Analysis
-
max time kernel
64s -
max time network
53s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
28-11-2024 03:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-11-28_c205558b705dbf77c766e78d25e57e60_smoke-loader_wapomi.exe
Resource
win7-20240729-en
windows7-x64
10 signatures
150 seconds
General
-
Target
2024-11-28_c205558b705dbf77c766e78d25e57e60_smoke-loader_wapomi.exe
-
Size
36KB
-
MD5
c205558b705dbf77c766e78d25e57e60
-
SHA1
80358a4a30c0a4786b9764160e1e20ad624c795c
-
SHA256
83904ffe5a5c3e8b3af0c98d7a81ac9ac78f9140e55e9944b22a4c7436d672be
-
SHA512
b796e11783466c0f3e603e1a2ab93a9d0764fae89d374ac74ef004cad79cbf3b6a074dd2ba6d038240c761519db0f6cb0c4e88d30afc00f225f7c235e3eeae10
-
SSDEEP
768:Y4BZwegjJmxWJQpk84Ul+3xOXB27QGPL4vzZq2o9W7GsxBbPr:Y4BZ2Jm/kWmOXB28GCq2iW7z
Malware Config
Extracted
Family
bdaejec
C2
ddos.dnsnb8.net
Signatures
-
Bdaejec family
-
Detects Bdaejec Backdoor. 1 IoCs
Bdaejec is backdoor written in C++.
Processes:
resource yara_rule behavioral1/memory/2372-22-0x0000000000130000-0x0000000000139000-memory.dmp family_bdaejec_backdoor -
Processes:
resource yara_rule behavioral1/files/0x00080000000120fe-1.dat aspack_v212_v242 -
Executes dropped EXE 1 IoCs
Processes:
ySZeVE.exepid Process 2372 ySZeVE.exe -
Loads dropped DLL 2 IoCs
Processes:
2024-11-28_c205558b705dbf77c766e78d25e57e60_smoke-loader_wapomi.exepid Process 2300 2024-11-28_c205558b705dbf77c766e78d25e57e60_smoke-loader_wapomi.exe 2300 2024-11-28_c205558b705dbf77c766e78d25e57e60_smoke-loader_wapomi.exe -
Drops file in Program Files directory 64 IoCs
Processes:
ySZeVE.exedescription ioc Process File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe ySZeVE.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe ySZeVE.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE ySZeVE.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE ySZeVE.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jre7\bin\klist.exe ySZeVE.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe ySZeVE.exe File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe ySZeVE.exe File opened for modification C:\Program Files\Windows Defender\MSASCui.exe ySZeVE.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE ySZeVE.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE ySZeVE.exe File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe ySZeVE.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE ySZeVE.exe File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe ySZeVE.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE ySZeVE.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jre7\bin\jabswitch.exe ySZeVE.exe File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe ySZeVE.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe ySZeVE.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe ySZeVE.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE ySZeVE.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe ySZeVE.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe ySZeVE.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe ySZeVE.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe ySZeVE.exe File opened for modification C:\Program Files\Windows Photo Viewer\ImagingDevices.exe ySZeVE.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe ySZeVE.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE ySZeVE.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jre7\bin\rmiregistry.exe ySZeVE.exe File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe ySZeVE.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE ySZeVE.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe ySZeVE.exe File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe ySZeVE.exe File opened for modification C:\Program Files\Windows Journal\PDIALOG.exe ySZeVE.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe ySZeVE.exe File opened for modification C:\Program Files (x86)\Windows Mail\wabmig.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jre7\bin\javaw.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jre7\bin\kinit.exe ySZeVE.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe ySZeVE.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE ySZeVE.exe File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe ySZeVE.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE ySZeVE.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe ySZeVE.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
2024-11-28_c205558b705dbf77c766e78d25e57e60_smoke-loader_wapomi.exeySZeVE.execmd.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-28_c205558b705dbf77c766e78d25e57e60_smoke-loader_wapomi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ySZeVE.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
2024-11-28_c205558b705dbf77c766e78d25e57e60_smoke-loader_wapomi.exeySZeVE.exedescription pid Process procid_target PID 2300 wrote to memory of 2372 2300 2024-11-28_c205558b705dbf77c766e78d25e57e60_smoke-loader_wapomi.exe 31 PID 2300 wrote to memory of 2372 2300 2024-11-28_c205558b705dbf77c766e78d25e57e60_smoke-loader_wapomi.exe 31 PID 2300 wrote to memory of 2372 2300 2024-11-28_c205558b705dbf77c766e78d25e57e60_smoke-loader_wapomi.exe 31 PID 2300 wrote to memory of 2372 2300 2024-11-28_c205558b705dbf77c766e78d25e57e60_smoke-loader_wapomi.exe 31 PID 2372 wrote to memory of 1624 2372 ySZeVE.exe 33 PID 2372 wrote to memory of 1624 2372 ySZeVE.exe 33 PID 2372 wrote to memory of 1624 2372 ySZeVE.exe 33 PID 2372 wrote to memory of 1624 2372 ySZeVE.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-28_c205558b705dbf77c766e78d25e57e60_smoke-loader_wapomi.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-28_c205558b705dbf77c766e78d25e57e60_smoke-loader_wapomi.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Users\Admin\AppData\Local\Temp\ySZeVE.exeC:\Users\Admin\AppData\Local\Temp\ySZeVE.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\2ce66ac4.bat" "3⤵
- System Location Discovery: System Language Discovery
PID:1624
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
187B
MD545f055d6e32f0180fff94e531c47a774
SHA19bc7ac7495c711881a51b64bd5535bb2dbfa433e
SHA2566345e8d9dff4c1235846a4839aabc69257049b4dbcf4501f002d65bb8ca07f11
SHA51269011120599e6abda493d9a31db29fb8621d4d6c5c0d9aba53f3d54f372d20020e75559e86121cea3e3a9280b9fb1d1d081da68c0a754fd3d22f4e84d26986e2
-
Filesize
15KB
MD556b2c3810dba2e939a8bb9fa36d3cf96
SHA199ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA2564354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA51227812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e