asyncrat | dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879

Analysis

max time kernel
126s
max time network
136s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-12-2024 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe
Size

426KB
MD5

168378e8a46b7d46dff6f1ef480e35c1
SHA1

03f9d268aa5fc76e623175f43570a85cb246bf07
SHA256

dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879
SHA512

4dec9d14fa148031ff2fce5111d2f7c4153787ebc3c46b27934892ea92b9d5377d196abcbbe5fdd3336dd26f6d601e162468d780f6d3fd4d26cb169b0dd038c3
SSDEEP

6144:4+7NTvA0b6XG1MRTlwQaZmrH6YqsYJuAg5/41iOO7gvqipDi/+:4ovt621MHamrH6YGuAa/41itsvqKY+

Score

10^/10

asyncrat venom clients discovery rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

venom12345.duckdns.org:4449

venomunverified.duckdns.org:4449

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Executes dropped EXE 2 IoCs

pid	Process
660	svchost.exe
2256	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2944 set thread context of 2500	2944	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	31
PID 660 set thread context of 796	660	svchost.exe	41
PID 2256 set thread context of 2096	2256	svchost.exe	51

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2680	schtasks.exe
540	schtasks.exe
1992	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	RegAsm.exe
Token: SeDebugPrivilege	796	RegAsm.exe
Token: SeDebugPrivilege	2096	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2500	2944	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	31
PID 2944 wrote to memory of 2500	2944	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	31
PID 2944 wrote to memory of 2500	2944	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	31
PID 2944 wrote to memory of 2500	2944	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	31
PID 2944 wrote to memory of 2500	2944	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	31
PID 2944 wrote to memory of 2500	2944	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	31
PID 2944 wrote to memory of 2500	2944	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	31
PID 2944 wrote to memory of 2500	2944	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	31
PID 2944 wrote to memory of 2500	2944	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	31
PID 2944 wrote to memory of 2500	2944	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	31
PID 2944 wrote to memory of 2500	2944	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	31
PID 2944 wrote to memory of 2500	2944	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	31
PID 2944 wrote to memory of 3064	2944	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	32
PID 2944 wrote to memory of 3064	2944	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	32
PID 2944 wrote to memory of 3064	2944	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	32
PID 2944 wrote to memory of 3064	2944	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	32
PID 2944 wrote to memory of 2712	2944	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	34
PID 2944 wrote to memory of 2712	2944	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	34
PID 2944 wrote to memory of 2712	2944	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	34
PID 2944 wrote to memory of 2712	2944	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	34
PID 2944 wrote to memory of 2252	2944	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	36
PID 2944 wrote to memory of 2252	2944	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	36
PID 2944 wrote to memory of 2252	2944	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	36
PID 2944 wrote to memory of 2252	2944	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	36
PID 2712 wrote to memory of 2680	2712	cmd.exe	38
PID 2712 wrote to memory of 2680	2712	cmd.exe	38
PID 2712 wrote to memory of 2680	2712	cmd.exe	38
PID 2712 wrote to memory of 2680	2712	cmd.exe	38
PID 1600 wrote to memory of 660	1600	taskeng.exe	40
PID 1600 wrote to memory of 660	1600	taskeng.exe	40
PID 1600 wrote to memory of 660	1600	taskeng.exe	40
PID 1600 wrote to memory of 660	1600	taskeng.exe	40
PID 660 wrote to memory of 796	660	svchost.exe	41
PID 660 wrote to memory of 796	660	svchost.exe	41
PID 660 wrote to memory of 796	660	svchost.exe	41
PID 660 wrote to memory of 796	660	svchost.exe	41
PID 660 wrote to memory of 796	660	svchost.exe	41
PID 660 wrote to memory of 796	660	svchost.exe	41
PID 660 wrote to memory of 796	660	svchost.exe	41
PID 660 wrote to memory of 796	660	svchost.exe	41
PID 660 wrote to memory of 796	660	svchost.exe	41
PID 660 wrote to memory of 796	660	svchost.exe	41
PID 660 wrote to memory of 796	660	svchost.exe	41
PID 660 wrote to memory of 796	660	svchost.exe	41
PID 660 wrote to memory of 2760	660	svchost.exe	42
PID 660 wrote to memory of 2760	660	svchost.exe	42
PID 660 wrote to memory of 2760	660	svchost.exe	42
PID 660 wrote to memory of 2760	660	svchost.exe	42
PID 660 wrote to memory of 756	660	svchost.exe	44
PID 660 wrote to memory of 756	660	svchost.exe	44
PID 660 wrote to memory of 756	660	svchost.exe	44
PID 660 wrote to memory of 756	660	svchost.exe	44
PID 660 wrote to memory of 1560	660	svchost.exe	46
PID 660 wrote to memory of 1560	660	svchost.exe	46
PID 660 wrote to memory of 1560	660	svchost.exe	46
PID 660 wrote to memory of 1560	660	svchost.exe	46
PID 756 wrote to memory of 540	756	cmd.exe	48
PID 756 wrote to memory of 540	756	cmd.exe	48
PID 756 wrote to memory of 540	756	cmd.exe	48
PID 756 wrote to memory of 540	756	cmd.exe	48
PID 1600 wrote to memory of 2256	1600	taskeng.exe	50
PID 1600 wrote to memory of 2256	1600	taskeng.exe	50
PID 1600 wrote to memory of 2256	1600	taskeng.exe	50
PID 1600 wrote to memory of 2256	1600	taskeng.exe	50

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3064
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2252

C:\Windows\system32\taskeng.exe
taskeng.exe {8DF9EB25-4391-4F98-BB15-AC73C0F9B19F} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:660
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:796
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:540
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1560
- C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2256
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:944
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1972
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1992
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
426KB

MD5
168378e8a46b7d46dff6f1ef480e35c1

SHA1
03f9d268aa5fc76e623175f43570a85cb246bf07

SHA256
dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879

SHA512
4dec9d14fa148031ff2fce5111d2f7c4153787ebc3c46b27934892ea92b9d5377d196abcbbe5fdd3336dd26f6d601e162468d780f6d3fd4d26cb169b0dd038c3

Download Submit
memory/660-23-0x0000000000C30000-0x0000000000CA2000-memory.dmp

Filesize
456KB

Download
memory/2500-7-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2500-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2500-9-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2500-5-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2500-13-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2500-17-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2500-15-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2500-3-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2944-0-0x0000000074C6E000-0x0000000074C6F000-memory.dmp

Filesize
4KB

Download
memory/2944-18-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download
memory/2944-2-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download
memory/2944-1-0x0000000000BC0000-0x0000000000C32000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads