Malware Analysis Report

2024-09-22 16:44

Sample ID 231230-lwyqjscccr
Target 150857f47c2baeebe41028b415ba30ec
SHA256 7d580d1416efb8a4475d4d682ca4e53b96482ef437770e66cb2ca8bcfbc075c9
Tags: babadeda crypter loader

Score: 10/10

Analysis Overview

Score: 10/10

SHA256 7d580d1416efb8a4475d4d682ca4e53b96482ef437770e66cb2ca8bcfbc075c9

Threat Level: Known bad

The file 150857f47c2baeebe41028b415ba30ec was found to be: Known bad.

Malicious Activity Summary

babadeda crypter loader

Babadeda

Babadeda Crypter

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Drops desktop.ini file(s)

Enumerates physical storage devices

NSIS installer

Checks processor information in registry

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-12-30 09:53

Signatures

NSIS installer

Tags: installer

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 09:53

Reported

2023-12-31 11:25

Platform

win7-20231215-en

Max time kernel

209s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\150857f47c2baeebe41028b415ba30ec.exe"

Signatures

Babadeda

Tags: loader crypter babadeda

Babadeda Crypter

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe | N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\150857f47c2baeebe41028b415ba30ec.exe

"C:\Users\Admin\AppData\Local\Temp\150857f47c2baeebe41028b415ba30ec.exe"

C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe

C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe

Network

N/A

Files

\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe

MD5 0f9210c3a6b12248b281b4b9015491e5
SHA1 5201fd2f0cf319e8076a7fc693ef2fb3a3c1147a
SHA256 6dc84b136a6bdb51cb98f7668f66bc7fac776856797db175435bed73f708555b
SHA512 fe2d6ebb5d8a4163857f54e94011b6549f2efc32d76e88c42bf1aa432545280fdb283fcc9922014f115b14e9a7f26411e3d863bc4ad16313317e46adb7dd34dc

C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe

MD5 846eb78bc7dfaf8b661c3ce529be7f56
SHA1 01c82f1791611b57f0d704533a91fce4da91c3eb
SHA256 0027c2bf63938d8512fd710d1fd0b8cd0d6368ff18df05d9d66f9ef73fb54088
SHA512 3d3fb50bc42392987ba042025a4d0c61907044946f500b91fbde1a589d80a4ef0cabea19d5988487830b6d246e09315caa3ebc6b7bec7a1c377e39061a413c71

memory/2416-241-0x00000000023B0000-0x0000000002B26000-memory.dmp

memory/2340-242-0x0000000000400000-0x0000000000B76000-memory.dmp

C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\JdbcOdbc.dll

MD5 ae579e792f697b49ab65ddc49b513041
SHA1 ddacc12dbdf3942ebbacb88096668f1300d2c990
SHA256 29a8ca5ecce3ec352181e4da596e9d6e8f2405092118ba96749ff61ed8098d84
SHA512 315edc8d139396a60da7eb24ae9e3b54fac5b918910d97e97a7be479da9383fa3229e24c87defe1b7fb09f4d8880ab0554bf40e9d3d06a0668191e6f54a2b6f7

\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\JdbcOdbc.dll

MD5 2d74780cb8efdd7038d663f5ea35a38d
SHA1 337c81688c22cbf5df03848d5fd617bca25848dc
SHA256 9750f93885304887d088e68737827cb970943d000ccd4245e6e7fdb55b0a9606
SHA512 ab9e6b9c76e0d10fcbedeba558aa25a3adeb1a3e9107ece02b20e5a25a1d0196b5bd6cf62ebae206ad3c72c1dbf70b0024beff2b64f21d7a83fbe899623bdec8

C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\base.xml

MD5 51599707dc82f6946f39a87c5ac9fcd7
SHA1 f23db51bfe863a3ac1362ce131f5645e9f8b614e
SHA256 0be18ef99cfd38e7c43ef01f270778c46b46a43d5b7cdc81e7f83f91729609ca
SHA512 ab0669617b3d826a6b45e5fa2a814acb0ef0d2cb4d63dafa6e72156b158334d21af47c423f560cd4fdbb8657c78aa0037383611d06c66745e74873b32c68c69e

memory/2340-246-0x0000000000400000-0x0000000000B76000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 09:53

Reported

2023-12-31 11:22

Platform

win10v2004-20231222-en

Max time kernel

79s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\150857f47c2baeebe41028b415ba30ec.exe"

