babylonrat | d9f0268cbaa1ae45dfa755adab9dda2d8bdff3c8bf8a00d23bbc6894c28e225f

General

Target

PANDUAN_PENGGUNA_MyKHAS.ps1
Size

627B
MD5

e7d2e1452702bc0de5a92e745dbdc4a9
SHA1

da8e9f9f43e29f02e5a0332239f38416f4dff844
SHA256

b348935e378b57001e6b41d96ae498ca00dd9fb296115a4e036dad8ccc7155d3
SHA512

28d2c9690f5f104e73404fa025bb09ca3c189b968716ac25f06f3e5c09ad719b17dc5319035f4172e91bb1c74797a4137f2a81f226f0d6ed25a900d1ba1b1293

Score

10^/10

babylonrat discovery execution persistence trojan upx

Malware Config

Extracted

Family

babylonrat

C2

149.28.19.207

fund.sekretariatparti.org

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Executes dropped EXE 1 IoCs

Processes:

controller.exe

pid process

2804 controller.exe

pid	process
2804	controller.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral7/memory/2984-12-0x0000000000130000-0x00000000001FA000-memory.dmp	upx
behavioral7/memory/2984-14-0x0000000000130000-0x00000000001FA000-memory.dmp	upx
behavioral7/memory/2984-15-0x0000000000130000-0x00000000001FA000-memory.dmp	upx
behavioral7/memory/2984-18-0x0000000000130000-0x00000000001FA000-memory.dmp	upx
behavioral7/memory/2984-16-0x0000000000130000-0x00000000001FA000-memory.dmp	upx
behavioral7/memory/2804-26-0x0000000000180000-0x000000000024A000-memory.dmp	upx
behavioral7/memory/2804-27-0x0000000000180000-0x000000000024A000-memory.dmp	upx
behavioral7/memory/2984-45-0x0000000000130000-0x00000000001FA000-memory.dmp	upx
behavioral7/memory/2984-47-0x0000000000130000-0x00000000001FA000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\USBController = "C:\\Users\\Admin\\AppData\\Roaming\\controller.exe"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2528 powershell.exe

pid	process
2528	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AcroRd32.execontroller.execontroller.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	controller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	controller.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2528 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

controller.exeAcroRd32.exe

pid process

2984 controller.exe
2252 AcroRd32.exe

pid	process
2528	powershell.exe

pid	process
2984	controller.exe
2252	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.execontroller.execontroller.exe

description	pid	process
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeShutdownPrivilege	2984	controller.exe
Token: SeDebugPrivilege	2984	controller.exe
Token: SeTcbPrivilege	2984	controller.exe
Token: SeShutdownPrivilege	2804	controller.exe
Token: SeDebugPrivilege	2804	controller.exe
Token: SeTcbPrivilege	2804	controller.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.execontroller.exe

pid process

2252 AcroRd32.exe
2252 AcroRd32.exe
2984 controller.exe
2252 AcroRd32.exe

pid	process
2252	AcroRd32.exe
2252	AcroRd32.exe
2984	controller.exe
2252	AcroRd32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 2528 wrote to memory of 2252	2528	powershell.exe	AcroRd32.exe
PID 2528 wrote to memory of 2252	2528	powershell.exe	AcroRd32.exe
PID 2528 wrote to memory of 2252	2528	powershell.exe	AcroRd32.exe
PID 2528 wrote to memory of 2252	2528	powershell.exe	AcroRd32.exe
PID 2528 wrote to memory of 2984	2528	powershell.exe	controller.exe
PID 2528 wrote to memory of 2984	2528	powershell.exe	controller.exe
PID 2528 wrote to memory of 2984	2528	powershell.exe	controller.exe
PID 2528 wrote to memory of 2984	2528	powershell.exe	controller.exe
PID 2528 wrote to memory of 2804	2528	powershell.exe	controller.exe
PID 2528 wrote to memory of 2804	2528	powershell.exe	controller.exe
PID 2528 wrote to memory of 2804	2528	powershell.exe	controller.exe
PID 2528 wrote to memory of 2804	2528	powershell.exe	controller.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\PANDUAN_PENGGUNA_MyKHAS.ps1
1⤵
- Adds Run key to start application
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PANDUAN_PENGGUNA_MyKHAS.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2252
- C:\Users\Admin\AppData\Local\Temp\controller.exe
  "C:\Users\Admin\AppData\Local\Temp\controller.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2984
- C:\Users\Admin\AppData\Roaming\controller.exe
  "C:\Users\Admin\AppData\Roaming\controller.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
82e0b9816fb45d710595bc9a2187f4ca

SHA1
b9c00c2c90e069ba5685f4cb11e03fc57d8346ad

SHA256
d98eea8d43cb67587b5ad7f409973e8874c5f65119c60171d335be9ffc470530

SHA512
e82c71bdc6884af4135c81b7f3386417c305dbb8d294207cd86bd32cb033a96827bcc13079c486fa3250e4d33b52da3b3720282fbb5447bd8a28ba2def8c4dfa

Download Submit
memory/2528-25-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/2528-7-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/2528-6-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2528-5-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2528-9-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/2528-8-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/2528-10-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/2528-11-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/2528-4-0x000007FEF5A9E000-0x000007FEF5A9F000-memory.dmp

Filesize
4KB

Download
memory/2804-27-0x0000000000180000-0x000000000024A000-memory.dmp

Filesize
808KB

Download
memory/2804-26-0x0000000000180000-0x000000000024A000-memory.dmp

Filesize
808KB

Download
memory/2984-12-0x0000000000130000-0x00000000001FA000-memory.dmp

Filesize
808KB

Download
memory/2984-16-0x0000000000130000-0x00000000001FA000-memory.dmp

Filesize
808KB

Download
memory/2984-18-0x0000000000130000-0x00000000001FA000-memory.dmp

Filesize
808KB

Download
memory/2984-15-0x0000000000130000-0x00000000001FA000-memory.dmp

Filesize
808KB

Download
memory/2984-14-0x0000000000130000-0x00000000001FA000-memory.dmp

Filesize
808KB

Download
memory/2984-45-0x0000000000130000-0x00000000001FA000-memory.dmp

Filesize
808KB

Download
memory/2984-47-0x0000000000130000-0x00000000001FA000-memory.dmp

Filesize
808KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads