bdaejec | ce35342f5478d4d93db3abf616fad729cef7d1de7034a30f418e7a98240f0c2b

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 08:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-11_b12cee209774d385be3ae497e7c63e11_mafia_wapomi.exe
Size

188KB
MD5

b12cee209774d385be3ae497e7c63e11
SHA1

5f064ad90e5e4144e2e9b856414680f21798907e
SHA256

ce35342f5478d4d93db3abf616fad729cef7d1de7034a30f418e7a98240f0c2b
SHA512

acb432f388ad10f61cba32c055d2abe666b57dd3a69d900d525aa196d47b97eadde6220f9182796fa31010951bd460ec4ba547259fa4a26cabdab3fdc5fc0f0f
SSDEEP

3072:Djaz/kdH1QuA3rGuYt/ie+0T1ddxWTXOvXjfaz4WUSXpltz7GUd+w3wieCzp8GCH:LdHeuAbGuYVie+0T1ddxWTXOvXjfaz4u

Score

10^/10

bdaejec aspackv2 backdoor discovery

Malware Config

Extracted

Family

bdaejec

ddos.dnsnb8.net

Signatures

Bdaejec
Bdaejec is a backdoor written in C++.
backdoor bdaejec
Bdaejec family
bdaejec

Detects Bdaejec Backdoor. 1 IoCs

Bdaejec is backdoor written in C++.

resource	yara_rule
behavioral1/memory/2772-28-0x0000000000030000-0x0000000000039000-memory.dmp	family_bdaejec_backdoor

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000b00000001225f-11.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
2772	STqhUQ.exe

Loads dropped DLL 2 IoCs

pid	Process
388	2024-11-11_b12cee209774d385be3ae497e7c63e11_mafia_wapomi.exe
388	2024-11-11_b12cee209774d385be3ae497e7c63e11_mafia_wapomi.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	STqhUQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	STqhUQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	STqhUQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE	STqhUQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE	STqhUQ.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	STqhUQ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	STqhUQ.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	STqhUQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	STqhUQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE	STqhUQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE	STqhUQ.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Windows Mail\WinMail.exe	STqhUQ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	STqhUQ.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	STqhUQ.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	STqhUQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE	STqhUQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	STqhUQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE	STqhUQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	STqhUQ.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	STqhUQ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	STqhUQ.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	STqhUQ.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Windows Journal\Journal.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	STqhUQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	STqhUQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	STqhUQ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	STqhUQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	STqhUQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-11_b12cee209774d385be3ae497e7c63e11_mafia_wapomi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	STqhUQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 2772	388	2024-11-11_b12cee209774d385be3ae497e7c63e11_mafia_wapomi.exe	32
PID 388 wrote to memory of 2772	388	2024-11-11_b12cee209774d385be3ae497e7c63e11_mafia_wapomi.exe	32
PID 388 wrote to memory of 2772	388	2024-11-11_b12cee209774d385be3ae497e7c63e11_mafia_wapomi.exe	32
PID 388 wrote to memory of 2772	388	2024-11-11_b12cee209774d385be3ae497e7c63e11_mafia_wapomi.exe	32
PID 2772 wrote to memory of 2156	2772	STqhUQ.exe	34
PID 2772 wrote to memory of 2156	2772	STqhUQ.exe	34
PID 2772 wrote to memory of 2156	2772	STqhUQ.exe	34
PID 2772 wrote to memory of 2156	2772	STqhUQ.exe	34

C:\Users\Admin\AppData\Local\Temp\2024-11-11_b12cee209774d385be3ae497e7c63e11_mafia_wapomi.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-11_b12cee209774d385be3ae497e7c63e11_mafia_wapomi.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:388
- C:\Users\Admin\AppData\Local\Temp\STqhUQ.exe
  C:\Users\Admin\AppData\Local\Temp\STqhUQ.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\06d35518.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\06d35518.bat

Filesize
187B

MD5
f1ac512ac282d4c8520784ffd67e33b2

SHA1
f1d241ccc90ba6e50048c005dd870e98a0312d0f

SHA256
41c39741e8aa67983e8a70ca1b3ce232e5acf50b15167dfe825eace20e7273b5

SHA512
64105c174477b0fe0c5dbe4420bc3e5df7f1845363e129edff74461631a36b96fd833a1db4417ee5aad9f95725182e21220a06164b3104b109c4861040229a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\STqhUQ.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
memory/388-0-0x0000000000020000-0x0000000000055000-memory.dmp

Filesize
212KB

Download
memory/388-9-0x0000000000020000-0x0000000000055000-memory.dmp

Filesize
212KB

Download
memory/2772-10-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2772-28-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download