Analysis

  • max time kernel: 149s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 02-01-2025 22:49

General

  • Target: JaffaCakes118_68b0b12f2c11a69b328dd5daccb2b630.exe
  • Size: 51KB
  • MD5: 68b0b12f2c11a69b328dd5daccb2b630
  • SHA1: 2ebc156bb93847d3ba00233b06b560046e1d1617
  • SHA256: de1d475296a20b5b797576dfeb9f5b9936d5b0ca757c27637a63cec022d38e6f
  • SHA512: 4c23ccf54e5a4cce1a2d177432eaf58e44a0c9a97b47405650769752defafd04cece4670a303be7e7787209f1dc07b5ab7db89e7aef7ceebee69eb5ce17d7076
  • SSDEEP: 768:2aVccV3nL7FsbsrSCrtOtS6Y8cXB41VjsTaXx4ln3GahaU5YOFgzum64WDG9xzbz:2aVf3smSCZOtS6YhX0JlahaqYN1WDG

Malware Config

Extracted

  • Family: bdaejec
  • C2: 1.dnsnb8.net

Signatures

  • Bdaejec

    Bdaejec is a backdoor written in C++.

  • Bdaejec family
  • Detects Bdaejec Backdoor. 1 IoCs

    Bdaejec is a backdoor written in C++.

  • Detected Nirsoft tools 1 IoCs

    Free utilities, often used by attackers, that can steal passwords, product keys, etc.

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68b0b12f2c11a69b328dd5daccb2b630.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68b0b12f2c11a69b328dd5daccb2b630.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1760
    • C:\7c470a2b.exe
      C:\7c470a2b.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3544
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\32d04e9d.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1736

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\7c470a2b.exe
    Filesize: 15KB
    MD5: 7c78851bb457abba075130b87770bc9c
    SHA1: d014455f399b9c55b8dd5b814cf0ec36d7be3dfc
    SHA256: 1b88641dbbf0ee8456d45ce2f7d5c9fb8ce000a116c867adcd5585a9a5fdc90d
    SHA512: 825fceae42b0de39a442f046bd3823133f0409fcb1aedb7fdb7fd3a2763e3c76742ec13b14d657b522f64c7f6d5577063f49913df43cbaf608a7fe9916f2ea56

  • C:\Users\Admin\AppData\Local\Temp\32d04e9d.bat
    Filesize: 129B
    MD5: 4c9b280d82170c30dc6e567010fab369
    SHA1: 098e11bbbc7746533c24790c24b4396b02746102
    SHA256: 0d1192188c1e1db3ffe6f7d81da1c0f911312a2f8cba43c2ded69f196f6c04f6
    SHA512: 07f56737fa4d2dca2272f3d7fbfe8d656dd35fb698fbf4efa13e0141d4d299fd603d64c07ce6b70a87d43d2e270702d64a232734ba5021d609657ba7af0726d2

  • memory/1760-0-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize: 108KB

  • memory/1760-7-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize: 108KB

  • memory/3544-4-0x0000000000A60000-0x0000000000A69000-memory.dmp
    Filesize: 36KB

  • memory/3544-9-0x0000000000A60000-0x0000000000A69000-memory.dmp
    Filesize: 36KB