Analysis
-
max time kernel
122s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
22-01-2025 18:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2025-01-22_cd4de5071219ab738d2e99f38b6a51fe_smoke-loader_wapomi.exe
Resource
win7-20241010-en
windows7-x64
11 signatures
150 seconds
General
-
Target
2025-01-22_cd4de5071219ab738d2e99f38b6a51fe_smoke-loader_wapomi.exe
-
Size
36KB
-
MD5
cd4de5071219ab738d2e99f38b6a51fe
-
SHA1
061f86a2842deab17dd6a3a72e3c86e0ee4db727
-
SHA256
b2f8cdc583de0550643191b494af87f97e26947e673d4b8d43d12bebe5013313
-
SHA512
4e915636ea29bd363a57ef5233e152a46a055921b33378e5427a88041aea07be6fbe0601b32604448dd09c48e08c4dd7aa82c1813d7ee63d31b90f1d1281db9f
-
SSDEEP
768:aA+m41HKUpOv068E4Mf4MMRt4MtV2n5+uQGPL4vzZq2o9W7GsxBbPr:aA+m6qqOcVEP87T2n5+VGCq2iW7z
Malware Config
Extracted
Family
bdaejec
C2
ddos.dnsnb8.net
Signatures
-
Bdaejec family
-
Detects Bdaejec Backdoor. 2 IoCs
Bdaejec is backdoor written in C++.
resource yara_rule behavioral1/memory/2316-12-0x0000000000820000-0x0000000000829000-memory.dmp family_bdaejec_backdoor behavioral1/memory/2316-16-0x0000000000820000-0x0000000000829000-memory.dmp family_bdaejec_backdoor -
resource yara_rule behavioral1/files/0x0003000000018334-4.dat aspack_v212_v242 -
Executes dropped EXE 1 IoCs
pid Process 2316 bnDSGr.exe -
Loads dropped DLL 2 IoCs
pid Process 1064 2025-01-22_cd4de5071219ab738d2e99f38b6a51fe_smoke-loader_wapomi.exe 1064 2025-01-22_cd4de5071219ab738d2e99f38b6a51fe_smoke-loader_wapomi.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe bnDSGr.exe File opened for modification C:\Program Files\Windows Journal\Journal.exe bnDSGr.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe bnDSGr.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE bnDSGr.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe bnDSGr.exe File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe bnDSGr.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe bnDSGr.exe File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe bnDSGr.exe File opened for modification C:\Program Files\Windows Mail\wab.exe bnDSGr.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe bnDSGr.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe bnDSGr.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE bnDSGr.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe bnDSGr.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe bnDSGr.exe File opened for modification C:\Program Files\Java\jre7\bin\jabswitch.exe bnDSGr.exe File opened for modification C:\Program Files (x86)\Windows Mail\WinMail.exe bnDSGr.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe bnDSGr.exe File opened for modification C:\Program Files\Java\jre7\bin\kinit.exe bnDSGr.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\Hearts.exe bnDSGr.exe File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe bnDSGr.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE bnDSGr.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe bnDSGr.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe bnDSGr.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe bnDSGr.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\misc.exe bnDSGr.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE bnDSGr.exe File opened for modification C:\Program Files\7-Zip\7zG.exe bnDSGr.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe bnDSGr.exe File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe bnDSGr.exe File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe bnDSGr.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE bnDSGr.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE bnDSGr.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe bnDSGr.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe bnDSGr.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe bnDSGr.exe File opened for modification C:\Program Files\Java\jre7\bin\unpack200.exe bnDSGr.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe bnDSGr.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe bnDSGr.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe bnDSGr.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe bnDSGr.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe bnDSGr.exe File opened for modification C:\Program Files\Java\jre7\bin\java.exe bnDSGr.exe File opened for modification C:\Program Files\Java\jre7\bin\javaw.exe bnDSGr.exe File opened for modification C:\Program Files\Java\jre7\bin\jp2launcher.exe bnDSGr.exe File opened for modification C:\Program Files\Java\jre7\bin\rmiregistry.exe bnDSGr.exe File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe bnDSGr.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe bnDSGr.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe bnDSGr.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe bnDSGr.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe bnDSGr.exe File opened for modification C:\Program Files (x86)\Google\Update\Install\{C3A4D3BC-D67A-4D2A-B0ED-B4E62D27E02C}\chrome_installer.exe bnDSGr.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE bnDSGr.exe File opened for modification C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe bnDSGr.exe File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe bnDSGr.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE bnDSGr.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe bnDSGr.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe bnDSGr.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe bnDSGr.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe bnDSGr.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe bnDSGr.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE bnDSGr.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe bnDSGr.exe File opened for modification C:\Program Files (x86)\Windows Mail\wab.exe bnDSGr.exe File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe bnDSGr.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-01-22_cd4de5071219ab738d2e99f38b6a51fe_smoke-loader_wapomi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnDSGr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1064 2025-01-22_cd4de5071219ab738d2e99f38b6a51fe_smoke-loader_wapomi.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1064 wrote to memory of 2316 1064 2025-01-22_cd4de5071219ab738d2e99f38b6a51fe_smoke-loader_wapomi.exe 30 PID 1064 wrote to memory of 2316 1064 2025-01-22_cd4de5071219ab738d2e99f38b6a51fe_smoke-loader_wapomi.exe 30 PID 1064 wrote to memory of 2316 1064 2025-01-22_cd4de5071219ab738d2e99f38b6a51fe_smoke-loader_wapomi.exe 30 PID 1064 wrote to memory of 2316 1064 2025-01-22_cd4de5071219ab738d2e99f38b6a51fe_smoke-loader_wapomi.exe 30 PID 2316 wrote to memory of 2464 2316 bnDSGr.exe 34 PID 2316 wrote to memory of 2464 2316 bnDSGr.exe 34 PID 2316 wrote to memory of 2464 2316 bnDSGr.exe 34 PID 2316 wrote to memory of 2464 2316 bnDSGr.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-01-22_cd4de5071219ab738d2e99f38b6a51fe_smoke-loader_wapomi.exe"C:\Users\Admin\AppData\Local\Temp\2025-01-22_cd4de5071219ab738d2e99f38b6a51fe_smoke-loader_wapomi.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Users\Admin\AppData\Local\Temp\bnDSGr.exeC:\Users\Admin\AppData\Local\Temp\bnDSGr.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\0ac96be3.bat" "3⤵
- System Location Discovery: System Language Discovery
PID:2464
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
187B
MD5f3a430d388ff3397a6efd6c93357c12b
SHA1ed6a333554884db66bc025e57f4bd1b4100fb23a
SHA256e77c6e174e98548c5d74f92aa1c7056003cfa1f3532f11556f54d431515defcd
SHA512d6c0c8a6b6eb326b4a6e0a5193726bb4409adb2563fe889776038c1461e61529beadc109fdcc878a358bae81132f320455e710a37b77cf730d29e0f93f16d1b8
-
Filesize
15KB
MD556b2c3810dba2e939a8bb9fa36d3cf96
SHA199ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA2564354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA51227812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e