Malware Analysis Report

2024-09-22 16:28

Sample ID 240419-n2zk5sbh3w
Target fa3d40ce6752360f82f85789de9206da_JaffaCakes118
SHA256 290fbd80875f828748b26dd45ea64d3a289cb94f5bda9f6998a5f4e054af4d4a
Tags
babadeda redline sectoprat @treeline300 crypter discovery infostealer loader rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

290fbd80875f828748b26dd45ea64d3a289cb94f5bda9f6998a5f4e054af4d4a

Threat Level: Known bad

The file fa3d40ce6752360f82f85789de9206da_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

babadeda redline sectoprat @treeline300 crypter discovery infostealer loader rat trojan

RedLine payload

SectopRAT payload

SectopRAT

Babadeda Crypter

Babadeda family

Babadeda

RedLine

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-19 11:54

Signatures

Babadeda Crypter

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Babadeda family

babadeda

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 11:54

Reported

2024-04-19 11:56

Platform

win7-20231129-en

Max time kernel

144s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fa3d40ce6752360f82f85789de9206da_JaffaCakes118.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\ioassembly.exe | N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\ioassembly.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\ioassembly.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fa3d40ce6752360f82f85789de9206da_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fa3d40ce6752360f82f85789de9206da_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\ioassembly.exe

"C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\ioassembly.exe"

Network

Country | Destination | Domain | Proto
NL | 45.67.228.152:54641 | | tcp
NL | 45.67.228.152:54641 | | tcp
NL | 45.67.228.152:54641 | | tcp
NL | 45.67.228.152:54641 | | tcp
NL | 45.67.228.152:54641 | | tcp
NL | 45.67.228.152:54641 | | tcp
NL | 45.67.228.152:54641 | | tcp
NL | 45.67.228.152:54641 | | tcp
NL | 45.67.228.152:54641 | | tcp
NL | 45.67.228.152:54641 | | tcp
NL | 45.67.228.152:54641 | | tcp
NL | 45.67.228.152:54641 | | tcp
NL | 45.67.228.152:54641 | | tcp
NL | 45.67.228.152:54641 | | tcp
NL | 45.67.228.152:54641 | | tcp
NL | 45.67.228.152:54641 | | tcp
NL | 45.67.228.152:54641 | | tcp
NL | 45.67.228.152:54641 | | tcp

Files

C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\Lang\en\Phototheca EULA.rtf

MD5 9325aee138a4d9a15d651920fb403ffc
SHA1 19eb57cd989571fa8cd426cbd680430c0e006408
SHA256 9c8346c7f288e63933ebda42cbb874f76067c48198b01adfb63bccfa11970c35
SHA512 d3c0ccf217346e44436ac4f9db3e71b6d2eb152930005f019db5b58dcce923d94007e77fa5b938e182073c2e55163e886853b00e3fc22f135d70854120a218a8

C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\Lang\fr\searchhelp.rtf

MD5 520077fd6d03c64c735258d4d87921d8
SHA1 1b8d82d7da2d85527ce91e72f179fb8a418d47de
SHA256 6faf5a4f8a729dbdc4082a7f33ffde3e72ef34acbf0875932b3e4427bfd9b598
SHA512 8ccd614aaf7cee74a0ed8b34267db004f240ed51d41dd80caeef12fe29a785d4e109b2526acf4c04ff30edc025c1e4afd7e9e11b32ca08ecc3ced7435514d4de

\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\ioassembly.exe

MD5 ecf7cced163166a2ca2028f87c09adfb
SHA1 54ac3d3ff99707a9220c72a1e30643d0e7dfe5ed
SHA256 518105a21064101544174005643c12b24404da142482e074453c27dc8d857fe6
SHA512 02bcf0ef6c7cab94f8090d55d5d7bca400ccf5693dc0f9c8837c77b56df25f75fa42676051d9a0016020fa78a898e2b63bc7267cc4435bc562af90dec4616e64

memory/1540-319-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\lcms-5.0.dll

MD5 91fb31637b57a44e2254dd83359334bd
SHA1 40adc1a5802146e2267a743f1c9ed39aafaa80a2
SHA256 dba6d23b14a2e6c2b80a27672f4902efbf70f601a7f2c55e2ced6ead0131eb3e
SHA512 95ed67b17935f9cee2ce15afdf6f094e4a522f0a5fa5b90f04adb88fc33a521a1ee8206b7249b8b3c0717eec56e36efcff404e6bc44449983fa0d20cf3eeab7c

C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\base.xml

MD5 a18ed82a8dddccca1113a2cb992c1617
SHA1 b49c499776a8fcce659e307dbc018de78bba494e
SHA256 f3a71f6466be37fcb5066258f8b25ee7db68aebd6c8b9e06d83d2c882851781c
SHA512 4ec5b1bbaf6a16f038bba46eae5558132947576178d7ee861f831887001def116467ccdac9b4b7f196925f2a0f05e545abc95e465a85cac2a86a12cd7c4aeca6

memory/1140-323-0x0000000000260000-0x000000000027E000-memory.dmp

memory/1140-324-0x0000000002F10000-0x0000000005F10000-memory.dmp

memory/1140-325-0x0000000006150000-0x0000000006190000-memory.dmp

memory/1140-326-0x0000000006150000-0x0000000006190000-memory.dmp

memory/1140-327-0x0000000073B50000-0x000000007423E000-memory.dmp

memory/1140-328-0x0000000002F10000-0x0000000005F10000-memory.dmp

memory/1140-329-0x0000000073B50000-0x000000007423E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 11:54

Reported

2024-04-19 11:56

Platform

win10v2004-20240412-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fa3d40ce6752360f82f85789de9206da_JaffaCakes118.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fa3d40ce6752360f82f85789de9206da_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\ioassembly.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\ioassembly.exe | N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\ioassembly.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\ioassembly.exe | N/A
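The signature tables above name the behaviours but leave most Description and Indicator cells as N/A, so a defender has to reconstruct what to look for from the process paths, the Geo\Nation key and the repeated connections to 45.67.228.152:54641. The following is an added example for this page, not code from the sandbox or from this report: it correlates a constructed stream of endpoint events into the same four behaviours (dropped EXE executed, Geo\Nation lookup, SeDebugPrivilege enabled, repeated connects to one non-standard port). The event shapes are generic; mapping them onto real telemetry (for instance Sysmon IDs 1, 11 and 3, Windows Security 4703 for the token right, and a sandbox or EDR trace for registry reads, which Sysmon does not record), as well as the PIDs, the well-known-port list and the beacon threshold, are assumptions.

```python
"""Correlate a constructed endpoint-event stream into the behaviours this
report flags: a dropped EXE being executed, the Geo\\Nation registry lookup,
SeDebugPrivilege being enabled, and repeated connects to one non-standard port.

Added example for this page, not code from the sandbox or the report. EVENTS is
hand-written to mirror the report's paths, registry key and destination; it is
not real telemetry. Event kinds are generic (proc_create, file_create, reg_query,
priv_enable, net_connect); PIDs, WELL_KNOWN_PORTS and BEACON_THRESHOLD are
assumptions."""
from collections import Counter, defaultdict

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\fa3d40ce6752360f82f85789de9206da_JaffaCakes118.exe")
DROP_DIR = r"C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly"
DROPPED = DROP_DIR + r"\ioassembly.exe"
GEO_KEY = (r"\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000"
           r"\Control Panel\International\Geo\Nation")
C2_IP, C2_PORT = "45.67.228.152", 54641

# Constructed sample events in arrival order (not real telemetry).
EVENTS = [
    {"kind": "proc_create", "pid": 3008, "ppid": 700, "image": DROPPER},
    {"kind": "reg_query", "pid": 3008, "image": DROPPER, "target": GEO_KEY},
    {"kind": "file_create", "pid": 3008, "image": DROPPER, "target": DROP_DIR + r"\base.xml"},
    {"kind": "file_create", "pid": 3008, "image": DROPPER, "target": DROPPED},
    {"kind": "proc_create", "pid": 2200, "ppid": 3008, "image": DROPPED},
    {"kind": "priv_enable", "pid": 2200, "image": DROPPED, "enabled": ["SeDebugPrivilege"]},
] + [
    {"kind": "net_connect", "pid": 2200, "image": DROPPED,
     "dst": C2_IP, "port": C2_PORT, "proto": "tcp"}
    for _ in range(7)
]

WELL_KNOWN_PORTS = {25, 53, 80, 443, 587, 993, 995, 8080, 8443}  # assumption
BEACON_THRESHOLD = 5  # assumption: connects to one endpoint that count as a beacon


def norm(path):
    """Case-insensitive comparison key for Windows paths."""
    return path.replace("/", "\\").lower()


def correlate(events):
    """Return {rule_name: [finding, ...]} for one event stream."""
    findings = defaultdict(list)
    written_exes = {}      # norm(path) -> (writer pid, writer image)
    connects = Counter()   # (image, dst, port) -> number of connects

    for ev in events:
        kind = ev["kind"]
        if kind == "file_create" and norm(ev["target"]).endswith(".exe"):
            written_exes[norm(ev["target"])] = (ev["pid"], ev["image"])
        elif kind == "proc_create":
            writer = written_exes.get(norm(ev["image"]))
            if writer:  # an image this stream saw being written is now running
                findings["dropped_exe_executed"].append({
                    "dropper": writer[1], "dropped": ev["image"], "pid": ev["pid"],
                    "parent_is_dropper": writer[0] == ev["ppid"]})
        elif kind == "reg_query" and norm(ev["target"]).endswith(r"\geo\nation"):
            findings["geo_nation_lookup"].append({"image": ev["image"], "pid": ev["pid"]})
        elif kind == "priv_enable" and "SeDebugPrivilege" in ev.get("enabled", []):
            findings["sedebug_enabled"].append({"image": ev["image"], "pid": ev["pid"]})
        elif kind == "net_connect" and ev["proto"] == "tcp" and ev["port"] not in WELL_KNOWN_PORTS:
            connects[(ev["image"], ev["dst"], ev["port"])] += 1

    for (image, dst, port), n in connects.items():
        if n >= BEACON_THRESHOLD:
            findings["repeated_nonstandard_port"].append(
                {"image": image, "dst": f"{dst}:{port}", "count": n})
    return dict(findings)


def score(findings):
    """Crude triage score: how many of the four rules fired."""
    return len(findings)


if __name__ == "__main__":
    for rule, hits in correlate(EVENTS).items():
        for hit in hits:
            print(rule, hit)
```

The dropped-EXE rule keys on the image path having been written earlier in the same stream rather than on the parent PID, so it still fires when the payload is later started by a scheduled task or a second stage; the parent_is_dropper flag only records whether the dropper itself spawned it, as happened in both detonations here.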

Processes

C:\Users\Admin\AppData\Local\Temp\fa3d40ce6752360f82f85789de9206da_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fa3d40ce6752360f82f85789de9206da_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\ioassembly.exe

"C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\ioassembly.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp
NL | 45.67.228.152:54641 | | tcp
NL | 45.67.228.152:54641 | | tcp
NL | 45.67.228.152:54641 | | tcp
NL | 45.67.228.152:54641 | | tcp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
NL | 45.67.228.152:54641 | | tcp
NL | 45.67.228.152:54641 | | tcp
NL | 45.67.228.152:54641 | | tcp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
NL | 45.67.228.152:54641 | | tcp
NL | 45.67.228.152:54641 | | tcp
NL | 45.67.228.152:54641 | | tcp
NL | 45.67.228.152:54641 | | tcp
NL | 45.67.228.152:54641 | | tcp
NL | 45.67.228.152:54641 | | tcp
NL | 45.67.228.152:54641 | | tcp

Files

C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\Lang\en\Phototheca EULA.rtf

MD5 9325aee138a4d9a15d651920fb403ffc
SHA1 19eb57cd989571fa8cd426cbd680430c0e006408
SHA256 9c8346c7f288e63933ebda42cbb874f76067c48198b01adfb63bccfa11970c35
SHA512 d3c0ccf217346e44436ac4f9db3e71b6d2eb152930005f019db5b58dcce923d94007e77fa5b938e182073c2e55163e886853b00e3fc22f135d70854120a218a8

C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\Lang\fr\searchhelp.rtf

MD5 520077fd6d03c64c735258d4d87921d8
SHA1 1b8d82d7da2d85527ce91e72f179fb8a418d47de
SHA256 6faf5a4f8a729dbdc4082a7f33ffde3e72ef34acbf0875932b3e4427bfd9b598
SHA512 8ccd614aaf7cee74a0ed8b34267db004f240ed51d41dd80caeef12fe29a785d4e109b2526acf4c04ff30edc025c1e4afd7e9e11b32ca08ecc3ced7435514d4de

C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\ioassembly.exe

MD5 ecf7cced163166a2ca2028f87c09adfb
SHA1 54ac3d3ff99707a9220c72a1e30643d0e7dfe5ed
SHA256 518105a21064101544174005643c12b24404da142482e074453c27dc8d857fe6
SHA512 02bcf0ef6c7cab94f8090d55d5d7bca400ccf5693dc0f9c8837c77b56df25f75fa42676051d9a0016020fa78a898e2b63bc7267cc4435bc562af90dec4616e64

memory/3008-324-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\lcms-5.0.dll

MD5 91fb31637b57a44e2254dd83359334bd
SHA1 40adc1a5802146e2267a743f1c9ed39aafaa80a2
SHA256 dba6d23b14a2e6c2b80a27672f4902efbf70f601a7f2c55e2ced6ead0131eb3e
SHA512 95ed67b17935f9cee2ce15afdf6f094e4a522f0a5fa5b90f04adb88fc33a521a1ee8206b7249b8b3c0717eec56e36efcff404e6bc44449983fa0d20cf3eeab7c

C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\base.xml

MD5 a18ed82a8dddccca1113a2cb992c1617
SHA1 b49c499776a8fcce659e307dbc018de78bba494e
SHA256 f3a71f6466be37fcb5066258f8b25ee7db68aebd6c8b9e06d83d2c882851781c
SHA512 4ec5b1bbaf6a16f038bba46eae5558132947576178d7ee861f831887001def116467ccdac9b4b7f196925f2a0f05e545abc95e465a85cac2a86a12cd7c4aeca6

memory/2200-328-0x0000000009700000-0x000000000971E000-memory.dmp

memory/2200-329-0x0000000009EF0000-0x000000000A508000-memory.dmp

memory/2200-330-0x0000000003E30000-0x0000000006E30000-memory.dmp

memory/2200-333-0x00000000098C0000-0x00000000098D0000-memory.dmp

memory/2200-332-0x00000000098C0000-0x00000000098D0000-memory.dmp

memory/2200-334-0x00000000098C0000-0x00000000098D0000-memory.dmp

memory/2200-331-0x00000000097E0000-0x00000000097F2000-memory.dmp

memory/2200-335-0x0000000009840000-0x000000000987C000-memory.dmp

memory/2200-336-0x0000000073890000-0x0000000074040000-memory.dmp

memory/2200-337-0x00000000099D0000-0x0000000009A1C000-memory.dmp

memory/2200-338-0x0000000009BF0000-0x0000000009CFA000-memory.dmp

memory/2200-339-0x0000000003E30000-0x0000000006E30000-memory.dmp

memory/2200-340-0x0000000073890000-0x0000000074040000-memory.dmp

memory/2200-341-0x00000000098C0000-0x00000000098D0000-memory.dmp
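The Files and Network sections of both detonations list the same dropped files with the same digests and record every connection to 45.67.228.152:54641 as its own row. As an added example (not the sandbox's own tooling and not part of this report), the parser below reads text in this page's layout into a deduplicated IOC set: one hash record per path, memory dumps kept separately, one row per endpoint with a connection count, and a short list of endpoints that were contacted on a non-well-known port without any resolved domain. SAMPLE is an excerpt copied from the report above and trimmed to a few entries; the blank-line-separated layout it assumes, and the WELL_KNOWN_PORTS set, are assumptions.

```python
"""Parse the Network and Files sections of a text report in this page's
layout into a deduplicated IOC set.

Added example for this page, not the sandbox's own tooling. SAMPLE is an
excerpt copied from the report above and trimmed to a few entries; the
parser assumes the same blank-line-separated layout. WELL_KNOWN_PORTS is an
assumption."""
import re
from collections import Counter

SAMPLE = r"""
Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 45.67.228.152:54641 tcp
NL 45.67.228.152:54641 tcp
NL 45.67.228.152:54641 tcp

Files

C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\ioassembly.exe

MD5 ecf7cced163166a2ca2028f87c09adfb
SHA1 54ac3d3ff99707a9220c72a1e30643d0e7dfe5ed
SHA256 518105a21064101544174005643c12b24404da142482e074453c27dc8d857fe6
SHA512 02bcf0ef6c7cab94f8090d55d5d7bca400ccf5693dc0f9c8837c77b56df25f75fa42676051d9a0016020fa78a898e2b63bc7267cc4435bc562af90dec4616e64

memory/3008-324-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Roaming\Delimon Software\Delimon IO Assembly\base.xml

MD5 a18ed82a8dddccca1113a2cb992c1617
SHA1 b49c499776a8fcce659e307dbc018de78bba494e
SHA256 f3a71f6466be37fcb5066258f8b25ee7db68aebd6c8b9e06d83d2c882851781c
SHA512 4ec5b1bbaf6a16f038bba46eae5558132947576178d7ee861f831887001def116467ccdac9b4b7f196925f2a0f05e545abc95e465a85cac2a86a12cd7c4aeca6
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
# Country, host:port, optional domain, proto; the domain column may be empty.
NET_RE = re.compile(r"^([A-Z]{2})\s+(\S+):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")
WELL_KNOWN_PORTS = {25, 53, 80, 443, 587, 993, 995, 8080, 8443}


def parse_report(text):
    """Return files (path -> hashes), memory dumps and per-endpoint counts."""
    section, current = None, None
    files, dumps = {}, []
    counts, domains = Counter(), {}
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Network", "Files"):
            section, current = line, None
        elif not line or line.startswith("Country "):
            continue
        elif section == "Network":
            m = NET_RE.match(line)
            if not m:
                raise ValueError("unparsed network row: " + line)
            _cc, host, port, domain, proto = m.groups()
            key = (host, int(port), proto)
            counts[key] += 1
            if domain:
                domains[key] = domain
        elif section == "Files":
            m = HASH_RE.match(line)
            if m:
                algo, digest = m.group(1), m.group(2).lower()
                # A digest of the wrong length means a truncated or garbled row.
                if current is None or len(digest) != HASH_LEN[algo]:
                    raise ValueError("bad %s line: %s" % (algo, line))
                files[current][algo.lower()] = digest
            elif line.startswith("memory/"):
                dumps.append(line)
                current = None
            else:
                current = line
                files.setdefault(current, {})  # same path listed twice -> merged
    network = [{"dst": f"{h}:{p}", "port": p, "proto": pr, "count": n,
                "domain": domains.get((h, p, pr))}
               for (h, p, pr), n in counts.items()]
    return {"files": files, "memory_dumps": dumps, "network": network}


def unresolved_endpoints(parsed):
    """Endpoints hit on a non-well-known port with no domain: C2 candidates."""
    return [e["dst"] for e in parsed["network"]
            if e["domain"] is None and e["port"] not in WELL_KNOWN_PORTS]


if __name__ == "__main__":
    result = parse_report(SAMPLE)
    for path, hashes in result["files"].items():
        print(path, hashes.get("sha256"))
    print(unresolved_endpoints(result))
```

Feeding the full Files and Network text of both detonations through parse_report merges the duplicate file entries into one record each and collapses the repeated rows into a single count per endpoint, which is the form a blocklist or a hunt query actually needs; the length check on each digest catches the common copy-and-paste truncation of a SHA512 before it reaches that list.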