Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
30-12-2024 16:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-12-30_e97546fd54449defcddfb83bcda3a054_smoke-loader_wapomi.exe
Resource
win7-20240903-en
windows7-x64
11 signatures
150 seconds
General
-
Target
2024-12-30_e97546fd54449defcddfb83bcda3a054_smoke-loader_wapomi.exe
-
Size
36KB
-
MD5
e97546fd54449defcddfb83bcda3a054
-
SHA1
c1426b46a3fb091b330309e43cc7b25f49ffe389
-
SHA256
03b2ed45adef265a57d65250a6e7091583bd620284312e036aa6433ecdc5ac71
-
SHA512
d6d7b3050a4583676d9383b445ddbbff13a4a654aa6d5082326e8ac36b0e73a7104bef1151395806beab3dcb3076318e31b8e6330d164f4d137a49b9dbbe6744
-
SSDEEP
768:aA+m41HKUpOv068E4Mf4MMRt4MtV2n5NzQGPL4vzZq2o9W7GsxBbPr:aA+m6qqOcVEP87T2n5NkGCq2iW7z
Malware Config
Extracted
Family
bdaejec
C2
ddos.dnsnb8.net
Signatures
-
Bdaejec family
-
Detects Bdaejec Backdoor. 1 IoCs
Bdaejec is backdoor written in C++.
resource yara_rule behavioral1/memory/3032-16-0x00000000001C0000-0x00000000001C9000-memory.dmp family_bdaejec_backdoor -
resource yara_rule behavioral1/files/0x000700000001211a-4.dat aspack_v212_v242 -
Executes dropped EXE 1 IoCs
pid Process 3032 qdNbMo.exe -
Loads dropped DLL 2 IoCs
pid Process 2908 2024-12-30_e97546fd54449defcddfb83bcda3a054_smoke-loader_wapomi.exe 2908 2024-12-30_e97546fd54449defcddfb83bcda3a054_smoke-loader_wapomi.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE qdNbMo.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe qdNbMo.exe File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe qdNbMo.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe qdNbMo.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe qdNbMo.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe qdNbMo.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe qdNbMo.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe qdNbMo.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe qdNbMo.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe qdNbMo.exe File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe qdNbMo.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE qdNbMo.exe File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe qdNbMo.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe qdNbMo.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe qdNbMo.exe File opened for modification C:\Program Files\7-Zip\7z.exe qdNbMo.exe File opened for modification C:\Program Files\7-Zip\7zG.exe qdNbMo.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe qdNbMo.exe File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe qdNbMo.exe File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe qdNbMo.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe qdNbMo.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE qdNbMo.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE qdNbMo.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe qdNbMo.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe qdNbMo.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe qdNbMo.exe File opened for modification C:\Program Files\Java\jre7\bin\unpack200.exe qdNbMo.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\sidebar.exe qdNbMo.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe qdNbMo.exe File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe qdNbMo.exe File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe qdNbMo.exe File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe qdNbMo.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe qdNbMo.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe qdNbMo.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe qdNbMo.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe qdNbMo.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe qdNbMo.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe qdNbMo.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe qdNbMo.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE qdNbMo.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe qdNbMo.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe qdNbMo.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE qdNbMo.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe qdNbMo.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe qdNbMo.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe qdNbMo.exe File opened for modification C:\Program Files\Java\jre7\bin\javaw.exe qdNbMo.exe File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe qdNbMo.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe qdNbMo.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe qdNbMo.exe File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe qdNbMo.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe qdNbMo.exe File opened for modification C:\Program Files\Java\jre7\bin\javaws.exe qdNbMo.exe File opened for modification C:\Program Files\Java\jre7\bin\kinit.exe qdNbMo.exe File opened for modification C:\Program Files\Java\jre7\bin\rmiregistry.exe qdNbMo.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe qdNbMo.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java.exe qdNbMo.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe qdNbMo.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe qdNbMo.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe qdNbMo.exe File opened for modification C:\Program Files\Windows Mail\WinMail.exe qdNbMo.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe qdNbMo.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE qdNbMo.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe qdNbMo.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-12-30_e97546fd54449defcddfb83bcda3a054_smoke-loader_wapomi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qdNbMo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2908 2024-12-30_e97546fd54449defcddfb83bcda3a054_smoke-loader_wapomi.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2908 wrote to memory of 3032 2908 2024-12-30_e97546fd54449defcddfb83bcda3a054_smoke-loader_wapomi.exe 28 PID 2908 wrote to memory of 3032 2908 2024-12-30_e97546fd54449defcddfb83bcda3a054_smoke-loader_wapomi.exe 28 PID 2908 wrote to memory of 3032 2908 2024-12-30_e97546fd54449defcddfb83bcda3a054_smoke-loader_wapomi.exe 28 PID 2908 wrote to memory of 3032 2908 2024-12-30_e97546fd54449defcddfb83bcda3a054_smoke-loader_wapomi.exe 28 PID 3032 wrote to memory of 1684 3032 qdNbMo.exe 33 PID 3032 wrote to memory of 1684 3032 qdNbMo.exe 33 PID 3032 wrote to memory of 1684 3032 qdNbMo.exe 33 PID 3032 wrote to memory of 1684 3032 qdNbMo.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-12-30_e97546fd54449defcddfb83bcda3a054_smoke-loader_wapomi.exe"C:\Users\Admin\AppData\Local\Temp\2024-12-30_e97546fd54449defcddfb83bcda3a054_smoke-loader_wapomi.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Users\Admin\AppData\Local\Temp\qdNbMo.exeC:\Users\Admin\AppData\Local\Temp\qdNbMo.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\4752451d.bat" "3⤵
- System Location Discovery: System Language Discovery
PID:1684
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
187B
MD5735d0cd7a508822455cc3955800bc830
SHA1e93598551fecf3cc01ce601f4e03625d02592fb5
SHA2563872d4e8acf20fba38e2b3d192cee9628707485d86c22b856f15c5b0020cd0a6
SHA5125080eab6e34dec74a1953930e4af27acb3c9b60ef90d9cffa2970ef0433722eef8e0a8a6f152097d69f29ce64e54cce04ad3761047ef5696a7b260562471ed72
-
Filesize
15KB
MD556b2c3810dba2e939a8bb9fa36d3cf96
SHA199ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA2564354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA51227812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e