bdaejec | 13c739544e392920c0e108aed613c98f097f985631c6cc118d796fcee59bab17 | Triage

Sharing

General

Target

Spoofer.rar
Size

9.4MB
Sample

241012-tbc74sybna
MD5

dd1f7eeba35048af94ef7c2737cfb89a
SHA1

fa652d2b7adf5e9982720e08ac17c9fecfe95a03
SHA256

13c739544e392920c0e108aed613c98f097f985631c6cc118d796fcee59bab17
SHA512

7b608452151bc5fb57641205002152c3e893d5e824b0308d7fad921b5dedf711c571a123f4eb99b12552e92425b113ead546822d2a850ecbfc013c85512ee521
SSDEEP

196608:4WfGSWpkN/fz0a0XBlIau9Kv9L3Far7Oo17hI+VqA4beiQX6glI4:iTkND0zRlGo1AvlrqA4VQz

Score

10^/10

bdaejec aspackv2 backdoor discovery execution pyinstaller

Malware Config

Extracted

Family

bdaejec

C2

ddos.dnsnb8.net

Targets

- Target
  
  Spoofer/Cambiador de serial/kdmapper.exe
- Size
  
  107KB
- MD5
  
  d63c0a558ae60ae055d8f2aae1d0a494
- SHA1
  
  51ed78431c44402abcea6913ecf845e1662777ba
- SHA256
  
  779411d073c1aaefc7df224c9e972fd3ea848944b7fa92412c5cd71da512a729
- SHA512
  
  c2f421be696ac398d158a9da6fe6586b7bd1f528bc94f7b295d65f12d515584c4d78cb901ae667c925f60182e62815fe8c64b95c6806f95cd2facfd4db52f55b
- SSDEEP
  
  3072:Yppjdz7eqQfZ8G7A5G390uDmJTQSaMm5/6lWOax9gg:YppjdPsZ8qqWlQWx3
Score

1^/10
behavioral1 behavioral2
- Target
  
  Spoofer/Cambiador de serial/spoofer.sys
- Size
  
  11KB
- MD5
  
  ece894602ee9353cce23dc4ece8a5445
- SHA1
  
  ba600000eb12f543516576035e4bb25dc5628b46
- SHA256
  
  93a516ebdd6bb1fe9dc5951b21fbacdff660997548bbb3df57dba92417caa33d
- SHA512
  
  0ad350f2d52e1b2c6f3b9a76cfcdb29307de22ea19ca71ab6cdea80350882eadb5ccf68d317360924fdd166ebd32eb2997167466c4407a2b5c45f4e6db7acc89
- SSDEEP
  
  192:QreOkMkNIcwT4ZdVynlkR2N6quhu58JLTWY4fuo5XDNboli:weuPnlkR2N6b3LTS0i
Score

1^/10
behavioral3
- Target
  
  Spoofer/Remover Logs/log1.exe
- Size
  
  107KB
- MD5
  
  990683bf20e4c23e92f988992e64b1f2
- SHA1
  
  782fa1c9d964b70881a896504c9822ea44aeee0f
- SHA256
  
  0b848b847ec52d4037c9a4ccb108fed8b877d93f13f20b089f327f2385043b88
- SHA512
  
  389760fa7fe3a7ecaa22cd0082ed58a3ba5bd18c88fe976a64c79b81a7ccdd14d9de48c3a3835eceadfd8f517997159a3208afc6a076f1f5693cf3f4b5ff72eb
- SSDEEP
  
  1536:57fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfqwqO08GCq2iW7z:t7DhdC6kzWypvaQ0FxyNTBfqqGCH
Score

10^/10

bdaejec aspackv2 backdoor discovery
- Bdaejec
  Bdaejec is a backdoor written in C++.
  backdoor bdaejec
- Detects Bdaejec Backdoor.
  Bdaejec is backdoor written in C++.
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral4 behavioral5
- Target
  
  Spoofer/Remover Logs/log2.exe
- Size
  
  107KB
- MD5
  
  fc0cf51e23828300811b9279e641e65f
- SHA1
  
  7c4d0b7efe4e9648e1e13625255e4d00c65dda73
- SHA256
  
  a8ebd91e787da7058191684de95648495d391090aa617c7d8ab7949b1a2d10c6
- SHA512
  
  08a460191d6d07c84dc9c9c7f2c0d9df2f33c5df07be441637cbe04a1e93758de2a7189d543b7a00a5e5e0ef44f42603fc78f88b75493ffde58992cf39216eb4
- SSDEEP
  
  1536:57fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfrw4xON1GCq2iW7z:t7DhdC6kzWypvaQ0FxyNTBfr0GCH
Score

10^/10

bdaejec aspackv2 backdoor discovery
- Bdaejec
  Bdaejec is a backdoor written in C++.
  backdoor bdaejec
- Detects Bdaejec Backdoor.
  Bdaejec is backdoor written in C++.
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral6 behavioral7
- Target
  
  Spoofer/Remover Logs/log3.exe
- Size
  
  9.4MB
- MD5
  
  79fd04395a1df6c2dc3f46dac43e2682
- SHA1
  
  4a69dfe95ef2901ec1afc63bbc2b9817bee26455
- SHA256
  
  d9ca44315aaffd331091ae3c106601e3daaaa778868105257f3d8b21074cbff1
- SHA512
  
  28140df85b1d65b83f0f340cadbf14eb10b35ea5b4ea72ac5f0c08d704febbbfbe6d32ffbd90a4df4a3df04a2d755285f163de38e7f77ff78ab2638da6f89564
- SSDEEP
  
  196608:Fjv3QkY8XMCHGLLc54i1wN+rPIcu9KYK39sevBare+3PP+VMwxCEc/j:tvtXMCHWUjMcuIhv4e+/P+VA
Score

8^/10

discovery execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates processes with tasklist
  discovery
behavioral8 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

bdaejecaspackv2backdoordiscovery

behavioral5

bdaejecaspackv2backdoordiscovery

behavioral6

bdaejecaspackv2backdoordiscovery

behavioral7

bdaejecaspackv2backdoordiscovery

behavioral8

behavioral9

discoveryexecution