babylonrat | d9f0268cbaa1ae45dfa755adab9dda2d8bdff3c8bf8a00d23bbc6894c28e225f

General

Target

PANDUAN_PENGGUNA_MyKHAS.lnk
Size

3KB
MD5

843154177ad124c22d0107ea786b82f8
SHA1

c0d80dfd81bd6b59ae8effad3e2e643da93becb9
SHA256

b9dddf801db527b3895409443fadeeced176b3ccac220395f700e91b151076b0
SHA512

527291e9d492b0891277a9fdf13e5dcd41aed2fb993ba8c3eaa9a3adc42393548f9f3e0b39ead176087949787aa2bc407c6512684be4c3913702d6abf1a947a8

Score

10^/10

babylonrat discovery execution persistence trojan upx

Malware Config

Extracted

Family

babylonrat

C2

149.28.19.207

fund.sekretariatparti.org

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2764	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1524	controller.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral5/memory/2536-59-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral5/memory/2536-60-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral5/memory/2536-62-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral5/memory/2536-64-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral5/memory/2536-61-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral5/memory/1524-73-0x0000000000430000-0x00000000004FA000-memory.dmp	upx
behavioral5/memory/1524-72-0x0000000000430000-0x00000000004FA000-memory.dmp	upx
behavioral5/memory/2536-91-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral5/memory/2536-93-0x0000000000400000-0x00000000004CA000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\USBController = "C:\\Users\\Admin\\AppData\\Roaming\\controller.exe"	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	controller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	controller.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2764	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2536	controller.exe
3040	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeShutdownPrivilege	2536	controller.exe
Token: SeDebugPrivilege	2536	controller.exe
Token: SeTcbPrivilege	2536	controller.exe
Token: SeShutdownPrivilege	1524	controller.exe
Token: SeDebugPrivilege	1524	controller.exe
Token: SeTcbPrivilege	1524	controller.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3040	AcroRd32.exe
2536	controller.exe
3040	AcroRd32.exe
3040	AcroRd32.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2396	2500	cmd.exe	32
PID 2500 wrote to memory of 2396	2500	cmd.exe	32
PID 2500 wrote to memory of 2396	2500	cmd.exe	32
PID 2396 wrote to memory of 2764	2396	cmd.exe	33
PID 2396 wrote to memory of 2764	2396	cmd.exe	33
PID 2396 wrote to memory of 2764	2396	cmd.exe	33
PID 2764 wrote to memory of 3040	2764	powershell.exe	34
PID 2764 wrote to memory of 3040	2764	powershell.exe	34
PID 2764 wrote to memory of 3040	2764	powershell.exe	34
PID 2764 wrote to memory of 3040	2764	powershell.exe	34
PID 2764 wrote to memory of 2536	2764	powershell.exe	35
PID 2764 wrote to memory of 2536	2764	powershell.exe	35
PID 2764 wrote to memory of 2536	2764	powershell.exe	35
PID 2764 wrote to memory of 2536	2764	powershell.exe	35
PID 2764 wrote to memory of 1524	2764	powershell.exe	36
PID 2764 wrote to memory of 1524	2764	powershell.exe	36
PID 2764 wrote to memory of 1524	2764	powershell.exe	36
PID 2764 wrote to memory of 1524	2764	powershell.exe	36

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\PANDUAN_PENGGUNA_MyKHAS.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -WindowStyle hidden -nologo -executionpolicy bypass -File "PANDUAN_PENGGUNA_MyKHAS.ps1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle hidden -nologo -executionpolicy bypass -File "PANDUAN_PENGGUNA_MyKHAS.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PANDUAN_PENGGUNA_MyKHAS.pdf"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:3040
  - - C:\Users\Admin\AppData\Local\Temp\controller.exe
      "C:\Users\Admin\AppData\Local\Temp\controller.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2536
  - - C:\Users\Admin\AppData\Roaming\controller.exe
      "C:\Users\Admin\AppData\Roaming\controller.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
d51cb569f13b4aae5fd1317b1f21d17a

SHA1
aab04cec94ae5f7270040e46caa672b2a1a42b1c

SHA256
1030d5a194ed2d5790d5bf940d98a7ea4a05f6de8ae5931b7401d0dfb78abb6d

SHA512
9ab26ec3c0d85d7a41ac46f9b3e2e60387b43e85d093f8eacdca8965fc6390e509bffe42e7e5a118c38c04c4797d30fc6f04d3beddb9b760e47b24c8c1ef1d23

Download Submit
memory/1524-73-0x0000000000430000-0x00000000004FA000-memory.dmp

Filesize
808KB

Download
memory/1524-72-0x0000000000430000-0x00000000004FA000-memory.dmp

Filesize
808KB

Download
memory/2536-59-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2536-60-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2536-62-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2536-64-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2536-61-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2536-91-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2536-93-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2764-57-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2764-58-0x00000000029F0000-0x00000000029F8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads