asyncrat | 5647b223088d5f7055db455ce7c82de9a1f762126af37635e29b7ef84963ebf5

General

Target

3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe
Size

422KB
MD5

3667642dbd2ed4f103292dd8944fc719
SHA1

54316089a0d981867f12d4ac551173cfde17233f
SHA256

5647b223088d5f7055db455ce7c82de9a1f762126af37635e29b7ef84963ebf5
SHA512

6858d1eeb7d9482029c06308a29bd512135bb7d20bad8e999c28ccb7a5544a50c6b9a619d338542dbb5371209a407ba948fc6dec1cdec3ab922c5af06180ca1b
SSDEEP

6144:Mvvu5zBxMQssziYWZTZ6ZSd2e2efswGaEXEdr10SH8+pOD4tyraO:OyiYWN408efsDaE0drS+OD4Ar

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

127.0.0.1:2510

194.5.98.81:2510

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
20
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2008 svchost.exe
1160 svchost.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1924 cmd.exe

pid	process
2008	svchost.exe
1160	svchost.exe

pid	process
1924	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exesvchost.exe

description	pid	process	target process
PID 1672 set thread context of 2636	1672	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe
PID 2008 set thread context of 1160	2008	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exetimeout.exeschtasks.exesvchost.execmd.exesvchost.exe3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exeschtasks.exe3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2732 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2768 schtasks.exe
1324 schtasks.exe
2844 schtasks.exe

pid	process
2732	timeout.exe

pid	process
2768	schtasks.exe
1324	schtasks.exe
2844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe

pid	process
1672	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe
1672	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe
1672	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe
2636	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe
2636	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe
2636	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1672	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe
Token: SeDebugPrivilege	2636	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	1160	svchost.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.execmd.execmd.exesvchost.exe

description	pid	process	target process
PID 1672 wrote to memory of 2768	1672	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe	schtasks.exe
PID 1672 wrote to memory of 2768	1672	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe	schtasks.exe
PID 1672 wrote to memory of 2768	1672	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe	schtasks.exe
PID 1672 wrote to memory of 2768	1672	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe	schtasks.exe
PID 1672 wrote to memory of 2796	1672	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe
PID 1672 wrote to memory of 2796	1672	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe
PID 1672 wrote to memory of 2796	1672	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe
PID 1672 wrote to memory of 2796	1672	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe
PID 1672 wrote to memory of 2636	1672	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe
PID 1672 wrote to memory of 2636	1672	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe
PID 1672 wrote to memory of 2636	1672	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe
PID 1672 wrote to memory of 2636	1672	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe
PID 1672 wrote to memory of 2636	1672	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe
PID 1672 wrote to memory of 2636	1672	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe
PID 1672 wrote to memory of 2636	1672	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe
PID 1672 wrote to memory of 2636	1672	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe
PID 1672 wrote to memory of 2636	1672	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe
PID 2636 wrote to memory of 2292	2636	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe	cmd.exe
PID 2636 wrote to memory of 2292	2636	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe	cmd.exe
PID 2636 wrote to memory of 2292	2636	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe	cmd.exe
PID 2636 wrote to memory of 2292	2636	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe	cmd.exe
PID 2636 wrote to memory of 1924	2636	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe	cmd.exe
PID 2636 wrote to memory of 1924	2636	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe	cmd.exe
PID 2636 wrote to memory of 1924	2636	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe	cmd.exe
PID 2636 wrote to memory of 1924	2636	3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe	cmd.exe
PID 2292 wrote to memory of 1324	2292	cmd.exe	schtasks.exe
PID 2292 wrote to memory of 1324	2292	cmd.exe	schtasks.exe
PID 2292 wrote to memory of 1324	2292	cmd.exe	schtasks.exe
PID 2292 wrote to memory of 1324	2292	cmd.exe	schtasks.exe
PID 1924 wrote to memory of 2732	1924	cmd.exe	timeout.exe
PID 1924 wrote to memory of 2732	1924	cmd.exe	timeout.exe
PID 1924 wrote to memory of 2732	1924	cmd.exe	timeout.exe
PID 1924 wrote to memory of 2732	1924	cmd.exe	timeout.exe
PID 1924 wrote to memory of 2008	1924	cmd.exe	svchost.exe
PID 1924 wrote to memory of 2008	1924	cmd.exe	svchost.exe
PID 1924 wrote to memory of 2008	1924	cmd.exe	svchost.exe
PID 1924 wrote to memory of 2008	1924	cmd.exe	svchost.exe
PID 2008 wrote to memory of 2844	2008	svchost.exe	schtasks.exe
PID 2008 wrote to memory of 2844	2008	svchost.exe	schtasks.exe
PID 2008 wrote to memory of 2844	2008	svchost.exe	schtasks.exe
PID 2008 wrote to memory of 2844	2008	svchost.exe	schtasks.exe
PID 2008 wrote to memory of 1160	2008	svchost.exe	svchost.exe
PID 2008 wrote to memory of 1160	2008	svchost.exe	svchost.exe
PID 2008 wrote to memory of 1160	2008	svchost.exe	svchost.exe
PID 2008 wrote to memory of 1160	2008	svchost.exe	svchost.exe
PID 2008 wrote to memory of 1160	2008	svchost.exe	svchost.exe
PID 2008 wrote to memory of 1160	2008	svchost.exe	svchost.exe
PID 2008 wrote to memory of 1160	2008	svchost.exe	svchost.exe
PID 2008 wrote to memory of 1160	2008	svchost.exe	svchost.exe
PID 2008 wrote to memory of 1160	2008	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BQLmrI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5448.tmp"
2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Users\Admin\AppData\Local\Temp\3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe
"{path}"
2⤵
PID:2796

