berbew | 3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959

General

Target

3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959.exe
Size

90KB
MD5

bf0334416987502fec6746e9518ab217
SHA1

e1a2f0055c243876e303641701679758b3357f7d
SHA256

3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959
SHA512

9faa9900504a6daf3b09d550ba40fd46d88d42451374ba64d3ad4367a08c564f706a0069f1bab3c66a283ecdc7e113b0ab38bfbf8814701d74499c94199e2425
SSDEEP

1536:kaPBxh8Fh+wQwD5u6ge5KW6ZivLuOATSvjDVGju/Ub0VkVNK:kaP58Fh+wd5u6/5B7vLXVGju/Ub0+NK

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjakccop.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 4 IoCs

pid	Process
2056	Cjakccop.exe
2196	Cmpgpond.exe
2668	Dnpciaef.exe
2644	Dpapaj32.exe

Loads dropped DLL 11 IoCs

pid	Process
2436	3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959.exe
2436	3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959.exe
2056	Cjakccop.exe
2056	Cjakccop.exe
2196	Cmpgpond.exe
2196	Cmpgpond.exe
2668	Dnpciaef.exe
2668	Dnpciaef.exe
2636	WerFault.exe
2636	WerFault.exe
2636	WerFault.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Cjakccop.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2636	2644	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2056	2436	3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959.exe	31
PID 2436 wrote to memory of 2056	2436	3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959.exe	31
PID 2436 wrote to memory of 2056	2436	3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959.exe	31
PID 2436 wrote to memory of 2056	2436	3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959.exe	31
PID 2056 wrote to memory of 2196	2056	Cjakccop.exe	32
PID 2056 wrote to memory of 2196	2056	Cjakccop.exe	32
PID 2056 wrote to memory of 2196	2056	Cjakccop.exe	32
PID 2056 wrote to memory of 2196	2056	Cjakccop.exe	32
PID 2196 wrote to memory of 2668	2196	Cmpgpond.exe	33
PID 2196 wrote to memory of 2668	2196	Cmpgpond.exe	33
PID 2196 wrote to memory of 2668	2196	Cmpgpond.exe	33
PID 2196 wrote to memory of 2668	2196	Cmpgpond.exe	33
PID 2668 wrote to memory of 2644	2668	Dnpciaef.exe	34
PID 2668 wrote to memory of 2644	2668	Dnpciaef.exe	34
PID 2668 wrote to memory of 2644	2668	Dnpciaef.exe	34
PID 2668 wrote to memory of 2644	2668	Dnpciaef.exe	34
PID 2644 wrote to memory of 2636	2644	Dpapaj32.exe	35
PID 2644 wrote to memory of 2636	2644	Dpapaj32.exe	35
PID 2644 wrote to memory of 2636	2644	Dpapaj32.exe	35
PID 2644 wrote to memory of 2636	2644	Dpapaj32.exe	35

C:\Users\Admin\AppData\Local\Temp\3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959.exe
"C:\Users\Admin\AppData\Local\Temp\3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\SysWOW64\Cjakccop.exe
  C:\Windows\system32\Cjakccop.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\Cmpgpond.exe
    C:\Windows\system32\Cmpgpond.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\SysWOW64\Dnpciaef.exe
      C:\Windows\system32\Dnpciaef.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2644
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 144
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cjakccop.exe

Filesize
90KB

MD5
a41027fd233ec70e6f9c3852dc22cc6c

SHA1
b66690207bac23560e3144757c1afc8a2f593546

SHA256
4851d3ab5fe79c1fb9bec8f647253cc4bc1282c780c064fa836c219aa5a4525e

SHA512
36c3976e0df7d831e6a0adc93df63d9988f90354feaeffc0b2f6060dcc001a958b1d3beace8c1af220f9cb7132524be12401dbd5618ed6774bd8518d426284f2

Download Submit
\Windows\SysWOW64\Cmpgpond.exe

Filesize
90KB

MD5
a437c073402883a6f339e2e746da1cbf

SHA1
2bce958d6114f813591f408e429b9fd52fd599a9

SHA256
b6117825905832ad949a184e6a124849b12fcb468483ed537788beb624b696a3

SHA512
d8871f0af9481a09ba91bbfb2e0d7e9243c52ece2a1f0565eb832d07df18b86fef5685e69b2d7516629d3cc2b23474a3d3e8b6a38d713a0cd5516bb4eedafc8d

Download Submit
\Windows\SysWOW64\Dnpciaef.exe

Filesize
90KB

MD5
f51b797788193e077325a952317673f6

SHA1
baeb964660f1ede9485b9de1a3d075208f72cd04

SHA256
e625621702b128b58d1c65fe2ab2449864694c391d18064aeea8765fd129c0a5

SHA512
00f8f644455a219f0d51bd1dc23265568342a3019da8270857c6ed0c09e0c50f1c59fae0f6a1f43044def76469230c47230f11c79f4d3e9da1f4cfe820eef80e

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
90KB

MD5
62e9a74ac098319228b2d73087c4ec92

SHA1
2590a21dec6c91a503084beadc81f6063c21a8f7

SHA256
528173c0759031d9a55b07133de730bbc5627e9ff83f2e7feab9688cf258e5bb

SHA512
e305a097e8ed00914dd053cede439bd272ad4db75f0457ca42adc7d2cacdff7dff8641995c40ee3af74e37f1f09c4985066fb3c239c0c169b11f9046a5d14b91

Download Submit
memory/2056-26-0x0000000000290000-0x00000000002CD000-memory.dmp

Filesize
244KB

Download
memory/2056-25-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2196-27-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2196-34-0x0000000000300000-0x000000000033D000-memory.dmp

Filesize
244KB

Download
memory/2196-60-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2436-23-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2436-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2436-62-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2644-53-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2644-63-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2668-61-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads