asyncrat | 185b8075ebe0e41cfdabdb9f1d676c417778ccc2861dbc98f00a8dd8cfbc199b

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_622b97f6333970486d841abf78e3fdb8.exe
Size

186KB
MD5

622b97f6333970486d841abf78e3fdb8
SHA1

7faf2915ab113571dcc2a2cc81d21e988ea5b94f
SHA256

185b8075ebe0e41cfdabdb9f1d676c417778ccc2861dbc98f00a8dd8cfbc199b
SHA512

642a85b022b92c1bf7443fbcb6693c920c9c1463ac8824cf20dadd78390493fe51a40b52f5b8dea143cf4834e4c49451767c3c9f912603ea1aac54061dc5263b
SSDEEP

384:LlAR5043qPe6L5w/ep7Q8xi7FXhopJOWfDAyMx7UcvhfBT8+vMmN+tVgvKneyqLx:mRdzGVvk+nXqU2r

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
Runtime Broker.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/CmxpZKhW

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000012117-3.dat	family_asyncrat

Executes dropped EXE 2 IoCs

pid	Process
2256	GQIyv..exe
1996	Runtime Broker.exe

Loads dropped DLL 2 IoCs

pid	Process
2912	JaffaCakes118_622b97f6333970486d841abf78e3fdb8.exe
2440	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com
6	0.tcp.ngrok.io
12	0.tcp.ngrok.io
21	0.tcp.ngrok.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2540	2912	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Broker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_622b97f6333970486d841abf78e3fdb8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GQIyv..exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2640	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2256	GQIyv..exe
2256	GQIyv..exe
2256	GQIyv..exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	GQIyv..exe
Token: SeDebugPrivilege	1996	Runtime Broker.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2256	2912	JaffaCakes118_622b97f6333970486d841abf78e3fdb8.exe	30
PID 2912 wrote to memory of 2256	2912	JaffaCakes118_622b97f6333970486d841abf78e3fdb8.exe	30
PID 2912 wrote to memory of 2256	2912	JaffaCakes118_622b97f6333970486d841abf78e3fdb8.exe	30
PID 2912 wrote to memory of 2256	2912	JaffaCakes118_622b97f6333970486d841abf78e3fdb8.exe	30
PID 2912 wrote to memory of 2540	2912	JaffaCakes118_622b97f6333970486d841abf78e3fdb8.exe	31
PID 2912 wrote to memory of 2540	2912	JaffaCakes118_622b97f6333970486d841abf78e3fdb8.exe	31
PID 2912 wrote to memory of 2540	2912	JaffaCakes118_622b97f6333970486d841abf78e3fdb8.exe	31
PID 2912 wrote to memory of 2540	2912	JaffaCakes118_622b97f6333970486d841abf78e3fdb8.exe	31
PID 2256 wrote to memory of 2992	2256	GQIyv..exe	33
PID 2256 wrote to memory of 2992	2256	GQIyv..exe	33
PID 2256 wrote to memory of 2992	2256	GQIyv..exe	33
PID 2256 wrote to memory of 2992	2256	GQIyv..exe	33
PID 2256 wrote to memory of 2440	2256	GQIyv..exe	35
PID 2256 wrote to memory of 2440	2256	GQIyv..exe	35
PID 2256 wrote to memory of 2440	2256	GQIyv..exe	35
PID 2256 wrote to memory of 2440	2256	GQIyv..exe	35
PID 2992 wrote to memory of 2960	2992	cmd.exe	37
PID 2992 wrote to memory of 2960	2992	cmd.exe	37
PID 2992 wrote to memory of 2960	2992	cmd.exe	37
PID 2992 wrote to memory of 2960	2992	cmd.exe	37
PID 2440 wrote to memory of 2640	2440	cmd.exe	38
PID 2440 wrote to memory of 2640	2440	cmd.exe	38
PID 2440 wrote to memory of 2640	2440	cmd.exe	38
PID 2440 wrote to memory of 2640	2440	cmd.exe	38
PID 2440 wrote to memory of 1996	2440	cmd.exe	40
PID 2440 wrote to memory of 1996	2440	cmd.exe	40
PID 2440 wrote to memory of 1996	2440	cmd.exe	40
PID 2440 wrote to memory of 1996	2440	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_622b97f6333970486d841abf78e3fdb8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_622b97f6333970486d841abf78e3fdb8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\GQIyv..exe
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\GQIyv..exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC265.tmp.bat""
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2640
  - - C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
      "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1996
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 900
  2⤵
  - Program crash
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC265.tmp.bat

Filesize
158B

MD5
d1763941dd751b5d38689864c7f11572

SHA1
90aedee7048de9a2871e3ca6f7ae8efb2a23e928

SHA256
ccdb1e39b6ebb2dbb0fad9350924d7d99f1cd608a4d9927f969a93a91b7cc872

SHA512
8cff2fb7d6d8c05cfe223bf4aabe3c6ecf3924958afef229d9393439d9b2af38a169e8e6bf48cddc0aa0919b778ff1c02c52a37f4998c80f95880912efe759dc

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\GQIyv..exe

Filesize
45KB

MD5
96ca55aa4324d544bb66e1e00a0cd53f

SHA1
d313b17ad8d186cbb1b935fae08a8fd728f57027

SHA256
aefa7577517ff9d0e9dc7c2152ec1830a9b0addb791a53778d87b7998defbf39

SHA512
ff109063070060c76cf14486d23dbe86cf6f19e690a88d173339a46ee9e9449189aa08aa11660b4a02abf5d8ebae18e451f0bcb741a2f7c72b0490cfaf676fab

Download Submit
memory/1996-25-0x00000000010A0000-0x00000000010B2000-memory.dmp

Filesize
72KB

Download
memory/2256-9-0x0000000001090000-0x00000000010A2000-memory.dmp

Filesize
72KB

Download
memory/2256-10-0x0000000074CE0000-0x00000000753CE000-memory.dmp

Filesize
6.9MB

Download
memory/2256-11-0x0000000074CE0000-0x00000000753CE000-memory.dmp

Filesize
6.9MB

Download
memory/2256-20-0x0000000074CE0000-0x00000000753CE000-memory.dmp

Filesize
6.9MB

Download
memory/2912-0-0x0000000074CEE000-0x0000000074CEF000-memory.dmp

Filesize
4KB

Download
memory/2912-1-0x0000000000F00000-0x0000000000F34000-memory.dmp

Filesize
208KB

Download