioral3/memory/1440-61-0x0000000000490000-0x000000000055A000-memory.dmp
  behavioral3/memory/1440-64-0x0000000000490000-0x000000000055A000-memory.dmp
  behavioral3/memory/1440-62-0x0000000000490000-0x000000000055A000-memory.dmp
  behavioral3/memory/2904-72-0x0000000000150000-0x000000000021A000-memory.dmp
  behavioral3/memory/2904-73-0x0000000000150000-0x000000000021A000-memory.dmp
  behavioral3/memory/1440-91-0x0000000000490000-0x000000000055A000-memory.dmp
  behavioral3/memory/1440-93-0x0000000000490000-0x000000000055A000-memory.dmp
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description / ioc / Process:
  Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\USBController = "C:\\Users\\Admin\\AppData\\Roaming\\controller.exe" | powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | controller.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | controller.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid / Process: 2596 powershell.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid / Process: 1440 controller.exe; 1444 AcroRd32.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description / pid / Process:
  Token: SeDebugPrivilege | 2596 powershell.exe
  Token: SeShutdownPrivilege | 1440 controller.exe
  Token: SeDebugPrivilege | 1440 controller.exe
  Token: SeTcbPrivilege | 1440 controller.exe
  Token: SeShutdownPrivilege | 2904 controller.exe
  Token: SeDebugPrivilege | 2904 controller.exe
  Token: SeTcbPrivilege | 2904 controller.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid / Process: 1440 controller.exe; 1444 AcroRd32.exe; 1444 AcroRd32.exe; 1444 AcroRd32.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  description / pid / Process / procid_target:
  PID 2348 wrote to memory of 2556 | 2348 cmd.exe | 31 (reported 3 times)
  PID 2556 wrote to memory of 2596 | 2556 cmd.exe | 32 (reported 3 times)
  PID 2596 wrote to memory of 1444 | 2596 powershell.exe | 33 (reported 4 times)
  PID 2596 wrote to memory of 1440 | 2596 powershell.exe | 34 (reported 4 times)
  PID 2596 wrote to memory of 2904 | 2596 powershell.exe | 35 (reported 4 times)
Processes (indentation shows the parent/child tree)
- C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\PANDUAN_PENGGUNA_MyKHAS.lnk
  signatures: Suspicious use of WriteProcessMemory
  PID: 2348
  - C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c powershell -WindowStyle hidden -nologo -executionpolicy bypass -File "PANDUAN_PENGGUNA_MyKHAS.ps1"
    signatures: Suspicious use of WriteProcessMemory
    PID: 2556
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell -WindowStyle hidden -nologo -executionpolicy bypass -File "PANDUAN_PENGGUNA_MyKHAS.ps1"
      signatures: Command and Scripting Interpreter: PowerShell; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      PID: 2596
      - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PANDUAN_PENGGUNA_MyKHAS.pdf"
        signatures: System Location Discovery: System Language Discovery; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
        PID: 1444
      - C:\Users\Admin\AppData\Local\Temp\controller.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\controller.exe"
        signatures: System Location Discovery: System Language Discovery; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
        PID: 1440
      - C:\Users\Admin\AppData\Roaming\controller.exe
        command line: "C:\Users\Admin\AppData\Roaming\controller.exe"
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
        PID: 2904
Downloads
- Filesize: 3KB
- MD5: 4af06085bd3c875457587069395af965
- SHA1: 6f2ad2571c4f1c5ce0e4307d2c001a4ec9c9fb53
- SHA256: c1c6a774bcada5295ec06414e463c0f3a70a83252e0728064178b63b0a35d749
- SHA512: 89d990af0b73a22a41adbdb1e8e3a545427f6c32465edd3ee26e878404e74fd85ade8e85ac9080692072ab9eca631075b28086fbb2857c1d2250ac9d7e9dbe9e