Signatures

Babadeda

Tags: loader crypter babadeda

Babadeda Crypter

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Videos\Captures\desktop.ini | C:\Windows\system32\svchost.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\svchost.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3803511929-1339359695-2191195476-1000\{22EFD199-3459-4B67-88D9-89DB3B9BF5C6} | C:\Windows\system32\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3803511929-1339359695-2191195476-1000\{2E9A8C2B-033F-4D11-AA0C-63F03AA951B4} | C:\Windows\system32\svchost.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe | N/A
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\150857f47c2baeebe41028b415ba30ec.exe

"C:\Users\Admin\AppData\Local\Temp\150857f47c2baeebe41028b415ba30ec.exe"

C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe

C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 173.231.16.77:80 api.ipify.org tcp
US 8.8.8.8:53 prunerflowershop.com udp
US 8.8.8.8:53 77.16.231.173.in-addr.arpa udp
US 8.8.8.8:53 prunerflowershop.com udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 prunerflowershop.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 prunerflowershop.com udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 prunerflowershop.com udp
US 8.8.8.8:53 prunerflowershop.com udp
US 8.8.8.8:53 prunerflowershop.com udp
US 8.8.8.8:53 prunerflowershop.com udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 prunerflowershop.com udp

Files

C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe

MD5 6f12f9ee72e6e02c79e48404f049d2d0
SHA1 8508169aaff7fd03ec7de7bac2d4f02c7784989f
SHA256 c270e35ecd93ce0bf3490d3bbf0e318547d440e6171ff746fdca5bb62824e16b
SHA512 89281ec882f91f03e145663a5a40b715393b7ac88af92777f3bb483ba08b4ff91ad173a6045fa14cf1fe6eec6f7886dbc8bcc01c0357f4761772fb0a7de197b2

C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe

MD5 9d393a02d1b792d938217bad1f0d0173
SHA1 e786056d4de8e022ff9bf85af2ef019d3f991917
SHA256 176f2daee944217c70dd83c76018679dd3a9bb37f44363538c97264134cad9b0
SHA512 dd8d15a2d8ac21f2ca6633cecf9b08efcde8cf95dd6d787594ed3df9c5f30a9a9767d26b831279bcb6cbdc9656e0abfbb5aac94f778ba43d27b3993d9b825c70

memory/4732-240-0x0000000000400000-0x0000000000B76000-memory.dmp

C:\Users\Admin\Videos\Captures\desktop.ini

MD5 b0d27eaec71f1cd73b015f5ceeb15f9d
SHA1 62264f8b5c2f5034a1e4143df6e8c787165fbc2f
SHA256 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
SHA512 7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\JdbcOdbc.dll

MD5 aaa3bfdf7c3d9d8a0f9d40ab64454665
SHA1 f13fa60b6c95d30c67cec3e73ce928356bdb8d6e
SHA256 c0db73f3003d1daf0e33643c75e1e3e407c884e287795c0bf8a42f834097d83b
SHA512 24048ca7af7fcc122ed5d6d006016ef6fba6725687b8b9a1853bbf1a588d4a946edaa0fba359c519cc1a4ee201f8e3c7f7018211d2e213ee9bc79e82596b9418

C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\JdbcOdbc.dll

MD5 62cebb1d9556e26ee20da12d37a34cac
SHA1 414b05d363c122b47e1f01ac8502d003de7d6c48
SHA256 c9ebb75e6b5e7bb23d9ae6f5457643fbfacc7a2ad28e4d24f6dac1d4c1187e0b
SHA512 63b4e7e64457cbebf05ad024141cd3efb241f3fbcf3872fbd97c322261abfb03040cb342f655cdd3718efb41ac3e138269699503047f33c89019be484fe4ad99

C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\base.xml

MD5 51599707dc82f6946f39a87c5ac9fcd7
SHA1 f23db51bfe863a3ac1362ce131f5645e9f8b614e
SHA256 0be18ef99cfd38e7c43ef01f270778c46b46a43d5b7cdc81e7f83f91729609ca
SHA512 ab0669617b3d826a6b45e5fa2a814acb0ef0d2cb4d63dafa6e72156b158334d21af47c423f560cd4fdbb8657c78aa0037383611d06c66745e74873b32c68c69e

C:\ProgramData\kaosdma.txt

MD5 8cf4dec152a9d79a3d62202b886eda9b
SHA1 0c1b3d3d02c0b655aa3526a58486b84872f18cc2
SHA256 c30e56c9c8fe30ffa4a4ff712cf2fa1808ee82ca258cd4c8ebefcc82250b6c01
SHA512 a5a65f0604f8553d0be07bd5214db52d3f167e7511d29cb64e3fa9d8c510cc79976ff2a5acb9b8c09b666f306ac8e4ad389f9a2de3ca46d57b1e91060a4c50fd