Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
03-01-2025 04:42
Behavioral task
behavioral1
Sample
JaffaCakes118_6a4d9da58e77bfcc0a29c2005f6f4d10.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
150 seconds
General
-
Target
JaffaCakes118_6a4d9da58e77bfcc0a29c2005f6f4d10.exe
-
Size
583KB
-
MD5
6a4d9da58e77bfcc0a29c2005f6f4d10
-
SHA1
0ac0130463faa523d1855fafa1ba6011159c00e2
-
SHA256
d9c82ca8aff109ea72072c57e3e03c5f8401c14d01ec4ae4cbcad35920ca9347
-
SHA512
12dc75c0f18efeeecd37245939bbcd852a804cb53ce038c0bd11e37666da89cb9703759188271ef1cdd2b6e40b20e189f8823378e1cebbcbe6fc76e544f90fc5
-
SSDEEP
12288:ZgCYxPVQ1KRLLIyDASbumfbKFsdrojwSzunLEjzaQ/K1V+qr:ZgCYQ1LGum4sx8Kofd/uV+w
Malware Config
Extracted
Family
bdaejec
C2
ddos.dnsnb8.net
Signatures
-
Bdaejec family
-
Detects Bdaejec Backdoor. 1 IoCs
Bdaejec is backdoor written in C++.
resource yara_rule behavioral2/memory/2472-15-0x0000000000620000-0x0000000000629000-memory.dmp family_bdaejec_backdoor -
resource yara_rule behavioral2/files/0x0008000000023c93-3.dat aspack_v212_v242 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation piUAvN.exe -
Executes dropped EXE 1 IoCs
pid Process 2472 piUAvN.exe -
resource yara_rule behavioral2/memory/2004-0-0x0000000000400000-0x0000000000586000-memory.dmp upx behavioral2/memory/2004-14-0x0000000000400000-0x0000000000586000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe piUAvN.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe piUAvN.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe piUAvN.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoasb.exe piUAvN.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe piUAvN.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE piUAvN.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe piUAvN.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.exe piUAvN.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe piUAvN.exe File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe piUAvN.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe piUAvN.exe File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe piUAvN.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE piUAvN.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe piUAvN.exe File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe piUAvN.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe piUAvN.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe piUAvN.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe piUAvN.exe File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe piUAvN.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe piUAvN.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe piUAvN.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe piUAvN.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe piUAvN.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoev.exe piUAvN.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE piUAvN.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe piUAvN.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe piUAvN.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe piUAvN.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe piUAvN.exe File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe piUAvN.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe piUAvN.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe piUAvN.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe piUAvN.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Solitaire.exe piUAvN.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe piUAvN.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe piUAvN.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE piUAvN.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe piUAvN.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\StoreExperienceHost.exe piUAvN.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\XboxIdp.exe piUAvN.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE piUAvN.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe piUAvN.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe piUAvN.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe piUAvN.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe piUAvN.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe piUAvN.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\unpack200.exe piUAvN.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE piUAvN.exe File opened for modification C:\Program Files\Windows Mail\wab.exe piUAvN.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe piUAvN.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe piUAvN.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe piUAvN.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe piUAvN.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe piUAvN.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe piUAvN.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe piUAvN.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe piUAvN.exe File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe piUAvN.exe File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe piUAvN.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java.exe piUAvN.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe piUAvN.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe piUAvN.exe File opened for modification C:\Program Files\dotnet\dotnet.exe piUAvN.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe piUAvN.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_6a4d9da58e77bfcc0a29c2005f6f4d10.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language piUAvN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2004 JaffaCakes118_6a4d9da58e77bfcc0a29c2005f6f4d10.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2004 wrote to memory of 2472 2004 JaffaCakes118_6a4d9da58e77bfcc0a29c2005f6f4d10.exe 83 PID 2004 wrote to memory of 2472 2004 JaffaCakes118_6a4d9da58e77bfcc0a29c2005f6f4d10.exe 83 PID 2004 wrote to memory of 2472 2004 JaffaCakes118_6a4d9da58e77bfcc0a29c2005f6f4d10.exe 83 PID 2472 wrote to memory of 5032 2472 piUAvN.exe 100 PID 2472 wrote to memory of 5032 2472 piUAvN.exe 100 PID 2472 wrote to memory of 5032 2472 piUAvN.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a4d9da58e77bfcc0a29c2005f6f4d10.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a4d9da58e77bfcc0a29c2005f6f4d10.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Users\Admin\AppData\Local\Temp\piUAvN.exeC:\Users\Admin\AppData\Local\Temp\piUAvN.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\15b2661b.bat" "3⤵
- System Location Discovery: System Language Discovery
PID:5032
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
187B
MD559229b6810471162a7c4cbfc089de51c
SHA103fcbc71f9691a2efc1c348e1ff2a07811a4c11b
SHA25645b178444351af284e2414e86164fa9d4f165ea9f5f5a2a0c206884984194a8e
SHA512fca2f2514678b2ceb9c0bf364aecab4d81b8ad704528ba8e2438f0faf137e3c4d7d035e6ab01b5be38e9fdda5f019eebb8ac680a314f6d7eb209da10a85da484
-
Filesize
15KB
MD556b2c3810dba2e939a8bb9fa36d3cf96
SHA199ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA2564354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA51227812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e