babadeda | 4fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.exe
Size

4.8MB
MD5

e987477b0d14b6d7075f0105aa28ba92
SHA1

54bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab
SHA256

4fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b
SHA512

bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68
SSDEEP

98304:8Sis3whP2XB/9Jp3KbjnCDHMz+7ZrrZPx3AqadVQnnPcMj:S92x/vNungMIZfZPx3knQPck

Score

10^/10

babadeda crypter loader

Malware Config

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002323f-325.dat	family_babadeda

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.tmp

Executes dropped EXE 3 IoCs

pid	Process
3528	e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.tmp
1200	e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.tmp
760	fsucenter.exe

Loads dropped DLL 1 IoCs

pid	Process
760	fsucenter.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
45	bitbucket.org
32	iplogger.org
34	iplogger.org
41	bitbucket.org
42	bitbucket.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1200	e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.tmp
1200	e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.tmp
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe
760	fsucenter.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1200	e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 3528	1612	e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.exe	88
PID 1612 wrote to memory of 3528	1612	e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.exe	88
PID 1612 wrote to memory of 3528	1612	e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.exe	88
PID 3528 wrote to memory of 208	3528	e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.tmp	90
PID 3528 wrote to memory of 208	3528	e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.tmp	90
PID 3528 wrote to memory of 208	3528	e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.tmp	90
PID 208 wrote to memory of 1200	208	e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.exe	91
PID 208 wrote to memory of 1200	208	e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.exe	91
PID 208 wrote to memory of 1200	208	e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.exe	91
PID 1200 wrote to memory of 760	1200	e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.tmp	92
PID 1200 wrote to memory of 760	1200	e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.tmp	92
PID 1200 wrote to memory of 760	1200	e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.tmp	92

C:\Users\Admin\AppData\Local\Temp\e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Local\Temp\is-S4JJM.tmp\e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-S4JJM.tmp\e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.tmp" /SL5="$80098,4193427,831488,C:\Users\Admin\AppData\Local\Temp\e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Users\Admin\AppData\Local\Temp\e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.exe" /VERYSILENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\is-BQ7MU.tmp\e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-BQ7MU.tmp\e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.tmp" /SL5="$90098,4193427,831488,C:\Users\Admin\AppData\Local\Temp\e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.exe" /VERYSILENT
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1200
    - - C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe
        
        "C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-S4JJM.tmp\e987477b0d14b6d7075f0105aa28ba92_JaffaCakes118.tmp

Filesize
3.0MB

MD5
6da8ef761a1ac640f74c4509a3da8b47

SHA1
de626da008e5e8500388ec7827bcd1158f703d98

SHA256
232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5

SHA512
c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\Lang\it\is-IHICV.tmp

Filesize
5KB

MD5
9325aee138a4d9a15d651920fb403ffc

SHA1
19eb57cd989571fa8cd426cbd680430c0e006408

SHA256
9c8346c7f288e63933ebda42cbb874f76067c48198b01adfb63bccfa11970c35

SHA512
d3c0ccf217346e44436ac4f9db3e71b6d2eb152930005f019db5b58dcce923d94007e77fa5b938e182073c2e55163e886853b00e3fc22f135d70854120a218a8

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe

Filesize
4.8MB

MD5
cf8114289d40ec83b53463b1ac8930c9

SHA1
00036a509bc31c4264a0414d3386f420854ca047

SHA256
39b7e686bb324ecf81adc0b6a165830cd4d3f7d8a2bbba310930fa023f95bb12

SHA512
e19af0dcf1aa8253523a1eba1c69f5f26cc63730ef630c60c4ce46d368b037753110426c7e3db333041046dbb04ccffec2bfd48529e1cdaab6547e331df02fc9

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\libfreetype-4.dll

Filesize
3.8MB

MD5
96f1c8a9c83fbf6411f35d3de8fdc77c

SHA1
41b590133df449c8e0ce247aab7def7cfc39399d

SHA256
ae8db0fc9690c6047bd1d1aeb7cd254060c0623700bb184ce3f1b3d1daffc39e

SHA512
fa214f15b7c77eca2760aa2489debc5d7244f5535a7b725b49ae7f9ba6f5341a04ee2ccabe15f1e70a542582ed64758d1b4e2d61faaacf2a56e3ec750df76baa

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\menu.xml

Filesize
863KB

MD5
0ad63807522a2fc76deff4eddbc77d35

SHA1
85ba4baf1b1a623bc8fe5ea9334088de8da390c7

SHA256
f04362f73243736c636a08982e1f3655ce5824f2e5b0e3e87acbd94d0a906b96

SHA512
5cacea66310d6f8fc41cc742d6570e389e9df0f9faec4af2c8d036635500bfcf605148ec0a6e8d54b64485abb8a3881f00e7c93bbe7ab35eec85f39c6c33dac9

Download Submit
memory/208-9-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/208-329-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/760-323-0x0000000000AD0000-0x0000000000FA5000-memory.dmp

Filesize
4.8MB

Download
memory/1200-17-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/1200-327-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/1612-13-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1612-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3528-11-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/3528-5-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download