C:\Users\Admin\AppData\Local\Temp\3667642dbd2ed4f103292dd8944fc719_JaffaCakes118.exe
"{path}"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA87F.tmp.bat""
3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2732

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BQLmrI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2FC7.tmp"
5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Users\Admin\AppData\Roaming\svchost.exe
"{path}"
5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5448.tmp

Filesize
1KB

MD5
bd64b517c8437a8fdbbdb593268352c3

SHA1
79678681314bf509272d06ea37066caf462d0547

SHA256
135ebc00670b10f777bfb7ca689242d0f5683c4e832726370d9bd0f34a0b9a9f

SHA512
40af7ee4140f02ae8e99a73849351a821848cf0606fe59cdc9aa0dcd3a17206acfc08b60c60737c5427fd569c3efc3436fa5ee398cf8660b8b5e91ea527a340f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA87F.tmp.bat

Filesize
151B

MD5
d56862f4ab2436ca13b49f1d4418cf0c

SHA1
8bfeeb7ca8d4953920f60858aad5c4a2b219d1ac

SHA256
4e1de60e7ded4714d931c67a2746e8887b1a18e03b20f83d26764b919b42580f

SHA512
105b4f8e0bd5ff9540f63bcbefe3029c3cc57cc0f2173f162dcfa35dbbf112827d610fcbf4f5ffbfcc8437a6d1a345e5ebc5cbc5f9de619a5eb9b834c4219d6b

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
422KB

MD5
3667642dbd2ed4f103292dd8944fc719

SHA1
54316089a0d981867f12d4ac551173cfde17233f

SHA256
5647b223088d5f7055db455ce7c82de9a1f762126af37635e29b7ef84963ebf5

SHA512
6858d1eeb7d9482029c06308a29bd512135bb7d20bad8e999c28ccb7a5544a50c6b9a619d338542dbb5371209a407ba948fc6dec1cdec3ab922c5af06180ca1b

Download Submit
memory/1160-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1160-57-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1160-54-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1672-4-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/1672-7-0x0000000004FF0000-0x000000000505E000-memory.dmp

Filesize
440KB

Download
memory/1672-8-0x00000000005F0000-0x000000000060C000-memory.dmp

Filesize
112KB

Download
memory/1672-6-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/1672-5-0x000000007412E000-0x000000007412F000-memory.dmp

Filesize
4KB

Download
memory/1672-26-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/1672-3-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/1672-0-0x000000007412E000-0x000000007412F000-memory.dmp

Filesize
4KB

Download
memory/1672-2-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/1672-1-0x0000000000310000-0x0000000000380000-memory.dmp

Filesize
448KB

Download
memory/2008-43-0x0000000000B20000-0x0000000000B90000-memory.dmp

Filesize
448KB

Download
memory/2636-21-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2636-27-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/2636-25-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2636-28-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/2636-29-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/2636-23-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2636-38-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/2636-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2636-14-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2636-16-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2636-17-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2636-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads