bdaejec | 72898e403b43fb06d0e7aa755d5b721715c38a442c56dd485db323fe34a58a8c

General

Target

2024-11-06_5b5a3d2315892c38f6b63a8e0c024527_smoke-loader_wapomi.exe
Size

80KB
MD5

5b5a3d2315892c38f6b63a8e0c024527
SHA1

76cc975fcd29b896b0774905c1e2c213d5fbb439
SHA256

72898e403b43fb06d0e7aa755d5b721715c38a442c56dd485db323fe34a58a8c
SHA512

2c63b6b14d4fc38df1b1cb98c6829ed67d91a50b3b188322f4fc8c7322c84e53ca55fef5cd85b570ba9075b950ce23e455952fac9c2ec57e2b2f76f81555d1e2
SSDEEP

1536:fHB0UxMkzOt7HcvJGt5AdHIOWnToIf12ZKJGCq2iW7z:fhAWJGSCTBf12Z2GCH

Score

10^/10

bdaejec aspackv2 backdoor discovery

Malware Config

Extracted

Family

bdaejec

C2

ddos.dnsnb8.net

Signatures

Bdaejec
Bdaejec is a backdoor written in C++.
backdoor bdaejec
Bdaejec family
bdaejec

Detects Bdaejec Backdoor. 1 IoCs

Bdaejec is backdoor written in C++.

Processes:

resource	yara_rule
behavioral1/memory/2960-29-0x00000000010D0000-0x00000000010D9000-memory.dmp	family_bdaejec_backdoor

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\QAtAmvt.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

QAtAmvt.exe

pid process

2960 QAtAmvt.exe

pid	process
2960	QAtAmvt.exe

Loads dropped DLL 2 IoCs

Processes:

2024-11-06_5b5a3d2315892c38f6b63a8e0c024527_smoke-loader_wapomi.exe

pid	process
2912	2024-11-06_5b5a3d2315892c38f6b63a8e0c024527_smoke-loader_wapomi.exe
2912	2024-11-06_5b5a3d2315892c38f6b63a8e0c024527_smoke-loader_wapomi.exe

Drops file in Program Files directory 64 IoCs

Processes:

QAtAmvt.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	QAtAmvt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	QAtAmvt.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	QAtAmvt.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	QAtAmvt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	QAtAmvt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE	QAtAmvt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE	QAtAmvt.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	QAtAmvt.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	QAtAmvt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE	QAtAmvt.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	QAtAmvt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	QAtAmvt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE	QAtAmvt.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	QAtAmvt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	QAtAmvt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	QAtAmvt.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	QAtAmvt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	QAtAmvt.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	QAtAmvt.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{06715A9D-70D2-4C5C-9F8A-D2392905D83D}\chrome_installer.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	QAtAmvt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	QAtAmvt.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	QAtAmvt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE	QAtAmvt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE	QAtAmvt.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	QAtAmvt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	QAtAmvt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE	QAtAmvt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	QAtAmvt.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE	QAtAmvt.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	QAtAmvt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	QAtAmvt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	QAtAmvt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exe2024-11-06_5b5a3d2315892c38f6b63a8e0c024527_smoke-loader_wapomi.exeQAtAmvt.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-06_5b5a3d2315892c38f6b63a8e0c024527_smoke-loader_wapomi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QAtAmvt.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2024-11-06_5b5a3d2315892c38f6b63a8e0c024527_smoke-loader_wapomi.exeQAtAmvt.exe

description	pid	process	target process
PID 2912 wrote to memory of 2960	2912	2024-11-06_5b5a3d2315892c38f6b63a8e0c024527_smoke-loader_wapomi.exe	QAtAmvt.exe
PID 2912 wrote to memory of 2960	2912	2024-11-06_5b5a3d2315892c38f6b63a8e0c024527_smoke-loader_wapomi.exe	QAtAmvt.exe
PID 2912 wrote to memory of 2960	2912	2024-11-06_5b5a3d2315892c38f6b63a8e0c024527_smoke-loader_wapomi.exe	QAtAmvt.exe
PID 2912 wrote to memory of 2960	2912	2024-11-06_5b5a3d2315892c38f6b63a8e0c024527_smoke-loader_wapomi.exe	QAtAmvt.exe
PID 2960 wrote to memory of 2740	2960	QAtAmvt.exe	cmd.exe
PID 2960 wrote to memory of 2740	2960	QAtAmvt.exe	cmd.exe
PID 2960 wrote to memory of 2740	2960	QAtAmvt.exe	cmd.exe
PID 2960 wrote to memory of 2740	2960	QAtAmvt.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-06_5b5a3d2315892c38f6b63a8e0c024527_smoke-loader_wapomi.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-06_5b5a3d2315892c38f6b63a8e0c024527_smoke-loader_wapomi.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\QAtAmvt.exe
  C:\Users\Admin\AppData\Local\Temp\QAtAmvt.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\003470fb.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\003470fb.bat

Filesize
189B

MD5
2a094f9047e9a93ccd25324d7ce8f86c

SHA1
031faa6b0507f2edbd209bc4e65819449e56b2d2

SHA256
91243716b692cdd3040efdd5206ebcc5392539a95f01998f478ca1c4d7f94c89

SHA512
0b55e36ffd3602fa0f9d5da34760cb93ccf6f30093867191930ba847eef06f0a051330654c4710cc1ca965bd095f11003ba2d1972473f0c6cd21ddf621c00d3a

Download Submit
\Users\Admin\AppData\Local\Temp\QAtAmvt.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
memory/2912-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2912-4-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/2912-31-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2912-32-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/2960-10-0x00000000010D0000-0x00000000010D9000-memory.dmp

Filesize
36KB

Download
memory/2960-29-0x00000000010D0000-0x00000000010D9000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads