Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04-01-2025 21:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
JaffaCakes118_7bc389ac07539c93fd25d5693a4d45a0.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
General
-
Target
JaffaCakes118_7bc389ac07539c93fd25d5693a4d45a0.exe
-
Size
26KB
-
MD5
7bc389ac07539c93fd25d5693a4d45a0
-
SHA1
a7e0f7acf74a72a1ee970ab7dbdae0efbc30477a
-
SHA256
988d1264a79fd5cf58e798451e97f8aab7f99b4cdfea06cf1a33d316442cf2a5
-
SHA512
9809780bf8c5cfb48444ea85afa6fd8b57bc1352109d32c2e07b1c550bf4b2019eb1f9632baaa562fa2e40b91934a31025a057fd42c62420ee574e5cd9d14a0d
-
SSDEEP
768:UdKs0+2vhZRQGPL4vzZq2o9W7GsxBbPr:Zf5hZWGCq2iW7z
Malware Config
Extracted
Family
bdaejec
C2
ddos.dnsnb8.net
Signatures
-
Bdaejec family
-
Detects Bdaejec Backdoor. 1 IoCs
Bdaejec is backdoor written in C++.
resource yara_rule behavioral2/memory/2056-8-0x0000000000250000-0x0000000000259000-memory.dmp family_bdaejec_backdoor -
resource yara_rule behavioral2/files/0x000a000000023c08-3.dat aspack_v212_v242 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation LDmRmJm.exe -
Executes dropped EXE 1 IoCs
pid Process 2056 LDmRmJm.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE LDmRmJm.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe LDmRmJm.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe LDmRmJm.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe LDmRmJm.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe LDmRmJm.exe File opened for modification C:\Program Files\Windows Mail\wab.exe LDmRmJm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\WindowsCamera.exe LDmRmJm.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe LDmRmJm.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe LDmRmJm.exe File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe LDmRmJm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe LDmRmJm.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe LDmRmJm.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe LDmRmJm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\XboxIdp.exe LDmRmJm.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe LDmRmJm.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe LDmRmJm.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE LDmRmJm.exe File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe LDmRmJm.exe File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe LDmRmJm.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe LDmRmJm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.exe LDmRmJm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe LDmRmJm.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe LDmRmJm.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe LDmRmJm.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe LDmRmJm.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\javaw.exe LDmRmJm.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe LDmRmJm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.exe LDmRmJm.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe LDmRmJm.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe LDmRmJm.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe LDmRmJm.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe LDmRmJm.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe LDmRmJm.exe File opened for modification C:\Program Files\7-Zip\7z.exe LDmRmJm.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE LDmRmJm.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE LDmRmJm.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe LDmRmJm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerElevatedAppServiceClient.exe LDmRmJm.exe File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe LDmRmJm.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe LDmRmJm.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\xjc.exe LDmRmJm.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe LDmRmJm.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe LDmRmJm.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe LDmRmJm.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe LDmRmJm.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe LDmRmJm.exe File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe LDmRmJm.exe File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe LDmRmJm.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE LDmRmJm.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE LDmRmJm.exe File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe LDmRmJm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.exe LDmRmJm.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe LDmRmJm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe LDmRmJm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe LDmRmJm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe LDmRmJm.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE LDmRmJm.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe LDmRmJm.exe File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe LDmRmJm.exe File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe LDmRmJm.exe File opened for modification C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe LDmRmJm.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe LDmRmJm.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe LDmRmJm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe LDmRmJm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_7bc389ac07539c93fd25d5693a4d45a0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LDmRmJm.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1100 wrote to memory of 2056 1100 JaffaCakes118_7bc389ac07539c93fd25d5693a4d45a0.exe 82 PID 1100 wrote to memory of 2056 1100 JaffaCakes118_7bc389ac07539c93fd25d5693a4d45a0.exe 82 PID 1100 wrote to memory of 2056 1100 JaffaCakes118_7bc389ac07539c93fd25d5693a4d45a0.exe 82 PID 2056 wrote to memory of 2972 2056 LDmRmJm.exe 92 PID 2056 wrote to memory of 2972 2056 LDmRmJm.exe 92 PID 2056 wrote to memory of 2972 2056 LDmRmJm.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7bc389ac07539c93fd25d5693a4d45a0.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7bc389ac07539c93fd25d5693a4d45a0.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Users\Admin\AppData\Local\Temp\LDmRmJm.exeC:\Users\Admin\AppData\Local\Temp\LDmRmJm.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\144c5285.bat" "3⤵
- System Location Discovery: System Language Discovery
PID:2972
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
189B
MD5c3671d4eb76c97af9d796839f027dea8
SHA1f8c1b3b4cf2612a75bccb5f2aabf5d7404edca07
SHA25612027eb6314c2976336a9325c7eedd46710e6a2330344505729698aaf71c4639
SHA512fe50ed8eaf3dc201cdc6455f7ab00e44f0444cf0729849e300fa9b2913c578d8f28877de4f0dfadbc3efdf1155be0cdfb939aefac8481074e50f559d6e7d606c
-
Filesize
15KB
MD556b2c3810dba2e939a8bb9fa36d3cf96
SHA199ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA2564354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA51227812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e