asyncrat | 185b8075ebe0e41cfdabdb9f1d676c417778ccc2861dbc98f00a8dd8cfbc199b

General

Target

JaffaCakes118_622b97f6333970486d841abf78e3fdb8.exe
Size

186KB
MD5

622b97f6333970486d841abf78e3fdb8
SHA1

7faf2915ab113571dcc2a2cc81d21e988ea5b94f
SHA256

185b8075ebe0e41cfdabdb9f1d676c417778ccc2861dbc98f00a8dd8cfbc199b
SHA512

642a85b022b92c1bf7443fbcb6693c920c9c1463ac8824cf20dadd78390493fe51a40b52f5b8dea143cf4834e4c49451767c3c9f912603ea1aac54061dc5263b
SSDEEP

384:LlAR5043qPe6L5w/ep7Q8xi7FXhopJOWfDAyMx7UcvhfBT8+vMmN+tVgvKneyqLx:mRdzGVvk+nXqU2r

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
Runtime Broker.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/CmxpZKhW

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0008000000023c74-6.dat	family_asyncrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	JaffaCakes118_622b97f6333970486d841abf78e3fdb8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	GQIyv..exe

Executes dropped EXE 2 IoCs

pid	Process
2336	GQIyv..exe
4872	Runtime Broker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
18	pastebin.com
19	0.tcp.ngrok.io
41	0.tcp.ngrok.io
49	0.tcp.ngrok.io
60	0.tcp.ngrok.io
17	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4304	2016	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Broker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_622b97f6333970486d841abf78e3fdb8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GQIyv..exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3364	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2784	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2336	GQIyv..exe
2336	GQIyv..exe
2336	GQIyv..exe
2336	GQIyv..exe
2336	GQIyv..exe
2336	GQIyv..exe
2336	GQIyv..exe
2336	GQIyv..exe
2336	GQIyv..exe
2336	GQIyv..exe
2336	GQIyv..exe
2336	GQIyv..exe
2336	GQIyv..exe
2336	GQIyv..exe
2336	GQIyv..exe
2336	GQIyv..exe
2336	GQIyv..exe
2336	GQIyv..exe
2336	GQIyv..exe
2336	GQIyv..exe
2336	GQIyv..exe
2336	GQIyv..exe
2336	GQIyv..exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2336	GQIyv..exe
Token: SeDebugPrivilege	4872	Runtime Broker.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2336	2016	JaffaCakes118_622b97f6333970486d841abf78e3fdb8.exe	84
PID 2016 wrote to memory of 2336	2016	JaffaCakes118_622b97f6333970486d841abf78e3fdb8.exe	84
PID 2016 wrote to memory of 2336	2016	JaffaCakes118_622b97f6333970486d841abf78e3fdb8.exe	84
PID 2336 wrote to memory of 696	2336	GQIyv..exe	91
PID 2336 wrote to memory of 696	2336	GQIyv..exe	91
PID 2336 wrote to memory of 696	2336	GQIyv..exe	91
PID 2336 wrote to memory of 4796	2336	GQIyv..exe	93
PID 2336 wrote to memory of 4796	2336	GQIyv..exe	93
PID 2336 wrote to memory of 4796	2336	GQIyv..exe	93
PID 696 wrote to memory of 2784	696	cmd.exe	95
PID 696 wrote to memory of 2784	696	cmd.exe	95
PID 696 wrote to memory of 2784	696	cmd.exe	95
PID 4796 wrote to memory of 3364	4796	cmd.exe	96
PID 4796 wrote to memory of 3364	4796	cmd.exe	96
PID 4796 wrote to memory of 3364	4796	cmd.exe	96
PID 4796 wrote to memory of 4872	4796	cmd.exe	99
PID 4796 wrote to memory of 4872	4796	cmd.exe	99
PID 4796 wrote to memory of 4872	4796	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_622b97f6333970486d841abf78e3fdb8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_622b97f6333970486d841abf78e3fdb8.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\GQIyv..exe
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\GQIyv..exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:696
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBDE1.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4796
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3364
  - - C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
      "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1892
  2⤵
  - Program crash
  PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2016 -ip 2016
1⤵
PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\GQIyv..exe

Filesize
45KB

MD5
96ca55aa4324d544bb66e1e00a0cd53f

SHA1
d313b17ad8d186cbb1b935fae08a8fd728f57027

SHA256
aefa7577517ff9d0e9dc7c2152ec1830a9b0addb791a53778d87b7998defbf39

SHA512
ff109063070060c76cf14486d23dbe86cf6f19e690a88d173339a46ee9e9449189aa08aa11660b4a02abf5d8ebae18e451f0bcb741a2f7c72b0490cfaf676fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBDE1.tmp.bat

Filesize
158B

MD5
31038f5093d71fb0c893680e26440ca8

SHA1
bd2dbcbbf41613b61ecf083366e3638d3c439529

SHA256
417a232e0717350b379f1128c6e2bcdf3d2e9f84422345fbe3e0d162484a3821

SHA512
b2fd62b191805612b326ea2ea914b3a83c16058eee2de520943e2fd8853ad13561f4f35de8e88f126cd7fd59374d5686df5738b419dd8d2b0fdb224554328486

Download Submit
memory/2016-0-0x000000007508E000-0x000000007508F000-memory.dmp

Filesize
4KB

Download
memory/2016-1-0x00000000009E0000-0x0000000000A14000-memory.dmp

Filesize
208KB

Download
memory/2336-15-0x0000000000160000-0x0000000000172000-memory.dmp

Filesize
72KB

Download
memory/2336-16-0x0000000075080000-0x0000000075830000-memory.dmp

Filesize
7.7MB

Download
memory/2336-17-0x0000000075080000-0x0000000075830000-memory.dmp

Filesize
7.7MB

Download
memory/2336-18-0x0000000004A40000-0x0000000004AA6000-memory.dmp

Filesize
408KB

Download
memory/2336-19-0x0000000004E50000-0x0000000004EEC000-memory.dmp

Filesize
624KB

Download
memory/2336-24-0x0000000075080000-0x0000000075830000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads