berbew | 308d247c2f455dc6688b1dc00b84641ada8d21802581a0d35ec9071ba3b4b91a

General

Target

308d247c2f455dc6688b1dc00b84641ada8d21802581a0d35ec9071ba3b4b91a.exe
Size

460KB
MD5

57a586976c44d034078b0e45a054c22d
SHA1

334d278de3a312af1087a2d6cd2a9bbdcce7fa68
SHA256

308d247c2f455dc6688b1dc00b84641ada8d21802581a0d35ec9071ba3b4b91a
SHA512

336db006263638fe5deea04b2efc37940b53a9915cd2fc717f531ab4b0bbd4198a0293a2eacf90f6f7731028d2e86c589801e79054fea7d7ac27d0adce851342
SSDEEP

6144:R+nZKDqXSTYaT15f7o+STYaT15fKj+v3WTlcy6TR9TbM:R+ZKDvTYapJoTYapI2mTlQTfTQ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	308d247c2f455dc6688b1dc00b84641ada8d21802581a0d35ec9071ba3b4b91a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	308d247c2f455dc6688b1dc00b84641ada8d21802581a0d35ec9071ba3b4b91a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 3 IoCs

pid	Process
452	Dfnjafap.exe
1640	Dmjocp32.exe
2964	Dmllipeg.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	308d247c2f455dc6688b1dc00b84641ada8d21802581a0d35ec9071ba3b4b91a.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	308d247c2f455dc6688b1dc00b84641ada8d21802581a0d35ec9071ba3b4b91a.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	308d247c2f455dc6688b1dc00b84641ada8d21802581a0d35ec9071ba3b4b91a.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dmjocp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3520	2964	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	308d247c2f455dc6688b1dc00b84641ada8d21802581a0d35ec9071ba3b4b91a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	308d247c2f455dc6688b1dc00b84641ada8d21802581a0d35ec9071ba3b4b91a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	308d247c2f455dc6688b1dc00b84641ada8d21802581a0d35ec9071ba3b4b91a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	308d247c2f455dc6688b1dc00b84641ada8d21802581a0d35ec9071ba3b4b91a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	308d247c2f455dc6688b1dc00b84641ada8d21802581a0d35ec9071ba3b4b91a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	308d247c2f455dc6688b1dc00b84641ada8d21802581a0d35ec9071ba3b4b91a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	308d247c2f455dc6688b1dc00b84641ada8d21802581a0d35ec9071ba3b4b91a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 452	2272	308d247c2f455dc6688b1dc00b84641ada8d21802581a0d35ec9071ba3b4b91a.exe	83
PID 2272 wrote to memory of 452	2272	308d247c2f455dc6688b1dc00b84641ada8d21802581a0d35ec9071ba3b4b91a.exe	83
PID 2272 wrote to memory of 452	2272	308d247c2f455dc6688b1dc00b84641ada8d21802581a0d35ec9071ba3b4b91a.exe	83
PID 452 wrote to memory of 1640	452	Dfnjafap.exe	84
PID 452 wrote to memory of 1640	452	Dfnjafap.exe	84
PID 452 wrote to memory of 1640	452	Dfnjafap.exe	84
PID 1640 wrote to memory of 2964	1640	Dmjocp32.exe	85
PID 1640 wrote to memory of 2964	1640	Dmjocp32.exe	85
PID 1640 wrote to memory of 2964	1640	Dmjocp32.exe	85

C:\Users\Admin\AppData\Local\Temp\308d247c2f455dc6688b1dc00b84641ada8d21802581a0d35ec9071ba3b4b91a.exe
"C:\Users\Admin\AppData\Local\Temp\308d247c2f455dc6688b1dc00b84641ada8d21802581a0d35ec9071ba3b4b91a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\Dfnjafap.exe
  C:\Windows\system32\Dfnjafap.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Windows\SysWOW64\Dmjocp32.exe
    C:\Windows\system32\Dmjocp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\SysWOW64\Dmllipeg.exe
      C:\Windows\system32\Dmllipeg.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2964
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 396
        5⤵
        Program crash
        
        PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2964 -ip 2964
1⤵
PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
460KB

MD5
dda9c227cf5e75d5c9701b6eb9ae9168

SHA1
3717cfc2cd6a3d62a258134f79a594c2bdc4d552

SHA256
9f3ae45344b76405d1ae2ffa1ec0415ef66ce2933a462a609860a93278d7d6ca

SHA512
4b8a67a4f1bd57b94cad983e3b1c89af1f8e00031002a9f5d51c4f5cd3ce605786dac9e8e3460f42205701de85f8c7057b6c07b4dd4bc2786581b515a0b29404

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
460KB

MD5
61d618a8ec34b5ab1623b068c277bd38

SHA1
4844f115b45c2fc648dc4905fbf94efec36d5f6f

SHA256
ccecb556e94979fe1624673f575b4c7d72b4308fa02bb54986184d30eb40cf83

SHA512
a5864c41e7c5072065a387e9c95adaf2c41bce0f1363f3b2548a61490af83da5661c89214e54f19cc1d6c8626e5e3fd2b01b8c897a050fa513bf428ff0071c8e

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
460KB

MD5
89b3f8eaf121712b14801811915c47cd

SHA1
2ec6733da5e20d778affb31146af0cfe2c5ab532

SHA256
07500d856d73f164d39c7e524f434a698050b14a1dcf4afaadd81ac3b67f840e

SHA512
ba90229af9ae4215b9392546818f21fa9798cf270c564f11c14636010394d2f67b6f2f8196239e43e4b2d51b262480495e5e4301e7c4e4283824a81f4ac3ce46

Download Submit
memory/452-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2272-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads