Malware Analysis Report

2024-09-22 16:41

Sample ID: 231229-1lhnxafhfl
Target:    04befedbe76440e1e24e59ff4244ce6a
SHA256:    bd8d1264a88d5cdd701a4ee909b70beaec39d216c988b33bfb30f25aee3540ee
Tags:      babadeda, crypter, loader
Score:     10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score:  10/10

SHA256: bd8d1264a88d5cdd701a4ee909b70beaec39d216c988b33bfb30f25aee3540ee

Threat Level: Known bad

The file 04befedbe76440e1e24e59ff4244ce6a was found to be: Known bad.

Malicious Activity Summary

Tags: babadeda, crypter, loader

Babadeda

Babadeda Crypter

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2023-12-29 21:44

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2023-12-29 21:44
Reported:         2023-12-30 02:38
Platform:         win7-20231129-en
Max time kernel:  143s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04befedbe76440e1e24e59ff4244ce6a.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\04befedbe76440e1e24e59ff4244ce6a.exe

"C:\Users\Admin\AppData\Local\Temp\04befedbe76440e1e24e59ff4244ce6a.exe"

C:\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe

"C:\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe"

Network

Country  Destination         Domain          Proto
US       8.8.8.8:53          api.ipify.org   udp
US       173.231.16.77:80    api.ipify.org   tcp
MD       45.142.212.149:80                   tcp
MD       45.142.212.149:80                   tcp
MD       45.142.212.149:80                   tcp
MD       45.142.212.149:80                   tcp
MD       45.142.212.149:80                   tcp
MD       45.142.212.149:80                   tcp
MD       45.142.212.149:80                   tcp
MD       45.142.212.149:80                   tcp
MD       45.142.212.149:80                   tcp
MD       45.142.212.149:80                   tcp
MD       45.142.212.149:80                   tcp
MD       45.142.212.149:80                   tcp
MD       45.142.212.149:80                   tcp
MD       45.142.212.149:80                   tcp
MD       45.142.212.149:80                   tcp
MD       45.142.212.149:80                   tcp

Files

memory/3020-0-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1628-557-0x0000000000400000-0x0000000000A0F000-memory.dmp

memory/3020-554-0x0000000004090000-0x000000000469F000-memory.dmp

memory/3020-548-0x0000000002930000-0x0000000002940000-memory.dmp

\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe

MD5    d41d8cd98f00b204e9800998ecf8427e
SHA1   da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3020-559-0x0000000000400000-0x0000000000701000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted:        2023-12-29 21:44
Reported:         2023-12-30 02:37
Platform:         win10v2004-20231215-en
Max time kernel:  147s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04befedbe76440e1e24e59ff4244ce6a.exe"

Signatures

Babadeda

Tags: loader, crypter, babadeda

Babadeda Crypter

Description: N/A
Indicator:   N/A
Process:     N/A
Target:      N/A

Checks computer location settings

Description: Key value queried
Indicator:   \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation
Process:     C:\Users\Admin\AppData\Local\Temp\04befedbe76440e1e24e59ff4244ce6a.exe
Target:      N/A

Executes dropped EXE

Description: N/A
Indicator:   N/A
Process:     C:\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe
Target:      N/A

Loads dropped DLL

Description: N/A
Indicator:   N/A
Process:     C:\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe
Target:      N/A

Looks up external IP address via web service

Description: N/A
Indicator:   api.ipify.org
Process:     N/A
Target:      N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\04befedbe76440e1e24e59ff4244ce6a.exe

"C:\Users\Admin\AppData\Local\Temp\04befedbe76440e1e24e59ff4244ce6a.exe"

C:\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe

"C:\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe"

Network

Country  Destination         Domain                        Proto
NL       52.142.223.178:80                                 tcp
US       8.8.8.8:53          g.bing.com                    udp
US       204.79.197.200:443  g.bing.com                    tcp
US       8.8.8.8:53          3.181.190.20.in-addr.arpa     udp
US       8.8.8.8:53          209.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53          200.197.79.204.in-addr.arpa   udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53          57.169.31.20.in-addr.arpa     udp
US       8.8.8.8:53          146.78.124.51.in-addr.arpa    udp
US       8.8.8.8:53          241.154.82.20.in-addr.arpa    udp
US       8.8.8.8:53          41.110.16.96.in-addr.arpa     udp
US       8.8.8.8:53          183.59.114.20.in-addr.arpa    udp
US       8.8.8.8:53          59.128.231.4.in-addr.arpa     udp
US       8.8.8.8:53          56.126.166.20.in-addr.arpa    udp
US       8.8.8.8:53          240.221.184.93.in-addr.arpa   udp
US       8.8.8.8:53          tse1.mm.bing.net              udp
US       204.79.197.200:443  tse1.mm.bing.net              tcp
US       204.79.197.200:443  tse1.mm.bing.net              tcp
US       204.79.197.200:443  tse1.mm.bing.net              tcp
US       204.79.197.200:443  tse1.mm.bing.net              tcp
US       204.79.197.200:443  tse1.mm.bing.net              tcp
US       8.8.8.8:53          api.ipify.org                 udp
US       64.185.227.156:80   api.ipify.org                 tcp
MD       45.142.212.149:80                                 tcp
US       8.8.8.8:53          156.227.185.64.in-addr.arpa   udp
MD       45.142.212.149:80                                 tcp
US       8.8.8.8:53          104.241.123.92.in-addr.arpa   udp
MD       45.142.212.149:80                                 tcp
US       8.8.8.8:53          119.110.54.20.in-addr.arpa    udp
MD       45.142.212.149:80                                 tcp
MD       45.142.212.149:80                                 tcp
US       8.8.8.8:53          176.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53          59.134.221.88.in-addr.arpa    udp
MD       45.142.212.149:80                                 tcp
MD       45.142.212.149:80                                 tcp
MD       45.142.212.149:80                                 tcp
US       8.8.8.8:53          79.121.231.20.in-addr.arpa    udp
MD       45.142.212.149:80                                 tcp
US       8.8.8.8:53          18.134.221.88.in-addr.arpa    udp
MD       45.142.212.149:80                                 tcp
MD       45.142.212.149:80                                 tcp
MD       45.142.212.149:80                                 tcp
MD       45.142.212.149:80                                 tcp
MD       45.142.212.149:80                                 tcp
US       8.8.8.8:53          3.173.189.20.in-addr.arpa     udp
MD       45.142.212.149:80                                 tcp

Files

memory/1824-0-0x0000000002720000-0x0000000002721000-memory.dmp

C:\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe

MD5    183f44ca3a4f33e88bf1d80566db603b
SHA1   87634a0e5b32587088d8d800049c56076db15e47
SHA256 5d92455f98253d7bdcd2a57d5cd73f749866794eb7730c2fa296800e45ceebb0
SHA512 b0cbf29e7dfec29830740cb13bbf11282794f9854bf2ecc574ade9f6d27994c2df1ec66ec22b7f490b45199ab9364abed02610fb120c3473959fed478c8f4299

C:\Users\Admin\AppData\Roaming\Smart Cleanup\libGLES-v2.dll

MD5    abbf4b4e4aad7213ac3939668e23f852
SHA1   1b9d2ad0e5cdde8f3f497cfb07969a05f5047256
SHA256 8bbd280dffe1fd7947b54c56c7f57543b35e4b03b35c359599af313dd6877596
SHA512 3ebe9a0f17c24fcf83e264291b0a77deaf30e4da13bfc539081375db58b7e38329724847049b8adf77121c0998d95f3a4474b3fbc77c2a17a22c6489f779e4ac

C:\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe

MD5    6a375329aacf40e7d3e205b3cce8e806
SHA1   6b9750a1f84dbfe3710ab83900d62e79a58a8850
SHA256 03bcdf56ded7eaf83402048ed5db72941709bdb486fcc5ad03b06c0488ad3dc3
SHA512 74f28e8d92e2579f8262d6c6f2ee77e05001a19a358c8922353efde58e7fd037fc442e0d832df52ff99c3bb9f07b57e484aad771b1afa93f8162f4d475dba009

C:\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe

MD5    caee23d8e98273df92daabb889dba8a7
SHA1   fd60bc11426076a1485fbcd71fa26716cc584125
SHA256 df7cf012ae09f8db1bd8b7c1ea5dc200949d9f85aedcd6c282bc40e1eeeace6a
SHA512 7d7889e3d77d7406cf72c74789054cf5991323ccf89ed8a04abed091f18f8c007e651160f8014a8d1ca77c56ed0fcef77b624f15c0f9d8615f0dbbc8df38a20c

memory/1536-557-0x0000000000400000-0x0000000000A0F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Smart Cleanup\libGLES-v2.dll

MD5    5e788e7e416cfaddae77c191e07936c6
SHA1   b44255d02dcbe89c30cfe57c05621e9872cf1361
SHA256 ae4f240cb74678005efb11dab65ef82a01b5619ae117b6c9e2a3f9c986a16b4b
SHA512 2a1b5580dbed340cd508fd0270d23297d69985e2e89a15fda83ee0c4a7a16898414754b4a12136edad8f0e94b1ffa25cb5b6e753a62c6e88ac7521a8c6639fa3

C:\Users\Admin\AppData\Roaming\Smart Cleanup\menu.xml

MD5    a2ffbe69712106dc778625e3f55076da
SHA1   010f27681359f09dcce63349e5d7737c9b383eb7
SHA256 618ff25fa1dbd690b0fa884238ab12a110821edbd6988c053ac8f64fe002796c
SHA512 5621258333581ebc20dd40c0331751334cb3536ca4e9dc81b5ac3b4ff1b344f8dd56eb5ca3bcc749e341a22186e93cb4119900ca6e18e0742c145e0c648f61f9

memory/1824-561-0x0000000000400000-0x0000000000701000-memory.dmp

C:\ProgramData\kaosdma.txt

MD5    8cf4dec152a9d79a3d62202b886eda9b
SHA1   0c1b3d3d02c0b655aa3526a58486b84872f18cc2
SHA256 c30e56c9c8fe30ffa4a4ff712cf2fa1808ee82ca258cd4c8ebefcc82250b6c01
SHA512 a5a65f0604f8553d0be07bd5214db52d3f167e7511d29cb64e3fa9d8c510cc79976ff2a5acb9b8c09b666f306ac8e4ad389f9a2de3ca46d57b1e91060a4c50fd