babadeda | ebaa5af691e844929d2cad60baf36b118db3fc4b0616ce8b9585838aaf4c34b6

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_f0b05b2333d9f421e29ea1c9d0ba0260.exe
Size

7.5MB
MD5

f0b05b2333d9f421e29ea1c9d0ba0260
SHA1

aa657e8ee8f4fa0e68bb15f980344dfd8e9561df
SHA256

ebaa5af691e844929d2cad60baf36b118db3fc4b0616ce8b9585838aaf4c34b6
SHA512

66db04869cd2d704c6da6958a708cb3aa17fc70eff9f8be98fe269e6ddac1015347cbc1c10d2bcda52bc1cf31ae42e49085561d817c32e29d7e575b4ce945875
SSDEEP

196608:pOWD5akOJ3Vekcb2tOaD3c5izrT8uKYRpA6mUcy4Jn:s05AV2AFDM5iPfAB/t

Score

10^/10

babadeda cryptbot crypter discovery loader spyware stealer

Malware Config

Extracted

Family

cryptbot

veocou63.top

morizu06.top

Attributes

payload_url
http://tynpdi08.top/download.php?file=loungy.exe

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023ca5-66.dat	family_babadeda

Babadeda family
babadeda
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot

Executes dropped EXE 1 IoCs

pid	Process
1188	backdata.exe

Loads dropped DLL 5 IoCs

pid	Process
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
1188	backdata.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{71CD67EC-C060-49EA-85E5-97ED42D7335B}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBB03.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBBA0.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBBEF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBC4E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBCFB.tmp	msiexec.exe
File created	C:\Windows\Installer\e57b9ee.msi	msiexec.exe
File created	C:\Windows\Installer\e57b9ea.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57b9ea.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f0b05b2333d9f421e29ea1c9d0ba0260.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backdata.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	backdata.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	backdata.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2920	msiexec.exe
2920	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2896	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2896	msiexec.exe
Token: SeSecurityPrivilege	2920	msiexec.exe
Token: SeCreateTokenPrivilege	2896	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2896	msiexec.exe
Token: SeLockMemoryPrivilege	2896	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2896	msiexec.exe
Token: SeMachineAccountPrivilege	2896	msiexec.exe
Token: SeTcbPrivilege	2896	msiexec.exe
Token: SeSecurityPrivilege	2896	msiexec.exe
Token: SeTakeOwnershipPrivilege	2896	msiexec.exe
Token: SeLoadDriverPrivilege	2896	msiexec.exe
Token: SeSystemProfilePrivilege	2896	msiexec.exe
Token: SeSystemtimePrivilege	2896	msiexec.exe
Token: SeProfSingleProcessPrivilege	2896	msiexec.exe
Token: SeIncBasePriorityPrivilege	2896	msiexec.exe
Token: SeCreatePagefilePrivilege	2896	msiexec.exe
Token: SeCreatePermanentPrivilege	2896	msiexec.exe
Token: SeBackupPrivilege	2896	msiexec.exe
Token: SeRestorePrivilege	2896	msiexec.exe
Token: SeShutdownPrivilege	2896	msiexec.exe
Token: SeDebugPrivilege	2896	msiexec.exe
Token: SeAuditPrivilege	2896	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2896	msiexec.exe
Token: SeChangeNotifyPrivilege	2896	msiexec.exe
Token: SeRemoteShutdownPrivilege	2896	msiexec.exe
Token: SeUndockPrivilege	2896	msiexec.exe
Token: SeSyncAgentPrivilege	2896	msiexec.exe
Token: SeEnableDelegationPrivilege	2896	msiexec.exe
Token: SeManageVolumePrivilege	2896	msiexec.exe
Token: SeImpersonatePrivilege	2896	msiexec.exe
Token: SeCreateGlobalPrivilege	2896	msiexec.exe
Token: SeRestorePrivilege	2920	msiexec.exe
Token: SeTakeOwnershipPrivilege	2920	msiexec.exe
Token: SeRestorePrivilege	2920	msiexec.exe
Token: SeTakeOwnershipPrivilege	2920	msiexec.exe
Token: SeRestorePrivilege	2920	msiexec.exe
Token: SeTakeOwnershipPrivilege	2920	msiexec.exe
Token: SeRestorePrivilege	2920	msiexec.exe
Token: SeTakeOwnershipPrivilege	2920	msiexec.exe
Token: SeRestorePrivilege	2920	msiexec.exe
Token: SeTakeOwnershipPrivilege	2920	msiexec.exe
Token: SeRestorePrivilege	2920	msiexec.exe
Token: SeTakeOwnershipPrivilege	2920	msiexec.exe
Token: SeRestorePrivilege	2920	msiexec.exe
Token: SeTakeOwnershipPrivilege	2920	msiexec.exe
Token: SeRestorePrivilege	2920	msiexec.exe
Token: SeTakeOwnershipPrivilege	2920	msiexec.exe
Token: SeRestorePrivilege	2920	msiexec.exe
Token: SeTakeOwnershipPrivilege	2920	msiexec.exe
Token: SeRestorePrivilege	2920	msiexec.exe
Token: SeTakeOwnershipPrivilege	2920	msiexec.exe
Token: SeRestorePrivilege	2920	msiexec.exe
Token: SeTakeOwnershipPrivilege	2920	msiexec.exe
Token: SeRestorePrivilege	2920	msiexec.exe
Token: SeTakeOwnershipPrivilege	2920	msiexec.exe
Token: SeRestorePrivilege	2920	msiexec.exe
Token: SeTakeOwnershipPrivilege	2920	msiexec.exe
Token: SeRestorePrivilege	2920	msiexec.exe
Token: SeTakeOwnershipPrivilege	2920	msiexec.exe
Token: SeRestorePrivilege	2920	msiexec.exe
Token: SeTakeOwnershipPrivilege	2920	msiexec.exe
Token: SeRestorePrivilege	2920	msiexec.exe
Token: SeTakeOwnershipPrivilege	2920	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1188	backdata.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 2896	4620	JaffaCakes118_f0b05b2333d9f421e29ea1c9d0ba0260.exe	82
PID 4620 wrote to memory of 2896	4620	JaffaCakes118_f0b05b2333d9f421e29ea1c9d0ba0260.exe	82
PID 4620 wrote to memory of 2896	4620	JaffaCakes118_f0b05b2333d9f421e29ea1c9d0ba0260.exe	82
PID 2920 wrote to memory of 2240	2920	msiexec.exe	85
PID 2920 wrote to memory of 2240	2920	msiexec.exe	85
PID 2920 wrote to memory of 2240	2920	msiexec.exe	85
PID 2920 wrote to memory of 1188	2920	msiexec.exe	86
PID 2920 wrote to memory of 1188	2920	msiexec.exe	86
PID 2920 wrote to memory of 1188	2920	msiexec.exe	86

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f0b05b2333d9f421e29ea1c9d0ba0260.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f0b05b2333d9f421e29ea1c9d0ba0260.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Windows\SysWOW64\msiexec.exe
  msiexec /i "C:\Users\Admin\AppData\Local\Temp\AdvBackup\AdvBackup.msi" /qn /norestart
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2896

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 55E7D75337C7AA80C68BEC40CEA44936
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2240
- C:\Users\Admin\AppData\Roaming\Chris Long\Advanced Backup\backdata.exe
  "C:\Users\Admin\AppData\Roaming\Chris Long\Advanced Backup\backdata.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57b9ed.rbs

Filesize
13KB

MD5
f1fb79a876d4f28774a2adef1a9085e3

SHA1
f27833cfede7b4fde123d4d770070c871d68f380

SHA256
fa6adbc96cb2b200fe53a48d3bc63edd20a13cc8c531e4770d75eb316a9c8c6f

SHA512
b2544045e9bd4165d08daebaf46fce83c530078ee268ceedee227ca127d10ad6dc5360a082facda2182a551b61fa6ef3f580f5625d8873fb979d4c18342231c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvBackup\AdvBackup.msi

Filesize
7.7MB

MD5
25ad5262c29d2ea7404bda26ef0188bd

SHA1
83f9194b6224defe5827c94c67c2d32808d71919

SHA256
a45f49a2506f2353a72a287630f6ce1ab002554c75fc65a19321366bdd29ed0f

SHA512
7c990871346fe2e9d18cb4a46cd8f7cec07f1d4d5430362f2c6c60d2cbd34ac3cc61da121e50cba5f3a3a964876e6f4dd34c5a93344daae959e0fe030d532088

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcYeQSjKiCgMD\FBkUnhZbYfmkLT.zip

Filesize
46KB

MD5
9e7963fceecf78f006e0b1d2db69b755

SHA1
060012af1cba78807c5322dab72b05c594e18690

SHA256
c0a4d39ef95a74bcc1bf75f088e9a74ce6d8c47d3cdc38aab8005876c97ff797

SHA512
1a73c8186bff3035bf662ca4fba793d10f1db1156942bc695ca07080bf21d95217c23ccb702c355b35eb3f5c4f9d3f532988df01e6ec9dab1b749ff2481b3cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcYeQSjKiCgMD\_Files\_Information.txt

Filesize
7KB

MD5
fcf2f191f9c5abe0c9b56c2fb78b7087

SHA1
840e1ae1eb3fbb6f0369f6b15fa67560658dcd1c

SHA256
6237b1d11fa48d5443decf0f7fb1a48f194774e41b5e92a4a87d08e0e7b3a9e3

SHA512
9a3a6a87c946d9eac9610a2696b804ac1c00f0e3c58b05cfd42250a1321a7f57261b60acf5b266dd3a0123a114e41a7aa944f4dfea16ad700ab93664d909a4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcYeQSjKiCgMD\_Files\_Screen_Desktop.jpeg

Filesize
51KB

MD5
e39290487fd18ff7e09cf53f5f8fa818

SHA1
2134e2a60148cb140553e611f8f969d6f637930b

SHA256
4d9143d5f6f33ff9d863b58494a6dbadb376f27f64d189f2b3e62a1c7ab7eee9

SHA512
657f5b6b9494d207603a01a4ef7434604c5f637a05d39eff344415155f9e7462a44e2d7a034c9f4eec21953efba48fa5f7c0c35dba39f91951c9bee086015148

Download Submit
C:\Users\Admin\AppData\Roaming\Chris Long\Advanced Backup\backdata.exe

Filesize
10.2MB

MD5
b4f358fb5e2687505a7793a1c3fd30b8

SHA1
665fdf0bfece66a4e65684e4a8022ba18ea90b29

SHA256
843daace027b06df1ceb220a8dca85099e6249d3cd588f192c19105dfebd9008

SHA512
73c875846ec43aa2db3d0d45cedd330e8ae2bc1fe58298a08e6ad9824a5caedb00d670a7d1816ff7c778e4ac0bd6b166107a1b64cc0ff5d5ed50893ded8d9aeb

Download Submit
C:\Users\Admin\AppData\Roaming\Chris Long\Advanced Backup\libmetis30.dll

Filesize
3.8MB

MD5
5a9963267a59111458cc97cffe054699

SHA1
233cd89ab6cef194b2aaa9cc17bfb7f3f24e7411

SHA256
21b706d416bbdaf6037e8efbfa86cf1eb10fc1834dfa8fdf2386a7f0492246db

SHA512
03c7b50185b084e6ccf4c09be1eeff7fc6c254e22e36eb4b8a11e3d6b239f378df1659274fe2341a5a54b8b0043fc44678a2405716c54109391b67925fe5edd8

Download Submit
C:\Users\Admin\AppData\Roaming\Chris Long\Advanced Backup\mlg

Filesize
559KB

MD5
d3cefa732bbfb96d5e9ac98650a85733

SHA1
b6a914c0e61d1640b83849ae77d2aa3e0b28604b

SHA256
025545351f15a7e62b271453eb5f2e12e13d53bf8b08d466d3e6e62a5c530e81

SHA512
fc582f7e19d843b854e75f5f7b39713152c3b1c3d5f599eae46c78d9cfa358a2b81de47dda6c0769f346fed98d7e00cc0a4a46c126a5d2b4b78268ec163fdf4b

Download Submit
C:\Windows\Installer\MSIBB03.tmp

Filesize
393KB

MD5
3d24a2af1fb93f9960a17d6394484802

SHA1
ee74a6ceea0853c47e12802961a7a8869f7f0d69

SHA256
8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88

SHA512
f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

Download Submit
memory/1188-65-0x0000000000AA0000-0x000000000153D000-memory.dmp

Filesize
10.6MB

Download
memory/1188-192-0x0000000000AA0000-0x000000000153D000-memory.dmp

Filesize
10.6MB

Download