babadeda | 290fbd80875f828748b26dd45ea64d3a289cb94f5bda9f6998a5f4e054af4d4a

General

Target

fa3d40ce6752360f82f85789de9206da_JaffaCakes118.exe
Size

19.3MB
MD5

fa3d40ce6752360f82f85789de9206da
SHA1

b2257a28bd6c5fc2330c43911cb3b09fc7a3f793
SHA256

290fbd80875f828748b26dd45ea64d3a289cb94f5bda9f6998a5f4e054af4d4a
SHA512

0e1be7b19409625f4dd821aaaeec8b0105ca6c5db34ccb2d0dbeec56916a61c12f78164ba09fea0f865c64d0c13dbf933c22175a4ccaceec042ff3f38a2075b9
SSDEEP

196608:ItKgK+WQiP0b9HVd2THcW/VYDzBAdLGMyO2FUAfvHoqToihJ:1gKlcb5Vd2THcWt4wLbyOifvHr

Score

10^/10

babadeda redline sectoprat @treeline300 crypter discovery infostealer loader rat trojan

Malware Config

Extracted

Family

redline

Botnet

@treeline300

C2

45.67.228.152:54641

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 3 IoCs

resource	yara_rule
behavioral2/files/0x000700000002343b-327.dat	family_babadeda
behavioral2/memory/2200-330-0x0000000003E30000-0x0000000006E30000-memory.dmp	family_babadeda
behavioral2/memory/2200-339-0x0000000003E30000-0x0000000006E30000-memory.dmp	family_babadeda

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2200-328-0x0000000009700000-0x000000000971E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/2200-328-0x0000000009700000-0x000000000971E000-memory.dmp	family_sectoprat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	fa3d40ce6752360f82f85789de9206da_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2200	ioassembly.exe

Loads dropped DLL 1 IoCs

pid	Process
2200	ioassembly.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	ioassembly.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2200	ioassembly.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2200	3008	fa3d40ce6752360f82f85789de9206da_JaffaCakes118.exe	86
PID 3008 wrote to memory of 2200	3008	fa3d40ce6752360f82f85789de9206da_JaffaCakes118.exe	86
PID 3008 wrote to memory of 2200	3008	fa3d40ce6752360f82f85789de9206da_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\fa3d40ce6752360f82f85789de9206da_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa3d40ce6752360f82f85789de9206da_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\ioassembly.exe
  "C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\ioassembly.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\Lang\en\Phototheca EULA.rtf

Filesize
5KB

MD5
9325aee138a4d9a15d651920fb403ffc

SHA1
19eb57cd989571fa8cd426cbd680430c0e006408

SHA256
9c8346c7f288e63933ebda42cbb874f76067c48198b01adfb63bccfa11970c35

SHA512
d3c0ccf217346e44436ac4f9db3e71b6d2eb152930005f019db5b58dcce923d94007e77fa5b938e182073c2e55163e886853b00e3fc22f135d70854120a218a8

Download Submit
C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\Lang\fr\searchhelp.rtf

Filesize
56KB

MD5
520077fd6d03c64c735258d4d87921d8

SHA1
1b8d82d7da2d85527ce91e72f179fb8a418d47de

SHA256
6faf5a4f8a729dbdc4082a7f33ffde3e72ef34acbf0875932b3e4427bfd9b598

SHA512
8ccd614aaf7cee74a0ed8b34267db004f240ed51d41dd80caeef12fe29a785d4e109b2526acf4c04ff30edc025c1e4afd7e9e11b32ca08ecc3ced7435514d4de

Download Submit
C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\base.xml

Filesize
386KB

MD5
a18ed82a8dddccca1113a2cb992c1617

SHA1
b49c499776a8fcce659e307dbc018de78bba494e

SHA256
f3a71f6466be37fcb5066258f8b25ee7db68aebd6c8b9e06d83d2c882851781c

SHA512
4ec5b1bbaf6a16f038bba46eae5558132947576178d7ee861f831887001def116467ccdac9b4b7f196925f2a0f05e545abc95e465a85cac2a86a12cd7c4aeca6

Download Submit
C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\ioassembly.exe

Filesize
10.5MB

MD5
ecf7cced163166a2ca2028f87c09adfb

SHA1
54ac3d3ff99707a9220c72a1e30643d0e7dfe5ed

SHA256
518105a21064101544174005643c12b24404da142482e074453c27dc8d857fe6

SHA512
02bcf0ef6c7cab94f8090d55d5d7bca400ccf5693dc0f9c8837c77b56df25f75fa42676051d9a0016020fa78a898e2b63bc7267cc4435bc562af90dec4616e64

Download Submit
C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\lcms-5.0.dll

Filesize
3.9MB

MD5
91fb31637b57a44e2254dd83359334bd

SHA1
40adc1a5802146e2267a743f1c9ed39aafaa80a2

SHA256
dba6d23b14a2e6c2b80a27672f4902efbf70f601a7f2c55e2ced6ead0131eb3e

SHA512
95ed67b17935f9cee2ce15afdf6f094e4a522f0a5fa5b90f04adb88fc33a521a1ee8206b7249b8b3c0717eec56e36efcff404e6bc44449983fa0d20cf3eeab7c

Download Submit
memory/2200-332-0x00000000098C0000-0x00000000098D0000-memory.dmp

Filesize
64KB

Download
memory/2200-331-0x00000000097E0000-0x00000000097F2000-memory.dmp

Filesize
72KB

Download
memory/2200-329-0x0000000009EF0000-0x000000000A508000-memory.dmp

Filesize
6.1MB

Download
memory/2200-330-0x0000000003E30000-0x0000000006E30000-memory.dmp

Filesize
48.0MB

Download
memory/2200-333-0x00000000098C0000-0x00000000098D0000-memory.dmp

Filesize
64KB

Download
memory/2200-341-0x00000000098C0000-0x00000000098D0000-memory.dmp

Filesize
64KB

Download
memory/2200-334-0x00000000098C0000-0x00000000098D0000-memory.dmp

Filesize
64KB

Download
memory/2200-328-0x0000000009700000-0x000000000971E000-memory.dmp

Filesize
120KB

Download
memory/2200-335-0x0000000009840000-0x000000000987C000-memory.dmp

Filesize
240KB

Download
memory/2200-336-0x0000000073890000-0x0000000074040000-memory.dmp

Filesize
7.7MB

Download
memory/2200-337-0x00000000099D0000-0x0000000009A1C000-memory.dmp

Filesize
304KB

Download
memory/2200-338-0x0000000009BF0000-0x0000000009CFA000-memory.dmp

Filesize
1.0MB

Download
memory/2200-339-0x0000000003E30000-0x0000000006E30000-memory.dmp

Filesize
48.0MB

Download
memory/2200-340-0x0000000073890000-0x0000000074040000-memory.dmp

Filesize
7.7MB

Download
memory/3008-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing