asyncrat | dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2024 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe
Size

426KB
MD5

168378e8a46b7d46dff6f1ef480e35c1
SHA1

03f9d268aa5fc76e623175f43570a85cb246bf07
SHA256

dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879
SHA512

4dec9d14fa148031ff2fce5111d2f7c4153787ebc3c46b27934892ea92b9d5377d196abcbbe5fdd3336dd26f6d601e162468d780f6d3fd4d26cb169b0dd038c3
SSDEEP

6144:4+7NTvA0b6XG1MRTlwQaZmrH6YqsYJuAg5/41iOO7gvqipDi/+:4ovt621MHamrH6YGuAa/41itsvqKY+

Score

10^/10

asyncrat venom clients discovery rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

venom12345.duckdns.org:4449

venomunverified.duckdns.org:4449

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Executes dropped EXE 2 IoCs

pid	Process
1416	svchost.exe
1768	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3276 set thread context of 3652	3276	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	84
PID 1416 set thread context of 376	1416	svchost.exe	109
PID 1768 set thread context of 4984	1768	svchost.exe	118

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1228	schtasks.exe
4100	schtasks.exe
3992	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3652	RegAsm.exe
Token: SeDebugPrivilege	376	RegAsm.exe
Token: SeDebugPrivilege	4984	RegAsm.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 3276 wrote to memory of 3652	3276	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	84
PID 3276 wrote to memory of 3652	3276	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	84
PID 3276 wrote to memory of 3652	3276	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	84
PID 3276 wrote to memory of 3652	3276	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	84
PID 3276 wrote to memory of 3652	3276	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	84
PID 3276 wrote to memory of 3652	3276	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	84
PID 3276 wrote to memory of 3652	3276	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	84
PID 3276 wrote to memory of 3652	3276	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	84
PID 3276 wrote to memory of 4204	3276	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	85
PID 3276 wrote to memory of 4204	3276	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	85
PID 3276 wrote to memory of 4204	3276	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	85
PID 3276 wrote to memory of 1136	3276	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	87
PID 3276 wrote to memory of 1136	3276	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	87
PID 3276 wrote to memory of 1136	3276	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	87
PID 3276 wrote to memory of 4196	3276	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	89
PID 3276 wrote to memory of 4196	3276	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	89
PID 3276 wrote to memory of 4196	3276	JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe	89
PID 1136 wrote to memory of 1228	1136	cmd.exe	91
PID 1136 wrote to memory of 1228	1136	cmd.exe	91
PID 1136 wrote to memory of 1228	1136	cmd.exe	91
PID 1416 wrote to memory of 376	1416	svchost.exe	109
PID 1416 wrote to memory of 376	1416	svchost.exe	109
PID 1416 wrote to memory of 376	1416	svchost.exe	109
PID 1416 wrote to memory of 376	1416	svchost.exe	109
PID 1416 wrote to memory of 376	1416	svchost.exe	109
PID 1416 wrote to memory of 376	1416	svchost.exe	109
PID 1416 wrote to memory of 376	1416	svchost.exe	109
PID 1416 wrote to memory of 376	1416	svchost.exe	109
PID 1416 wrote to memory of 2940	1416	svchost.exe	110
PID 1416 wrote to memory of 2940	1416	svchost.exe	110
PID 1416 wrote to memory of 2940	1416	svchost.exe	110
PID 1416 wrote to memory of 1684	1416	svchost.exe	111
PID 1416 wrote to memory of 1684	1416	svchost.exe	111
PID 1416 wrote to memory of 1684	1416	svchost.exe	111
PID 1416 wrote to memory of 3252	1416	svchost.exe	113
PID 1416 wrote to memory of 3252	1416	svchost.exe	113
PID 1416 wrote to memory of 3252	1416	svchost.exe	113
PID 1684 wrote to memory of 4100	1684	cmd.exe	116
PID 1684 wrote to memory of 4100	1684	cmd.exe	116
PID 1684 wrote to memory of 4100	1684	cmd.exe	116
PID 1768 wrote to memory of 4984	1768	svchost.exe	118
PID 1768 wrote to memory of 4984	1768	svchost.exe	118
PID 1768 wrote to memory of 4984	1768	svchost.exe	118
PID 1768 wrote to memory of 4984	1768	svchost.exe	118
PID 1768 wrote to memory of 4984	1768	svchost.exe	118
PID 1768 wrote to memory of 4984	1768	svchost.exe	118
PID 1768 wrote to memory of 4984	1768	svchost.exe	118
PID 1768 wrote to memory of 4984	1768	svchost.exe	118
PID 1768 wrote to memory of 3172	1768	svchost.exe	119
PID 1768 wrote to memory of 3172	1768	svchost.exe	119
PID 1768 wrote to memory of 3172	1768	svchost.exe	119
PID 1768 wrote to memory of 3908	1768	svchost.exe	120
PID 1768 wrote to memory of 3908	1768	svchost.exe	120
PID 1768 wrote to memory of 3908	1768	svchost.exe	120
PID 1768 wrote to memory of 888	1768	svchost.exe	122
PID 1768 wrote to memory of 888	1768	svchost.exe	122
PID 1768 wrote to memory of 888	1768	svchost.exe	122
PID 3908 wrote to memory of 3992	3908	cmd.exe	125
PID 3908 wrote to memory of 3992	3908	cmd.exe	125
PID 3908 wrote to memory of 3992	3908	cmd.exe	125

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3652
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4204
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1228
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4196

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:376
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2940
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4100
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3252

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4984
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3172
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3992
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
426KB

MD5
168378e8a46b7d46dff6f1ef480e35c1

SHA1
03f9d268aa5fc76e623175f43570a85cb246bf07

SHA256
dd94071cab75b6c0edd947b57439ec3a70e0c45fa9add74396d9a8058cfcd879

SHA512
4dec9d14fa148031ff2fce5111d2f7c4153787ebc3c46b27934892ea92b9d5377d196abcbbe5fdd3336dd26f6d601e162468d780f6d3fd4d26cb169b0dd038c3

Download Submit
memory/3276-0-0x0000000074C7E000-0x0000000074C7F000-memory.dmp

Filesize
4KB

Download
memory/3276-1-0x0000000000160000-0x00000000001D2000-memory.dmp

Filesize
456KB

Download
memory/3276-2-0x0000000074C70000-0x0000000075420000-memory.dmp

Filesize
7.7MB

Download
memory/3276-6-0x0000000074C70000-0x0000000075420000-memory.dmp

Filesize
7.7MB

Download
memory/3652-3-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3652-5-0x0000000074C70000-0x0000000075420000-memory.dmp

Filesize
7.7MB

Download
memory/3652-9-0x0000000074C70000-0x0000000075420000-memory.dmp

Filesize
7.7MB

Download
memory/3652-10-0x0000000074C70000-0x0000000075420000-memory.dmp

Filesize
7.7MB

Download
memory/3652-11-0x0000000074C70000-0x0000000075420000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads