Analysis
-
max time kernel
142s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
03-10-2024 02:45
General
-
Target
0d8cae7fa55a7e095e11fbb9aa4350f7_JaffaCakes118.exe
-
Size
791KB
-
MD5
0d8cae7fa55a7e095e11fbb9aa4350f7
-
SHA1
f0f9bd8f9110fbb06a51f4a987b1444bb96bb6a9
-
SHA256
2bdcbd54ec387b521cdd9e14777d7d24794ba6bb71c85a0402eb2bd8ba8696f0
-
SHA512
1d3da3b90042c7fb1ea2d09741a3f7b69835f5f8a885ddd3ad3d2819f80ed82397d8002d273f26685712183b3c08fb875a7d39a1d60c0e6bb0c89ce2f3033ce4
-
SSDEEP
12288:w0YDrHInYYiaqIH7jc4vfBZj2of9zqHh882KqXRRxFgMzxks+gvJFbWVzK7ISFj:wfjWYcbEc5R2oFWB88F2sKtJwVzK7I
Malware Config
Extracted
babylonrat
kingspy.mywire.org
Signatures
-
Babylon RAT
Babylon RAT is remote access trojan written in C++.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d8cae7fa55a7e095e11fbb9aa4350f7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0d8cae7fa55a7e095e11fbb9aa4350f7_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\winlogon.exe"C:\Users\Admin\AppData\Roaming\winlogon.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
791KB
MD50d8cae7fa55a7e095e11fbb9aa4350f7
SHA1f0f9bd8f9110fbb06a51f4a987b1444bb96bb6a9
SHA2562bdcbd54ec387b521cdd9e14777d7d24794ba6bb71c85a0402eb2bd8ba8696f0
SHA5121d3da3b90042c7fb1ea2d09741a3f7b69835f5f8a885ddd3ad3d2819f80ed82397d8002d273f26685712183b3c08fb875a7d39a1d60c0e6bb0c89ce2f3033ce4
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB