General

  • Target

    RetardedNigger2024.zip

  • Size

    21.7MB

  • Sample

    241117-v5a6aatqft

  • MD5

    77c232adb4ab9f4919d82a3a2cc72246

  • SHA1

    994efdf00f2f89ae57833de378c17a66ce94e643

  • SHA256

    bd7a853e20ec918539038278bb788fea3314d1da09e7f75608d13a8cd2436362

  • SHA512

    c939c5ad357ce18882c21b205d5fbcba20f7deaad6556229cdc5e265416168b74e6ebe214e2edfc91c6f248c88c436893eb215ce5e081d14bc96bccf91ad8057

  • SSDEEP

    393216:aKiW0JS2OD2FNeBBEfxVKfcX5Vi+D2vXs2Ju8aDAGHimE//suXiYuX+wzsyrVG:aENbeNMqvDzF2Ju1AGHNjuXif+wzTw

Malware Config

Extracted

Family

bdaejec

C2

ddos.dnsnb8.net

Targets

    • Target

      tmpfile-main/0000000r00d000r3.exe

    • Size

      4.9MB

    • MD5

      340753116751ef6f5212667501a0e562

    • SHA1

      ad4d25b43964c1c54accdcbe97a3f2ca80d15894

    • SHA256

      b61907b9081bb5d7125264c5e60de013c02b7b866148248de603fb55f8d39a18

    • SHA512

      d9564e38ea4000c16ebacc4a4b95925c8998d2bce33b3ad7bd0aa0b220d60f372d798591f4365b1271085036055519e4a94afd47d51ad5a2c6002e1f54ffc2f2

    • SSDEEP

      98304:w4KoSKQ6Kob7IdoOPn49MWTB9z2OuVIsFx6fZPELW4sF+JKcNWdZRM9b7:wAXQFob7Idj/4VTbaVIsSBfFoxMnsb

    Score
    8/10
    • Sets service image path in registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      tmpfile-main/Exterm.exe

    • Size

      830KB

    • MD5

      4b1fba57411e2fb9756f44a84bd74b43

    • SHA1

      06305226e1d4e4fcca12d83d72dc8a4fe9f4d9ed

    • SHA256

      4001b4e8a309eb8949f827d0b3ef572c79c1b21d96aa4c35436b0930bea8eec1

    • SHA512

      ce491f3fcea8d270351825f0ac8e48994866d728db121b954c0fa2d16d7999d0f898c99b969f75521c5c827bc5437221e707f78e3fb68e70c8a6abd91775f113

    • SSDEEP

      24576:75bRMyb2OEpAoC0HJ0EWRVW4ICikaZo8M:NbRMyb5YP0ny4xiNZoB

    • Bdaejec

      Bdaejec is a backdoor written in C++.

    • Bdaejec family

    • Detects Bdaejec Backdoor.

      Bdaejec is a backdoor written in C++.

    • Stops running service(s)

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      tmpfile-main/Gaming Chair.exe

    • Size

      2.1MB

    • MD5

      9503205a5f7581720f7fa6348c49a93b

    • SHA1

      34453ec11bb30ae10519a468deaefbf3f965fe3a

    • SHA256

      0dca41e17e4f286a420dd2e6fbbd9ad460f1dac1f3de83672fa9de977f6b6402

    • SHA512

      0524cabf5d0b87bf6f34a1c2e2cc3eef85e95e5b3fdd66fc60e5e07e4c0ce7cdbeb9eca7778bae5b4a0302ce822a08ce30c346d62bdbd746e2c8c6c8fe015191

    • SSDEEP

      49152:xMi7EDQljtuC9Ss8k9yi83GMB5rr3KJPjFJa9Ndcs8Mcs8Mcs8Mcs8M7Lbr7Lbr6:xBYDQ1th9SVk99scB

    • Bdaejec

      Bdaejec is a backdoor written in C++.

    • Bdaejec family

    • Detects Bdaejec Backdoor.

      Bdaejec is a backdoor written in C++.

    • Stops running service(s)

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      tmpfile-main/Node32.exe

    • Size

      366KB

    • MD5

      31be6f6a2cbf1c49790b490df463500a

    • SHA1

      878a2fee90a2ceb49213a5b5742499ca8e14fec0

    • SHA256

      6d4222db12dd717bef62cabc134fbbdad8033767780eeb6d7322a38b8a2a81de

    • SHA512

      8b3c2e96ee85502d4ebd750e94397915370f47543cb7ce0c0b598407319387727678daac28dd843f0d61685b83fb8597cf473091774cdf74cdc9dd98f9a06d37

    • SSDEEP

      6144:NClTCNaC5liBrWdzoRQJx9LDmaAF5kDERQp+QDW9WkkHp683KX:NUolitMIaAFkJ6

    • Modifies security service

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      tmpfile-main/Node63.exe

    • Size

      13KB

    • MD5

      f04105a5ee0d0b440ab470546ac95400

    • SHA1

      64cd0a16d842065336eb2e47f9a2a04339f187fe

    • SHA256

      8788e01aa0ff4f299112ce04501a23d241522d8abe9663bfd09487adc8322d10

    • SHA512

      fa5f41b2b0ec3c14b35b980147c40e7c1afd55729ced4280a70819a278dec265c7f37fe0faf69a96ca09a92f5e77073e54acf3dfd37017b69b928ae42148adce

    • SSDEEP

      384:8TzzCX9HSjnpYNLLt3rYKHzMr2X1Vl6fnr:8Ta9yjWxxzg2X1Xk

    Score
    3/10
    • Target

      tmpfile-main/Node64.exe

    • Size

      368KB

    • MD5

      47fe2649cc2325a477fce08731aeb716

    • SHA1

      268abf2cceac62263fe040dc40b8b4b9aa3592da

    • SHA256

      d3808b41fe847339d9d69eaa05a5c7dea072b3e6325127a53b54c0d5e102f49b

    • SHA512

      173bd39f32dc4c95309e8e23a33542f92bb1c22459be30e47b52ab92827f418c7ba59fd9b31606f7f40824366e949e7de89a851d1acb8425bbf7fd607632e0d4

    • SSDEEP

      6144:dClTCNaC5liBrWdzoRQJx9LDmaAF5kDERQp+QDN9gkHp683KX:dUolitMIaAFkh6

    • Modifies security service

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      tmpfile-main/Sobfox.exe

    • Size

      5.2MB

    • MD5

      a34a8c7f18a484aebc37cc67e86f8441

    • SHA1

      c0fbef5f036d7b4bb1d9d350e24d6d99096f1ba1

    • SHA256

      1f350ddd7b2d7cf5da7dd41b793d1d28642b7bfd4ddac2c278499b2d911bece5

    • SHA512

      e8df773de29f73bf7b1e3915b842abcdb3f42185cfb632b60ae1f5c1fcf9cc0cad57d3f54f79f9ce6c94c9691e3f72e66efdec4f63ba5f5de908f318d2d9f9ab

    • SSDEEP

      98304:j3GIi+v8hp0EI/mbrVVxAnPJ6hR0O+vk3nVcJGOLS:j3GIiMhubJVeQ5+k3nVYLS

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      tmpfile-main/stTfuo7I.exe

    • Size

      4.9MB

    • MD5

      6f179cb4399501b0aef6bed87067c461

    • SHA1

      8cdfeebc4075540d4eb80403aab1c412ce1ff483

    • SHA256

      caa64978428e81f087a0407398a5a0d47c1d5e6e438f220c2ea34de3aa0bcb0c

    • SHA512

      20361366df3d0fe038a17230ab8002e784f5d10026375894b223b69cfde0c7885cefd294aecb5870fcd6dee12c5a427c98b0e086f96ae6c21120b2932893d2e2

    • SSDEEP

      98304:Mxv9MTqUi2Rg7yxivn0jokds41Fh4bpgxAYDaRDzHM4TOFRAJSNfcFXN/D+HxowG:2v9mfi866AYafs4iITrmnhpDBzvTKS

    Score
    1/10
    • Target

      tmpfile-main/stTfuo8I.exe

    • Size

      4.8MB

    • MD5

      e9f9aaf1b165f0e1a0310cfe04b7deaf

    • SHA1

      512b5d16ccc0a16619e69dda46382f346c1b1d51

    • SHA256

      9ab3067a40f40f1e171a5ae3cd036ae9ef32d8cabb0e06502e56fe6df67d6feb

    • SHA512

      d2940b5f86e731dae7df1d5f69cc138e03b50a19ff77843fdf61d92035f64449ba3e8948585cfeca709d871ccfd51aca8f734adc09dfde14c8e27d4c972f4d0c

    • SSDEEP

      98304:5F+ssBEhz9Nq5s7ydXteaDJ/23nPl2ptbzfoHvoimaTFAeXzl:5Xs2Ju9eaD0tGHfoTmE/D

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL
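
The SSDEEP values listed above for tmpfile-main/Node32.exe and tmpfile-main/Node64.exe share the same block size (6144) and differ in only a handful of characters, which is what two builds of the same binary look like under fuzzy hashing. The following is an added example, not part of the sandbox report and not the ssdeep project's own code: a Python re-implementation of libfuzzy's comparison (insert/delete cost 1, substitution cost 2, a required 7-character common substring, runs of more than three identical characters collapsed to three, score 0 when block sizes differ by more than a factor of two), run over the three Node*.exe hashes copied from the report. The Node63.exe hash is included only to show the block-size rule; the constants and function names are this example's own.

```python
"""Re-implementation of the ssdeep (libfuzzy) comparison, applied to the
Node*.exe fuzzy hashes from this report. Added example: it follows libfuzzy's
fuzzy_compare/score_strings logic but is not the library itself, so treat the
scores as illustrative and use `ssdeep -d` for real triage."""
import re

SPAMSUM_LENGTH = 64
ROLLING_WINDOW = 7
MIN_BLOCKSIZE = 3

# Fuzzy hashes copied verbatim from the report's SSDEEP fields
NODE32 = "6144:NClTCNaC5liBrWdzoRQJx9LDmaAF5kDERQp+QDW9WkkHp683KX:NUolitMIaAFkJ6"
NODE64 = "6144:dClTCNaC5liBrWdzoRQJx9LDmaAF5kDERQp+QDN9gkHp683KX:dUolitMIaAFkh6"
NODE63 = "384:8TzzCX9HSjnpYNLLt3rYKHzMr2X1Vl6fnr:8Ta9yjWxxzg2X1Xk"


def parse(sig):
    """Split 'blocksize:chunk:double_chunk' into (int, str, str)."""
    bs, s1, s2 = sig.split(":", 2)
    return int(bs), s1, s2


def eliminate_sequences(s):
    """Collapse runs longer than 3 of the same character, as libfuzzy does."""
    return re.sub(r"(.)\1{3,}", lambda m: m.group(1) * 3, s)


def has_common_substring(a, b):
    """libfuzzy refuses to score strings without a ROLLING_WINDOW-char common run."""
    if len(a) < ROLLING_WINDOW or len(b) < ROLLING_WINDOW:
        return False
    return any(a[i:i + ROLLING_WINDOW] in b for i in range(len(a) - ROLLING_WINDOW + 1))


def edit_distance(a, b):
    """Weighted Levenshtein: insert 1, delete 1, replace 2 (libfuzzy edit_distn)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                      # delete from a
                           cur[j - 1] + 1,                   # insert into a
                           prev[j - 1] + (0 if ca == cb else 2)))  # substitute
        prev = cur
    return prev[-1]


def score_strings(a, b, block_size):
    """Score one pair of chunk strings at a given block size (0..100)."""
    if len(a) > SPAMSUM_LENGTH or len(b) > SPAMSUM_LENGTH:
        return 0
    if not has_common_substring(a, b):
        return 0
    score = edit_distance(a, b)
    score = score * SPAMSUM_LENGTH // (len(a) + len(b))
    score = 100 * score // SPAMSUM_LENGTH
    score = 100 - score
    # Small block sizes with short chunks are capped so they cannot score high.
    if block_size >= (99 + ROLLING_WINDOW) * MIN_BLOCKSIZE // ROLLING_WINDOW:
        return score
    return min(score, block_size // MIN_BLOCKSIZE * min(len(a), len(b)))


def compare(sig1, sig2):
    """0..100 similarity like `ssdeep -d`; 0 when block sizes are not comparable."""
    bs1, a1, a2 = parse(sig1)
    bs2, b1, b2 = parse(sig2)
    if bs1 != bs2 and bs1 != bs2 * 2 and bs2 != bs1 * 2:
        return 0
    a1, a2, b1, b2 = map(eliminate_sequences, (a1, a2, b1, b2))
    if bs1 == bs2:
        if a1 == b1 and a2 == b2:
            return 100
        return max(score_strings(a1, b1, bs1), score_strings(a2, b2, bs1 * 2))
    if bs1 == bs2 * 2:
        return score_strings(a1, b2, bs1)
    return score_strings(a2, b1, bs2)


if __name__ == "__main__":
    print("Node32 vs Node64:", compare(NODE32, NODE64))
    print("Node32 vs Node63:", compare(NODE32, NODE63))
```

With this implementation Node32.exe and Node64.exe score 94 on ssdeep's 0..100 scale (the first chunk strings are seven edit operations apart across 99 characters), while Node32.exe against Node63.exe returns 0 before any string comparison because 384 and 6144 are not within a factor of two of each other. The same check across a larger corpus is a cheap way to cluster re-packed or re-built droppers from one campaign without a full binary diff.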

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

persistence
Score
8/10

behavioral2

persistence
Score
8/10

behavioral3

bdaejec aspackv2 backdoor discovery evasion execution
Score
10/10

behavioral4

bdaejec aspackv2 backdoor discovery evasion execution
Score
10/10

behavioral5

bdaejec aspackv2 backdoor discovery evasion execution
Score
10/10

behavioral6

bdaejec aspackv2 backdoor discovery evasion execution
Score
10/10

behavioral7

discovery evasion execution persistence
Score
10/10

behavioral8

discovery execution persistence
Score
10/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

discovery evasion execution persistence
Score
10/10

behavioral12

discovery execution persistence
Score
10/10

behavioral13

Score
7/10

behavioral14

Score
7/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
7/10

behavioral18

Score
7/10
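
The behaviours attached to tmpfile-main/Node32.exe and tmpfile-main/Node64.exe above (PowerShell used to add Windows Defender exclusions, a Run key added, a service image path set in the registry, a security service modified) and the C2 domain from the Malware Config section are the observations a defender would want to match in endpoint telemetry rather than only in a sandbox. The following is an added example, not part of the report: a Python pass over constructed Sysmon-style events (EventID 1 process creation, EventID 13 registry value set, EventID 22 DNS query) that flags each of those behaviours. The event values, file paths, registry keys and the list of security service names are this example's own assumptions for illustration; only the C2 domain is taken from the report, which does not state which registry keys the samples actually touched.

```python
"""Toy detection pass over Sysmon-style events for the behaviours this report
lists. Added example with constructed events; the Sysmon field names (EventID,
Image, CommandLine, TargetObject, Details, QueryName) are real, the values are
made up, and the registry keys/service names are assumptions, not report data."""
import re

C2_DOMAINS = {"ddos.dnsnb8.net"}  # from the report's Malware Config

# Constructed sample events (not sandbox output); the last two are benign noise.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -nop -w hidden -c "Add-MpPreference -ExclusionPath C:\Users\Public -ExclusionExtension exe -ExclusionProcess Node32.exe"'},
    {"EventID": 13, "Image": r"C:\Users\Public\Node32.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Node32",
     "Details": r"C:\Users\Public\Node32.exe"},
    {"EventID": 13, "Image": r"C:\Users\Public\0000000r00d000r3.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Updater\ImagePath",
     "Details": r"C:\Windows\System32\updater.exe"},
    {"EventID": 13, "Image": r"C:\Users\Public\Node32.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\WinDefend\Start",
     "Details": "DWORD (0x00000004)"},
    {"EventID": 22, "Image": r"C:\Users\Public\Exterm.exe",
     "QueryName": "ddos.dnsnb8.net"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

# Add-MpPreference / Set-MpPreference with any -Exclusion* parameter.
DEFENDER_EXCLUSION = re.compile(
    r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Extension|Process)", re.I)
# Per-user or machine Run / RunOnce keys.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# ImagePath of any service.
SERVICE_IMAGEPATH = re.compile(r"\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I)
# Start type or binary of well-known Windows security services (assumed list).
SECURITY_SERVICES = re.compile(
    r"\\CurrentControlSet\\Services\\(WinDefend|Sense|MpsSvc|wscsvc|SecurityHealthService)\\(Start|ImagePath)$",
    re.I)


def classify(event):
    """Return the list of rule names a single event matches (empty if benign)."""
    hits = []
    eid = event.get("EventID")
    if eid == 1:
        image = event.get("Image", "").lower()
        if "powershell" in image and DEFENDER_EXCLUSION.search(event.get("CommandLine", "")):
            hits.append("defender_exclusion_via_powershell")
    elif eid == 13:
        key = event.get("TargetObject", "")
        if RUN_KEY.search(key):
            hits.append("run_key_persistence")
        if SERVICE_IMAGEPATH.search(key):
            hits.append("service_imagepath_set")
        if SECURITY_SERVICES.search(key):
            hits.append("security_service_modified")
    elif eid == 22:
        if event.get("QueryName", "").lower().rstrip(".") in C2_DOMAINS:
            hits.append("known_c2_dns_query")
    return hits


def scan(events):
    """Map each triggered rule name to the set of images that triggered it."""
    findings = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(rule, set()).add(ev.get("Image", ""))
    return findings


if __name__ == "__main__":
    for rule, images in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{rule}: {', '.join(sorted(images))}")
```

Each rule is deliberately narrow: the Defender rule keys on the cmdlet and an exclusion parameter rather than on the word "Defender", the service rule anchors on the ImagePath value name so ordinary service configuration reads do not fire, and the C2 match is an exact domain set so it can be swapped for the full IOC list of a report. Pivoting from a match back to the Image field gives the dropped file to hash and compare against the SHA256 values listed above.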