Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/09/2024, 13:08

General

  • Target

    cf9acdeb824bb9df6a31761b8dbc487f_JaffaCakes118.exe

  • Size

    41KB

  • MD5

    cf9acdeb824bb9df6a31761b8dbc487f

  • SHA1

    e6585c92833fd710920d738f791341c05852bfeb

  • SHA256

    9f3169004f468804b94ec9c9b8a58b30d9853e8be06ebd7d3d3ea8ca18df6fd2

  • SHA512

    ba78e9f6c26b2900b20853a6287b0dc6f27b7683317d1cf304cc0ad9decb7cad8b56299b408540399ecc9184afaee61ec485024580499cb48d28dfaba6805ce8

  • SSDEEP

    768:7YOYRRNa5FN36puc1C2jT6zhcUDTZxmEyNnyWWaq2:LScx6puOLjT+hcUnA8WVx

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

207.32.216.106:6606

207.32.216.106:7707

207.32.216.106:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    WinSecurity.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Async RAT payload 1 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf9acdeb824bb9df6a31761b8dbc487f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cf9acdeb824bb9df6a31761b8dbc487f_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Users\Admin\AppData\Local\Temp\Client.exe
      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
        "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1556
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WinSecurity" /tr '"C:\Users\Admin\AppData\Roaming\WinSecurity.exe"' & exit
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4908
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "WinSecurity" /tr '"C:\Users\Admin\AppData\Roaming\WinSecurity.exe"'
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:4300
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB0F1.tmp.bat""
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3332
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:1984
          • C:\Users\Admin\AppData\Roaming\WinSecurity.exe
            "C:\Users\Admin\AppData\Roaming\WinSecurity.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1752

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

          Filesize

          45KB

          MD5

          97def300dec6a8ca1b9a055e4b36a2a0

          SHA1

          f46929e192c46c8ffa1a8875d594dc8fc8ae2e62

          SHA256

          4c71010ecc3e194f4d1b06decacd87d0da4ba1b46ee40d09b4fb617f354966fc

          SHA512

          adce42118ccfd4852781c0ada61961c02a6109b2be0ede7599906d3d0ff1553f038b331c09468022c9de5bf7fa3f392a66972dad9c4e6fe904ced399454265b1

        • C:\Users\Admin\AppData\Local\Temp\Client.exe

          Filesize

          32KB

          MD5

          1e35717cd8ddd2281a5acabd483b2a41

          SHA1

          7073616e0959ab9590a7a133ed9d9201e0e8c460

          SHA256

          b9e84d395202a437fd777cded8abb1739bd371369924583f83bb9cd92c6ef2f1

          SHA512

          3e5fd1b5ed6fc43656c7b162f97e74c43dbdac8184bc2289b6324e64eff689f39fcd6f1076504be10adb2eb8014b056bb01db41ac9847641d664a58f29f98482

        • C:\Users\Admin\AppData\Local\Temp\tmpB0F1.tmp.bat

          Filesize

          155B

          MD5

          f564ef10c36dc4a71bc75eda4c4f6990

          SHA1

          2426e5ba65c999e2994739e1af168ad934d72790

          SHA256

          8358d90816e638254c991b063574e229a280b0febc5da92bb4c8b982de25dd6c

          SHA512

          e2f0668cbff61d3854300176b2a185e207b41b7b8ebf7203dac9dc05353059d5d350788cf1fec6329ed0c28a5962cecd9d23badb4ada733e44015b3086e69fa3

        • memory/1556-34-0x0000000000260000-0x0000000000272000-memory.dmp

          Filesize

          72KB

        • memory/1556-35-0x0000000004AF0000-0x0000000004B8C000-memory.dmp

          Filesize

          624KB

        • memory/1648-1-0x00007FFCAAD70000-0x00007FFCAAF65000-memory.dmp

          Filesize

          2.0MB

        • memory/1648-4-0x00007FFCAAD70000-0x00007FFCAAF65000-memory.dmp

          Filesize

          2.0MB

        • memory/1648-16-0x00007FFCAAD70000-0x00007FFCAAF65000-memory.dmp

          Filesize

          2.0MB

        • memory/1648-0-0x0000000000B30000-0x0000000000B40000-memory.dmp

          Filesize

          64KB

        • memory/2552-18-0x00007FFCAAD70000-0x00007FFCAAF65000-memory.dmp

          Filesize

          2.0MB

        • memory/2552-32-0x00007FFCAAD70000-0x00007FFCAAF65000-memory.dmp

          Filesize

          2.0MB

        • memory/2552-21-0x00007FFCAAD70000-0x00007FFCAAF65000-memory.dmp

          Filesize

          2.0MB

        • memory/2552-17-0x0000000000F80000-0x0000000000F8E000-memory.dmp

          Filesize

          56KB