babylonrat | d9f0268cbaa1ae45dfa755adab9dda2d8bdff3c8bf8a00d23bbc6894c28e225f

General

Target

PANDUAN_PENGGUNA_MyKHAS.ps1
Size

627B
MD5

e7d2e1452702bc0de5a92e745dbdc4a9
SHA1

da8e9f9f43e29f02e5a0332239f38416f4dff844
SHA256

b348935e378b57001e6b41d96ae498ca00dd9fb296115a4e036dad8ccc7155d3
SHA512

28d2c9690f5f104e73404fa025bb09ca3c189b968716ac25f06f3e5c09ad719b17dc5319035f4172e91bb1c74797a4137f2a81f226f0d6ed25a900d1ba1b1293

Score

10^/10

babylonrat discovery execution persistence trojan upx

Malware Config

Extracted

Family

babylonrat

C2

149.28.19.207

fund.sekretariatparti.org

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Executes dropped EXE 1 IoCs

Processes:

controller.exe

pid process

2532 controller.exe

pid	process
2532	controller.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral9/memory/2848-11-0x00000000001B0000-0x000000000027A000-memory.dmp	upx
behavioral9/memory/2848-12-0x00000000001B0000-0x000000000027A000-memory.dmp	upx
behavioral9/memory/2848-13-0x00000000001B0000-0x000000000027A000-memory.dmp	upx
behavioral9/memory/2848-14-0x00000000001B0000-0x000000000027A000-memory.dmp	upx
behavioral9/memory/2848-16-0x00000000001B0000-0x000000000027A000-memory.dmp	upx
behavioral9/memory/2532-25-0x0000000000130000-0x00000000001FA000-memory.dmp	upx
behavioral9/memory/2532-24-0x0000000000130000-0x00000000001FA000-memory.dmp	upx
behavioral9/memory/2848-44-0x00000000001B0000-0x000000000027A000-memory.dmp	upx
behavioral9/memory/2848-46-0x00000000001B0000-0x000000000027A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\USBController = "C:\\Users\\Admin\\AppData\\Roaming\\controller.exe"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2304 powershell.exe

pid	process
2304	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AcroRd32.execontroller.execontroller.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	controller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	controller.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2304 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

controller.exeAcroRd32.exe

pid process

2848 controller.exe
2808 AcroRd32.exe

pid	process
2304	powershell.exe

pid	process
2848	controller.exe
2808	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.execontroller.execontroller.exe

description	pid	process
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeShutdownPrivilege	2848	controller.exe
Token: SeDebugPrivilege	2848	controller.exe
Token: SeTcbPrivilege	2848	controller.exe
Token: SeShutdownPrivilege	2532	controller.exe
Token: SeDebugPrivilege	2532	controller.exe
Token: SeTcbPrivilege	2532	controller.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.execontroller.exe

pid process

2808 AcroRd32.exe
2848 controller.exe
2808 AcroRd32.exe
2808 AcroRd32.exe

pid	process
2808	AcroRd32.exe
2848	controller.exe
2808	AcroRd32.exe
2808	AcroRd32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 2304 wrote to memory of 2808	2304	powershell.exe	AcroRd32.exe
PID 2304 wrote to memory of 2808	2304	powershell.exe	AcroRd32.exe
PID 2304 wrote to memory of 2808	2304	powershell.exe	AcroRd32.exe
PID 2304 wrote to memory of 2808	2304	powershell.exe	AcroRd32.exe
PID 2304 wrote to memory of 2848	2304	powershell.exe	controller.exe
PID 2304 wrote to memory of 2848	2304	powershell.exe	controller.exe
PID 2304 wrote to memory of 2848	2304	powershell.exe	controller.exe
PID 2304 wrote to memory of 2848	2304	powershell.exe	controller.exe
PID 2304 wrote to memory of 2532	2304	powershell.exe	controller.exe
PID 2304 wrote to memory of 2532	2304	powershell.exe	controller.exe
PID 2304 wrote to memory of 2532	2304	powershell.exe	controller.exe
PID 2304 wrote to memory of 2532	2304	powershell.exe	controller.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\PANDUAN_PENGGUNA_MyKHAS.ps1
1⤵
- Adds Run key to start application
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PANDUAN_PENGGUNA_MyKHAS.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2808
- C:\Users\Admin\AppData\Local\Temp\controller.exe
  "C:\Users\Admin\AppData\Local\Temp\controller.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2848
- C:\Users\Admin\AppData\Roaming\controller.exe
  "C:\Users\Admin\AppData\Roaming\controller.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
8818f6b8b7185401f703abf052db5675

SHA1
b3d4b5a535b65c72752a64063b0951a1f8c4e115

SHA256
f7822bb4442e054de42686b91b4319d1325aa2b969c1929ec5f02f25986ccb9f

SHA512
da193dea90c87121b14c1444c23c80ba03788e662c3d5c18532bc1cde197cfd990ab3639e0a39f68b1daf2e2f7a4d1412526e00afa87211022bb45327b4b7581

Download Submit
memory/2304-4-0x000007FEF679E000-0x000007FEF679F000-memory.dmp

Filesize
4KB

Download
memory/2304-5-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

Filesize
2.9MB

Download
memory/2304-6-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/2304-7-0x000007FEF64E0000-0x000007FEF6E7D000-memory.dmp

Filesize
9.6MB

Download
memory/2304-8-0x000007FEF64E0000-0x000007FEF6E7D000-memory.dmp

Filesize
9.6MB

Download
memory/2304-9-0x000007FEF64E0000-0x000007FEF6E7D000-memory.dmp

Filesize
9.6MB

Download
memory/2304-10-0x000007FEF64E0000-0x000007FEF6E7D000-memory.dmp

Filesize
9.6MB

Download
memory/2304-26-0x000007FEF64E0000-0x000007FEF6E7D000-memory.dmp

Filesize
9.6MB

Download
memory/2532-25-0x0000000000130000-0x00000000001FA000-memory.dmp

Filesize
808KB

Download
memory/2532-24-0x0000000000130000-0x00000000001FA000-memory.dmp

Filesize
808KB

Download
memory/2848-14-0x00000000001B0000-0x000000000027A000-memory.dmp

Filesize
808KB

Download
memory/2848-16-0x00000000001B0000-0x000000000027A000-memory.dmp

Filesize
808KB

Download
memory/2848-13-0x00000000001B0000-0x000000000027A000-memory.dmp

Filesize
808KB

Download
memory/2848-12-0x00000000001B0000-0x000000000027A000-memory.dmp

Filesize
808KB

Download
memory/2848-11-0x00000000001B0000-0x000000000027A000-memory.dmp

Filesize
808KB

Download
memory/2848-44-0x00000000001B0000-0x000000000027A000-memory.dmp

Filesize
808KB

Download
memory/2848-46-0x00000000001B0000-0x000000000027A000-memory.dmp

Filesize
808KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads