Overview
overview
10Static
static
7Badware Wo...ee.exe
windows7-x64
5Badware Wo...ee.exe
windows10-2004-x64
5Badware Wo...er.bat
windows7-x64
1Badware Wo...er.bat
windows10-2004-x64
1Badware Wo...er.exe
windows7-x64
9Badware Wo...er.exe
windows10-2004-x64
9Badware Wo...EL.exe
windows7-x64
9Badware Wo...EL.exe
windows10-2004-x64
9Badware Wo...er.exe
windows7-x64
10Badware Wo...er.exe
windows10-2004-x64
10Badware Wo...er.exe
windows7-x64
10Badware Wo...er.exe
windows10-2004-x64
10Badware Wo...er.exe
windows7-x64
9Badware Wo...er.exe
windows10-2004-x64
9Badware Wo...er.bat
windows7-x64
8Badware Wo...er.bat
windows10-2004-x64
8Badware Wo...er.bat
windows7-x64
1Badware Wo...er.bat
windows10-2004-x64
1Badware Wo...er.exe
windows7-x64
7Badware Wo...er.exe
windows10-2004-x64
10Badware Wo...ol.bat
windows7-x64
8Badware Wo...ol.bat
windows10-2004-x64
8Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
12-03-2024 00:13
Behavioral task
behavioral1
Sample
Badware Woofer/BadwareFree.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
Badware Woofer/BadwareFree.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Badware Woofer/Serials_Checker.bat
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral4
Sample
Badware Woofer/Serials_Checker.bat
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Badware Woofer/cleaners/AppleCleaner.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral6
Sample
Badware Woofer/cleaners/AppleCleaner.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Badware Woofer/cleaners/AppleS5-DEL.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
Badware Woofer/cleaners/AppleS5-DEL.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Badware Woofer/cleaners/BadwareCleaner.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
Badware Woofer/cleaners/BadwareCleaner.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
Badware Woofer/cleaners/BadwareDeepCleaner.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
Badware Woofer/cleaners/BadwareDeepCleaner.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
Badware Woofer/cleaners/EventCleaner.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral14
Sample
Badware Woofer/cleaners/EventCleaner.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
Badware Woofer/cleaners/Fivem-Cleaner.bat
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral16
Sample
Badware Woofer/cleaners/Fivem-Cleaner.bat
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
Badware Woofer/cleaners/FortniteCleaner.bat
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral18
Sample
Badware Woofer/cleaners/FortniteCleaner.bat
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
Badware Woofer/cleaners/NXTcleaner.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral20
Sample
Badware Woofer/cleaners/NXTcleaner.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
Badware Woofer/cleaners/full deep cleaner by nigga mhatt lol.bat
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral22
Sample
Badware Woofer/cleaners/full deep cleaner by nigga mhatt lol.bat
Resource
win10v2004-20240226-en
windows10-2004-x64
General
-
Target
Badware Woofer/cleaners/FortniteCleaner.bat
-
Size
1.5MB
-
MD5
2429db21a224c48fa6b17e55a6762328
-
SHA1
f86eb0c2de25e8970add83b66253d3f18b0994e1
-
SHA256
365685c1e71944bc955c6be46cc33a44099bcb0f8c625228e89445f18866b778
-
SHA512
0487e79a9b2b427f8c0e5bb860e78039bcf29626bd58ad8190df858fcfa130d15add3fcd350cdadaccbc1d2e13f822dab76e418029d692d2ccd972594b4c0e23
-
SSDEEP
49152:9TOB4ynYygOvXsMruROZyUpWvWOLZkORn:b
Malware Config
Signatures
-
Kills process with taskkill 11 IoCs
pid Process 1672 taskkill.exe 2552 taskkill.exe 2640 taskkill.exe 3020 taskkill.exe 3060 taskkill.exe 2732 taskkill.exe 2768 taskkill.exe 2600 taskkill.exe 2484 taskkill.exe 2616 taskkill.exe 2500 taskkill.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
description pid Process Token: SeDebugPrivilege 1672 taskkill.exe Token: SeDebugPrivilege 2732 taskkill.exe Token: SeDebugPrivilege 2768 taskkill.exe Token: SeDebugPrivilege 2600 taskkill.exe Token: SeDebugPrivilege 3060 taskkill.exe Token: SeDebugPrivilege 2484 taskkill.exe Token: SeDebugPrivilege 2552 taskkill.exe Token: SeDebugPrivilege 2616 taskkill.exe Token: SeDebugPrivilege 2640 taskkill.exe Token: SeDebugPrivilege 2500 taskkill.exe Token: SeDebugPrivilege 3020 taskkill.exe -
Suspicious use of WriteProcessMemory 39 IoCs
description pid Process procid_target PID 2016 wrote to memory of 1672 2016 cmd.exe 29 PID 2016 wrote to memory of 1672 2016 cmd.exe 29 PID 2016 wrote to memory of 1672 2016 cmd.exe 29 PID 2016 wrote to memory of 2732 2016 cmd.exe 31 PID 2016 wrote to memory of 2732 2016 cmd.exe 31 PID 2016 wrote to memory of 2732 2016 cmd.exe 31 PID 2016 wrote to memory of 2768 2016 cmd.exe 32 PID 2016 wrote to memory of 2768 2016 cmd.exe 32 PID 2016 wrote to memory of 2768 2016 cmd.exe 32 PID 2016 wrote to memory of 2600 2016 cmd.exe 33 PID 2016 wrote to memory of 2600 2016 cmd.exe 33 PID 2016 wrote to memory of 2600 2016 cmd.exe 33 PID 2016 wrote to memory of 3060 2016 cmd.exe 34 PID 2016 wrote to memory of 3060 2016 cmd.exe 34 PID 2016 wrote to memory of 3060 2016 cmd.exe 34 PID 2016 wrote to memory of 2484 2016 cmd.exe 35 PID 2016 wrote to memory of 2484 2016 cmd.exe 35 PID 2016 wrote to memory of 2484 2016 cmd.exe 35 PID 2016 wrote to memory of 2552 2016 cmd.exe 36 PID 2016 wrote to memory of 2552 2016 cmd.exe 36 PID 2016 wrote to memory of 2552 2016 cmd.exe 36 PID 2016 wrote to memory of 2616 2016 cmd.exe 37 PID 2016 wrote to memory of 2616 2016 cmd.exe 37 PID 2016 wrote to memory of 2616 2016 cmd.exe 37 PID 2016 wrote to memory of 2640 2016 cmd.exe 38 PID 2016 wrote to memory of 2640 2016 cmd.exe 38 PID 2016 wrote to memory of 2640 2016 cmd.exe 38 PID 2016 wrote to memory of 2500 2016 cmd.exe 39 PID 2016 wrote to memory of 2500 2016 cmd.exe 39 PID 2016 wrote to memory of 2500 2016 cmd.exe 39 PID 2016 wrote to memory of 3020 2016 cmd.exe 40 PID 2016 wrote to memory of 3020 2016 cmd.exe 40 PID 2016 wrote to memory of 3020 2016 cmd.exe 40 PID 2016 wrote to memory of 2624 2016 cmd.exe 41 PID 2016 wrote to memory of 2624 2016 cmd.exe 41 PID 2016 wrote to memory of 2624 2016 cmd.exe 41 PID 2624 wrote to memory of 2968 2624 cmd.exe 42 PID 2624 wrote to memory of 2968 2624 cmd.exe 42 PID 2624 wrote to memory of 2968 2624 cmd.exe 42
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Badware Woofer\cleaners\FortniteCleaner.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\system32\taskkill.exetaskkill /f /im epicgameslauncher.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1672
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_EAC.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2732
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2768
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_BE.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2600
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteLauncher.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3060
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im UnrealCEFSubProcess.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2484
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im CEFProcess.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2552
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im EasyAntiCheat.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2616
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im BEService.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2640
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im BEServices.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2500
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im BattleEye.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Badware Woofer\cleaners\FortniteCleaner.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\system32\findstr.exefindstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Badware Woofer\cleaners\FortniteCleaner.bat"3⤵PID:2968
-
-