berbew | ff8f7f05aaa397faee7b97ab8da2eaca798ce48e1ee29bd7db015b3158a33103

General

Target

ff8f7f05aaa397faee7b97ab8da2eaca798ce48e1ee29bd7db015b3158a33103N.exe
Size

55KB
MD5

f5492aeac001e80bd0429c4f5f591e40
SHA1

3421f0f8032f9809452704fd4ef85d4eddbaa8dc
SHA256

ff8f7f05aaa397faee7b97ab8da2eaca798ce48e1ee29bd7db015b3158a33103
SHA512

85d9bb62ab74fe702eb1d4feea31bad48cb9e48cd148b2cbb8dc822477f12faccf96739cab3dee5cd8ba515c110fc2895937e9aeaa2e6f27a76078f8eaacc356
SSDEEP

768:LPOhBHsQRzrtG0Qpc6kDgSSSFjmneYq03bEYATBfcTLT2p/1H5RXdnh:LPOvVg0QpnkYQeYcD2Lp

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danpemej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ff8f7f05aaa397faee7b97ab8da2eaca798ce48e1ee29bd7db015b3158a33103N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ff8f7f05aaa397faee7b97ab8da2eaca798ce48e1ee29bd7db015b3158a33103N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danpemej.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 2 IoCs

pid	Process
2848	Danpemej.exe
1040	Dpapaj32.exe

Loads dropped DLL 7 IoCs

pid	Process
2688	ff8f7f05aaa397faee7b97ab8da2eaca798ce48e1ee29bd7db015b3158a33103N.exe
2688	ff8f7f05aaa397faee7b97ab8da2eaca798ce48e1ee29bd7db015b3158a33103N.exe
2848	Danpemej.exe
2848	Danpemej.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Danpemej.exe	ff8f7f05aaa397faee7b97ab8da2eaca798ce48e1ee29bd7db015b3158a33103N.exe
File opened for modification	C:\Windows\SysWOW64\Danpemej.exe	ff8f7f05aaa397faee7b97ab8da2eaca798ce48e1ee29bd7db015b3158a33103N.exe
File created	C:\Windows\SysWOW64\Cbehjc32.dll	ff8f7f05aaa397faee7b97ab8da2eaca798ce48e1ee29bd7db015b3158a33103N.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Danpemej.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2920	1040	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff8f7f05aaa397faee7b97ab8da2eaca798ce48e1ee29bd7db015b3158a33103N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ff8f7f05aaa397faee7b97ab8da2eaca798ce48e1ee29bd7db015b3158a33103N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll"	ff8f7f05aaa397faee7b97ab8da2eaca798ce48e1ee29bd7db015b3158a33103N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danpemej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ff8f7f05aaa397faee7b97ab8da2eaca798ce48e1ee29bd7db015b3158a33103N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ff8f7f05aaa397faee7b97ab8da2eaca798ce48e1ee29bd7db015b3158a33103N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ff8f7f05aaa397faee7b97ab8da2eaca798ce48e1ee29bd7db015b3158a33103N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ff8f7f05aaa397faee7b97ab8da2eaca798ce48e1ee29bd7db015b3158a33103N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danpemej.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2848	2688	ff8f7f05aaa397faee7b97ab8da2eaca798ce48e1ee29bd7db015b3158a33103N.exe	31
PID 2688 wrote to memory of 2848	2688	ff8f7f05aaa397faee7b97ab8da2eaca798ce48e1ee29bd7db015b3158a33103N.exe	31
PID 2688 wrote to memory of 2848	2688	ff8f7f05aaa397faee7b97ab8da2eaca798ce48e1ee29bd7db015b3158a33103N.exe	31
PID 2688 wrote to memory of 2848	2688	ff8f7f05aaa397faee7b97ab8da2eaca798ce48e1ee29bd7db015b3158a33103N.exe	31
PID 2848 wrote to memory of 1040	2848	Danpemej.exe	32
PID 2848 wrote to memory of 1040	2848	Danpemej.exe	32
PID 2848 wrote to memory of 1040	2848	Danpemej.exe	32
PID 2848 wrote to memory of 1040	2848	Danpemej.exe	32
PID 1040 wrote to memory of 2920	1040	Dpapaj32.exe	33
PID 1040 wrote to memory of 2920	1040	Dpapaj32.exe	33
PID 1040 wrote to memory of 2920	1040	Dpapaj32.exe	33
PID 1040 wrote to memory of 2920	1040	Dpapaj32.exe	33

C:\Users\Admin\AppData\Local\Temp\ff8f7f05aaa397faee7b97ab8da2eaca798ce48e1ee29bd7db015b3158a33103N.exe
"C:\Users\Admin\AppData\Local\Temp\ff8f7f05aaa397faee7b97ab8da2eaca798ce48e1ee29bd7db015b3158a33103N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\Danpemej.exe
  C:\Windows\system32\Danpemej.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\Dpapaj32.exe
    C:\Windows\system32\Dpapaj32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1040
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 144
      4⤵
      Loads dropped DLL
      Program crash
      PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
55KB

MD5
d94eaf38b4b668da2b65749a25c20d38

SHA1
6a03c93c575f4428421ed478a8831398362970ce

SHA256
e062574674ba7f3a2a942b8a5182b7cf57636d73a65e7ac14eb7785f01694599

SHA512
07fec92fca1ff51027853866a3c0ed7469d0db5b45ca23b54e9adc0b325f0b6701c6c8b5d77790ede44da088a72c679b5f289d6ebb6253105b3acd33b1d0d3ea

Download Submit
\Windows\SysWOW64\Danpemej.exe

Filesize
55KB

MD5
e714a848342863a3ad36556c19e16827

SHA1
6aa5f7b6fe9f897c81ccced8cdbae598b4337462

SHA256
5bc2f934cd5d428f2306bc43d8598abb1ccec28a2853af0a89c8cdaf96607e5a

SHA512
73e70c26d256971219068488605dcd7c6c8466f2564a740ac1265d1fc1416867deabe52eca8c03fea96bbae66539f85f2caece6f7e0ad4dbc785986b84ec5408

Download Submit
memory/1040-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-13-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2688-12-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2688-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-29-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2848-34-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads