asyncrat | 51ad998f3a847685ef42e7f85f11852d3a90939cb4d7166d7bc002f0ec87fce3

General

Target

2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe
Size

91KB
MD5

2f7c56725edd95e9583197a7edc6d8d2
SHA1

bfd32f963c49656b7ba0a8204e57ed58d8b6cd81
SHA256

51ad998f3a847685ef42e7f85f11852d3a90939cb4d7166d7bc002f0ec87fce3
SHA512

749c3c05dab9224d8234243fca7fe7b2af814778652b2d3e915b15b2abf6f23064daa3218e47c69af462772c89caa0ea424399bc85d7454175357432f4f7ad29
SSDEEP

1536:HTVckhKYIj91aCnBbZ6geIWwYVxf2DfB370lGuKnkbrEgCgqULd6pXGTZcq:HTVckhKJaWbZ6geIWFx253QGuKnkbr7l

Score

10^/10

asyncrat discovery rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

phuccau.exe

pid process

5104 phuccau.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5104	phuccau.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.execmd.execmd.exeschtasks.exetimeout.exephuccau.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	phuccau.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3292 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1732 schtasks.exe

pid	process
3292	timeout.exe

pid	process
1732	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe

pid	process
4148	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe
4148	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe
4148	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe
4148	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe
4148	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe
4148	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe
4148	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe
4148	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe
4148	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe
4148	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe
4148	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe
4148	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe
4148	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe
4148	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe
4148	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe
4148	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe
4148	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe
4148	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe
4148	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe
4148	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe
4148	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exephuccau.exe

description pid process

Token: SeDebugPrivilege 4148 2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe
Token: SeDebugPrivilege 5104 phuccau.exe

description	pid	process
Token: SeDebugPrivilege	4148	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe
Token: SeDebugPrivilege	5104	phuccau.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.execmd.execmd.exe

description	pid	process	target process
PID 4148 wrote to memory of 1592	4148	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe	cmd.exe
PID 4148 wrote to memory of 1592	4148	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe	cmd.exe
PID 4148 wrote to memory of 1592	4148	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe	cmd.exe
PID 4148 wrote to memory of 2636	4148	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe	cmd.exe
PID 4148 wrote to memory of 2636	4148	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe	cmd.exe
PID 4148 wrote to memory of 2636	4148	2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe	cmd.exe
PID 1592 wrote to memory of 1732	1592	cmd.exe	schtasks.exe
PID 1592 wrote to memory of 1732	1592	cmd.exe	schtasks.exe
PID 1592 wrote to memory of 1732	1592	cmd.exe	schtasks.exe
PID 2636 wrote to memory of 3292	2636	cmd.exe	timeout.exe
PID 2636 wrote to memory of 3292	2636	cmd.exe	timeout.exe
PID 2636 wrote to memory of 3292	2636	cmd.exe	timeout.exe
PID 2636 wrote to memory of 5104	2636	cmd.exe	phuccau.exe
PID 2636 wrote to memory of 5104	2636	cmd.exe	phuccau.exe
PID 2636 wrote to memory of 5104	2636	cmd.exe	phuccau.exe

C:\Users\Admin\AppData\Local\Temp\2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f7c56725edd95e9583197a7edc6d8d2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "phuccau" /tr '"C:\Users\Admin\AppData\Roaming\phuccau.exe"' & exit
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "phuccau" /tr '"C:\Users\Admin\AppData\Roaming\phuccau.exe"'
3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA519.tmp.bat""
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3292

C:\Users\Admin\AppData\Roaming\phuccau.exe
"C:\Users\Admin\AppData\Roaming\phuccau.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA519.tmp.bat

Filesize
151B

MD5
bda77714abcc9f94194c2ee40caf858b

SHA1
e55adbca53890c7c59249c49639c1d6ad498ae2d

SHA256
7742506bf80484a84e0ad9b68b01da5554e7086eed715c3e0494c5c5eded8408

SHA512
2b6627dfee6ef05c55aaebb6814a64a340cce7d7d8cbb350d6a20d0bbd4a26e453fa87268dc18e0588e157f97c3f1a8e6ed73aa9e1d7abced8d0a9de90a9daaa

Download Submit
C:\Users\Admin\AppData\Roaming\phuccau.exe

Filesize
91KB

MD5
2f7c56725edd95e9583197a7edc6d8d2

SHA1
bfd32f963c49656b7ba0a8204e57ed58d8b6cd81

SHA256
51ad998f3a847685ef42e7f85f11852d3a90939cb4d7166d7bc002f0ec87fce3

SHA512
749c3c05dab9224d8234243fca7fe7b2af814778652b2d3e915b15b2abf6f23064daa3218e47c69af462772c89caa0ea424399bc85d7454175357432f4f7ad29

Download Submit
memory/4148-0-0x00000000746DE000-0x00000000746DF000-memory.dmp

Filesize
4KB

Download
memory/4148-1-0x00000000006F0000-0x000000000070C000-memory.dmp

Filesize
112KB

Download
memory/4148-2-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4148-3-0x00000000050D0000-0x000000000516C000-memory.dmp

Filesize
624KB

Download
memory/4148-8-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/5104-13-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/5104-14-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads