Overview

Tasks (score badge, task, platform):

  10  Static
   4  out.iso                       windows7-x64
   1  out.iso                       windows10-2004-x64
   1  PANDUAN_PE...AS.lnk           windows7-x64
  10  PANDUAN_PE...AS.lnk           windows10-2004-x64
  10  PANDUAN_PE...AS.pdf           windows7-x64
   3  PANDUAN_PE...AS.pdf           windows10-2004-x64
   3  PANDUAN_PE...AS.ps1           windows7-x64
  10  PANDUAN_PE...AS.ps1           windows10-2004-x64
  10  controller.exe                windows7-x64
  10  controller.exe                windows10-2004-x64
Analysis

  max time kernel    127s
  max time network   147s
  platform           windows7_x64
  resource           win7-20240708-en
  resource tags      arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  submitted          28-08-2024 14:34
Behavioral tasks (task, sample, resource):

  behavioral1    out.iso                        win7-20240704-en
  behavioral2    out.iso                        win10v2004-20240802-en
  behavioral3    PANDUAN_PENGGUNA_MyKHAS.lnk    win7-20240705-en
  behavioral4    PANDUAN_PENGGUNA_MyKHAS.lnk    win10v2004-20240802-en
  behavioral5    PANDUAN_PENGGUNA_MyKHAS.pdf    win7-20240705-en
  behavioral6    PANDUAN_PENGGUNA_MyKHAS.pdf    win10v2004-20240802-en
  behavioral7    PANDUAN_PENGGUNA_MyKHAS.ps1    win7-20240708-en
  behavioral8    PANDUAN_PENGGUNA_MyKHAS.ps1    win10v2004-20240802-en
  behavioral9    controller.exe                 win7-20240704-en
  behavioral10   controller.exe                 win10v2004-20240802-en
General

  Target   PANDUAN_PENGGUNA_MyKHAS.ps1
  Size     627B
  MD5      e7d2e1452702bc0de5a92e745dbdc4a9
  SHA1     da8e9f9f43e29f02e5a0332239f38416f4dff844
  SHA256   b348935e378b57001e6b41d96ae498ca00dd9fb296115a4e036dad8ccc7155d3
  SHA512   28d2c9690f5f104e73404fa025bb09ca3c189b968716ac25f06f3e5c09ad719b17dc5319035f4172e91bb1c74797a4137f2a81f226f0d6ed25a900d1ba1b1293
Malware Config

  Extracted config
    Family   babylonrat
    C2       149.28.19.207
             fund.sekretariatparti.org
Signatures

Babylon RAT
  Babylon RAT is a remote access trojan written in C++.

Executes dropped EXE (1 IoC)
  PID 2804   controller.exe

UPX-packed memory regions (yara rule: upx, task behavioral7)
  PID 2984   0x0000000000130000-0x00000000001FA000   dumps 12, 14, 15, 16, 18, 45, 47
  PID 2804   0x0000000000180000-0x000000000024A000   dumps 26, 27
  Both controller.exe instances unpack to the same UPX-matching region, which is consistent with the Roaming copy being the same packed binary as the one run from Temp.

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)
    \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\USBController
      = "C:\Users\Admin\AppData\Roaming\controller.exe"
    Process: powershell.exe (PID 2528)
  The persistence value is written by the PowerShell script itself, not by the RAT, and points at the dropped copy in %APPDATA%\Roaming; a Run value whose data lives under a user-writable path is the artifact to hunt for on other hosts.

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   AcroRd32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   controller.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   controller.exe
  The AcroRd32.exe hit comes from the legitimate reader opening the bundled PDF and is expected noise; the two controller.exe hits are the ones of interest.

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2528   powershell.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID 2984   controller.exe
  PID 2252   AcroRd32.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
  SeDebugPrivilege      PID 2528   powershell.exe
  SeShutdownPrivilege   PID 2984   controller.exe
  SeDebugPrivilege      PID 2984   controller.exe
  SeTcbPrivilege        PID 2984   controller.exe
  SeShutdownPrivilege   PID 2804   controller.exe
  SeDebugPrivilege      PID 2804   controller.exe
  SeTcbPrivilege        PID 2804   controller.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 2252   AcroRd32.exe   (3 hits)
  PID 2984   controller.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2528 (powershell.exe) wrote to memory of PID 2252   x4   (sandbox procid_target 31)
  PID 2528 (powershell.exe) wrote to memory of PID 2984   x4   (sandbox procid_target 33)
  PID 2528 (powershell.exe) wrote to memory of PID 2804   x4   (sandbox procid_target 34)
  Every target is a direct child that powershell.exe itself spawned (see the process tree below), so these writes match a parent setting up its newly created children rather than injection into an unrelated process.
Processes

Execution chain: the .ps1 is launched with the execution policy bypassed, opens PANDUAN_PENGGUNA_MyKHAS.pdf in Adobe Reader as the visible document, starts controller.exe from %TEMP%, starts a second controller.exe dropped in %APPDATA%\Roaming, and registers that Roaming copy under the Run value USBController so it survives reboot.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   (PID 2528)
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\PANDUAN_PENGGUNA_MyKHAS.ps1
  - Adds Run key to start application
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe   (PID 2252)
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PANDUAN_PENGGUNA_MyKHAS.pdf"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\controller.exe   (PID 2984)
    "C:\Users\Admin\AppData\Local\Temp\controller.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Roaming\controller.exe   (PID 2804)
    "C:\Users\Admin\AppData\Roaming\controller.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
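As an added example (not part of this sandbox report and not code from the sample), the Python below implements the correlation a detection engineer would write for exactly this chain over Sysmon-style events: a script host started with -ExecutionPolicy bypass, an EXE spawned by that host from %TEMP% or %APPDATA%\Roaming, a Run value written by the script host whose data points into a user-writable path, and DNS or TCP activity to the extracted C2 indicators. The PIDs, image paths, command lines, registry value and C2 indicators are taken from this report; the Event record shape, the rule names and the DNS/TCP events are assumptions, since the report's Network section lists nothing for this task.

```python
"""Correlated detection over constructed Sysmon-style events mirroring the
report's process tree.  Added example; not sandbox output or sample code."""
import re
from dataclasses import dataclass

# Indicators copied from the report's "Malware Config" section.
C2_IPS = {"149.28.19.207"}
C2_DOMAINS = {"fund.sekretariatparti.org"}

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)
PS_BYPASS_RE = re.compile(r"-ExecutionPolicy\s+bypass", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Event:
    """Minimal Sysmon-like record (assumed shape); kind is process, registry, dns or net."""
    kind: str
    pid: int
    image: str
    cmdline: str = ""
    parent_pid: int = 0
    target: str = ""   # registry value path, queried domain, or remote IP
    data: str = ""     # registry value data


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (rule, pid) findings in the order they fire.

    The EXE rule is correlated: a child is only flagged when its parent is a
    script host that already fired the execution-policy-bypass rule, so the
    legitimate AcroRd32.exe child (under Program Files) never matches."""
    findings = []
    suspicious_hosts = set()   # PIDs of script hosts seen with -ExecutionPolicy bypass
    for e in events:
        name = _basename(e.image)
        if e.kind == "process":
            if name in SCRIPT_HOSTS and PS_BYPASS_RE.search(e.cmdline):
                suspicious_hosts.add(e.pid)
                findings.append(("script_host_execution_policy_bypass", e.pid))
            if (e.parent_pid in suspicious_hosts and name.endswith(".exe")
                    and USER_WRITABLE_RE.search(e.image)):
                findings.append(("exe_spawned_from_user_writable_path", e.pid))
        elif e.kind == "registry":
            if RUN_KEY_RE.search(e.target) and USER_WRITABLE_RE.search(e.data):
                findings.append(("run_key_points_to_user_writable_path", e.pid))
                if name in SCRIPT_HOSTS:
                    findings.append(("run_key_written_by_script_host", e.pid))
        elif e.kind == "dns":
            if e.target.lower().rstrip(".") in C2_DOMAINS:
                findings.append(("c2_domain_lookup", e.pid))
        elif e.kind == "net":
            if e.target in C2_IPS:
                findings.append(("c2_ip_connection", e.pid))
    return findings


# Constructed events modelled on the report's process tree (PIDs, paths and
# command lines as listed there).  The dns and net events are hypothetical.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\controller.exe"
ROAMING_EXE = r"C:\Users\Admin\AppData\Roaming\controller.exe"
READER = r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"

SAMPLE_EVENTS = [
    Event("process", 2528, PS_IMAGE,
          r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\PANDUAN_PENGGUNA_MyKHAS.ps1"),
    Event("process", 2252, READER,
          f'"{READER}" "C:\\Users\\Admin\\AppData\\Local\\Temp\\PANDUAN_PENGGUNA_MyKHAS.pdf"',
          parent_pid=2528),
    Event("process", 2984, TEMP_EXE, f'"{TEMP_EXE}"', parent_pid=2528),
    Event("registry", 2528, PS_IMAGE,
          target=r"\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000"
                 r"\Software\Microsoft\Windows\CurrentVersion\Run\USBController",
          data=ROAMING_EXE),
    Event("process", 2804, ROAMING_EXE, f'"{ROAMING_EXE}"', parent_pid=2528),
    Event("dns", 2984, TEMP_EXE, target="fund.sekretariatparti.org"),
    Event("net", 2984, TEMP_EXE, target="149.28.19.207"),
]


if __name__ == "__main__":
    for rule, pid in analyze(SAMPLE_EVENTS):
        print(f"{pid:>5}  {rule}")
```

In a SIEM the same four checks map onto Sysmon Event IDs 1 (process create), 13 (registry value set), 22 (DNS query) and 3 (network connection); the correlation state is the set of script-host PIDs, which is what keeps an ordinary `powershell.exe -File` run that launches a signed tool from firing.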
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize   3KB
  MD5        82e0b9816fb45d710595bc9a2187f4ca
  SHA1       b9c00c2c90e069ba5685f4cb11e03fc57d8346ad
  SHA256     d98eea8d43cb67587b5ad7f409973e8874c5f65119c60171d335be9ffc470530
  SHA512     e82c71bdc6884af4135c81b7f3386417c305dbb8d294207cd86bd32cb033a96827bcc13079c486fa3250e4d33b52da3b3720282fbb5447bd8a28ba2def8c4dfa