Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 28-12-2024 08:31
Static task: static1
Behavioral task: behavioral1
Sample: 2024-12-28_ac90e952b3508491540fd42dfec638cf_mafia_wapomi.exe
Resource: win7-20240903-en
General
Target: 2024-12-28_ac90e952b3508491540fd42dfec638cf_mafia_wapomi.exe
Size: 187KB
MD5: ac90e952b3508491540fd42dfec638cf
SHA1: aebe6fe632a0edcab4ee320d7de3b0a691373336
SHA256: 8dab5f1113bde28029437a289054e66212202e3490664562f16833dfdbe174a7
SHA512: 83f5769910737f8aecb41dcc0c8afbf90af36503102999badb7a0bd59a53b603cfea530aafaddd986318fa510081d54b3e510439bcf877352f77f0090664eee3
SSDEEP: 3072:uLKCpw8DA3Yr3mUOJfXEEZnRCI3AXny/Hj8LG4MVj/FIgW6dvn3mxIO3GCH:e83YLmUOFXEEZnRCI3AXny/Hj8LG4ujb
Malware Config
Extracted
bdaejec
ddos.dnsnb8.net
Signatures
Bdaejec family
Detects Bdaejec Backdoor. 2 IoCs
Bdaejec is a backdoor written in C++.
resource  yara_rule
behavioral1/memory/996-12-0x0000000000860000-0x0000000000869000-memory.dmp  family_bdaejec_backdoor
behavioral1/memory/996-15-0x0000000000860000-0x0000000000869000-memory.dmp  family_bdaejec_backdoor
resource  yara_rule
behavioral1/files/0x00080000000120f9-2.dat  aspack_v212_v242
Executes dropped EXE 1 IoCs
pid  Process
996  Srkhxf.exe
Loads dropped DLL 2 IoCs
pid  Process
2148  2024-12-28_ac90e952b3508491540fd42dfec638cf_mafia_wapomi.exe
2148  2024-12-28_ac90e952b3508491540fd42dfec638cf_mafia_wapomi.exe
Drops file in Program Files directory 64 IoCs
description  ioc  Process
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Java\jre7\bin\javaw.exe  Srkhxf.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE  Srkhxf.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe  Srkhxf.exe
File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe  Srkhxf.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe  Srkhxf.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE  Srkhxf.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE  Srkhxf.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE  Srkhxf.exe
File opened for modification  C:\Program Files\7-Zip\7zFM.exe  Srkhxf.exe
File opened for modification  C:\Program Files\DVD Maker\DVDMaker.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Java\jre7\bin\java.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Java\jre7\bin\klist.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Java\jre7\bin\servertool.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe  Srkhxf.exe
File opened for modification  C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Windows Mail\wab.exe  Srkhxf.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE  Srkhxf.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe  Srkhxf.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE  Srkhxf.exe
File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Microsoft Games\Hearts\Hearts.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Mozilla Firefox\maintenanceservice.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Windows Journal\PDIALOG.exe  Srkhxf.exe
File opened for modification  C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\java.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Java\jre7\bin\ktab.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Java\jre7\bin\rmiregistry.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Mozilla Firefox\default-browser-agent.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Mozilla Firefox\uninstall\helper.exe  Srkhxf.exe
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe  Srkhxf.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE  Srkhxf.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Windows Journal\Journal.exe  Srkhxf.exe
File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe  Srkhxf.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE  Srkhxf.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE  Srkhxf.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Java\jre7\bin\javaws.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Mozilla Firefox\minidump-analyzer.exe  Srkhxf.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe  Srkhxf.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE  Srkhxf.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\chrome_proxy.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe  Srkhxf.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe  Srkhxf.exe
File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe  Srkhxf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2024-12-28_ac90e952b3508491540fd42dfec638cf_mafia_wapomi.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Srkhxf.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Suspicious use of WriteProcessMemory 8 IoCs
description  pid  Process  procid_target
PID 2148 wrote to memory of 996  2148  2024-12-28_ac90e952b3508491540fd42dfec638cf_mafia_wapomi.exe  31
PID 2148 wrote to memory of 996  2148  2024-12-28_ac90e952b3508491540fd42dfec638cf_mafia_wapomi.exe  31
PID 2148 wrote to memory of 996  2148  2024-12-28_ac90e952b3508491540fd42dfec638cf_mafia_wapomi.exe  31
PID 2148 wrote to memory of 996  2148  2024-12-28_ac90e952b3508491540fd42dfec638cf_mafia_wapomi.exe  31
PID 996 wrote to memory of 1612  996  Srkhxf.exe  35
PID 996 wrote to memory of 1612  996  Srkhxf.exe  35
PID 996 wrote to memory of 1612  996  Srkhxf.exe  35
PID 996 wrote to memory of 1612  996  Srkhxf.exe  35
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-12-28_ac90e952b3508491540fd42dfec638cf_mafia_wapomi.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-28_ac90e952b3508491540fd42dfec638cf_mafia_wapomi.exe"
   PID: 2148
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Srkhxf.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\Srkhxf.exe
      PID: 996
      - Executes dropped EXE
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\3a421de6.bat" "
         PID: 1612
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 187B
MD5: 9ec9d1b616c175abd382bc167e96a603
SHA1: 8c401de27f20896b61358ad3d63fd8409e2e039d
SHA256: 41b0ee1d8a67d5b961a11119a5e4e0adc33259e6972a3a70ae43f9afda3baafd
SHA512: 9589832efb0e83f3915765c352222f741c97ff60bf6cf407129b718fe662b6fe34e8507af1d0184fa065041cd78fa3f72e88aab9373913eaae271965bd5347f3

Filesize: 15KB
MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e