Analysis

  • max time kernel
    141s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-01-2025 22:49

General

  • Target

    JaffaCakes118_68b0b12f2c11a69b328dd5daccb2b630.exe

  • Size

    51KB

  • MD5

    68b0b12f2c11a69b328dd5daccb2b630

  • SHA1

    2ebc156bb93847d3ba00233b06b560046e1d1617

  • SHA256

    de1d475296a20b5b797576dfeb9f5b9936d5b0ca757c27637a63cec022d38e6f

  • SHA512

    4c23ccf54e5a4cce1a2d177432eaf58e44a0c9a97b47405650769752defafd04cece4670a303be7e7787209f1dc07b5ab7db89e7aef7ceebee69eb5ce17d7076

  • SSDEEP

    768:2aVccV3nL7FsbsrSCrtOtS6Y8cXB41VjsTaXx4ln3GahaU5YOFgzum64WDG9xzbz:2aVf3smSCZOtS6YhX0JlahaqYN1WDG

Malware Config

Extracted

Family

bdaejec

C2

1.dnsnb8.net

Signatures

  • Bdaejec

    Bdaejec is a backdoor written in C++.

  • Bdaejec family
  • Detects Bdaejec Backdoor. 2 IoCs

    Bdaejec is a backdoor written in C++.

  • Detected Nirsoft tools 1 IoCs

    Free utilities, often used by attackers, which can steal passwords, product keys, etc.

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68b0b12f2c11a69b328dd5daccb2b630.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68b0b12f2c11a69b328dd5daccb2b630.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\7c470a2b.exe
      C:\7c470a2b.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\478e20a1.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2228

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\7c470a2b.exe

    Filesize

    15KB

    MD5

    7c78851bb457abba075130b87770bc9c

    SHA1

    d014455f399b9c55b8dd5b814cf0ec36d7be3dfc

    SHA256

    1b88641dbbf0ee8456d45ce2f7d5c9fb8ce000a116c867adcd5585a9a5fdc90d

    SHA512

    825fceae42b0de39a442f046bd3823133f0409fcb1aedb7fdb7fd3a2763e3c76742ec13b14d657b522f64c7f6d5577063f49913df43cbaf608a7fe9916f2ea56

  • C:\Users\Admin\AppData\Local\Temp\478e20a1.bat

    Filesize

    129B

    MD5

    c6566bc8806c2215bf37d32ef2c607c9

    SHA1

    5e3fc0fe43edbc5a5e99abc316571e2fee1774b2

    SHA256

    d7fbb954572735ef8d36f47a239dcc0f0418563495a01b51be25a5bda506e6e4

    SHA512

    85de29cf35d6f27d43f874a90ad1d5deb8b052667284c494712c91ed97b75ffcaf195dae8ef50e3684216914025d86e7d3ac070fabd34727a064ad51de7e7196

  • memory/2716-0-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2716-7-0x00000000002A0000-0x00000000002A9000-memory.dmp

    Filesize

    36KB

  • memory/2716-6-0x00000000002A0000-0x00000000002A9000-memory.dmp

    Filesize

    36KB

  • memory/2716-13-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2716-30-0x00000000002A0000-0x00000000002A9000-memory.dmp

    Filesize

    36KB

  • memory/2716-29-0x00000000002A0000-0x00000000002A9000-memory.dmp

    Filesize

    36KB

  • memory/2792-10-0x00000000002A0000-0x00000000002A9000-memory.dmp

    Filesize

    36KB

  • memory/2792-15-0x00000000002A0000-0x00000000002A9000-memory.dmp

    Filesize

    36KB