bdaejec | e13c94e813fd3da26f23f6029e6b46d607a0a465fc4f898f4893e927e7a8b205

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03/02/2025, 03:33 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-03_fe92ccb3a6f9d06f24cadd44211525d2_smoke-loader_wapomi.exe
Size

24KB
MD5

fe92ccb3a6f9d06f24cadd44211525d2
SHA1

a392460b01e5a41bf26ac70261a55a82308d2d92
SHA256

e13c94e813fd3da26f23f6029e6b46d607a0a465fc4f898f4893e927e7a8b205
SHA512

fe45e6410730d20fb44bdd3719f300c77d2378c8c04c1289f8b001c3c75b42ebd0b04ff0c863d13d45a7067df78dc37f6a53bb47dd7a26bfcec7ddde507877c7
SSDEEP

384:vVMEEDYM3MVAgrgBScXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9Pffr:vGE4YM32A4H8QGPL4vzZq2o9W7GsxBbz

Score

10^/10

bdaejec aspackv2 backdoor discovery

Malware Config

Extracted

Family

bdaejec

ddos.dnsnb8.net

Signatures

Bdaejec
Bdaejec is a backdoor written in C++.
backdoor bdaejec
Bdaejec family
bdaejec

Detects Bdaejec Backdoor. 2 IoCs

Bdaejec is backdoor written in C++.

resource	yara_rule
behavioral1/memory/3068-12-0x0000000000B50000-0x0000000000B59000-memory.dmp	family_bdaejec_backdoor
behavioral1/memory/3068-15-0x0000000000B50000-0x0000000000B59000-memory.dmp	family_bdaejec_backdoor

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00080000000120fb-2.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
3068	IvxcQ.exe

Loads dropped DLL 2 IoCs

pid	Process
2404	2025-02-03_fe92ccb3a6f9d06f24cadd44211525d2_smoke-loader_wapomi.exe
2404	2025-02-03_fe92ccb3a6f9d06f24cadd44211525d2_smoke-loader_wapomi.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	IvxcQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE	IvxcQ.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	IvxcQ.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	IvxcQ.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	IvxcQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE	IvxcQ.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	IvxcQ.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	IvxcQ.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	IvxcQ.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	IvxcQ.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\Hearts.exe	IvxcQ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	IvxcQ.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	IvxcQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	IvxcQ.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	IvxcQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	IvxcQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE	IvxcQ.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE	IvxcQ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	IvxcQ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	IvxcQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	IvxcQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	IvxcQ.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	IvxcQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-03_fe92ccb3a6f9d06f24cadd44211525d2_smoke-loader_wapomi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IvxcQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 3068	2404	2025-02-03_fe92ccb3a6f9d06f24cadd44211525d2_smoke-loader_wapomi.exe	30
PID 2404 wrote to memory of 3068	2404	2025-02-03_fe92ccb3a6f9d06f24cadd44211525d2_smoke-loader_wapomi.exe	30
PID 2404 wrote to memory of 3068	2404	2025-02-03_fe92ccb3a6f9d06f24cadd44211525d2_smoke-loader_wapomi.exe	30
PID 2404 wrote to memory of 3068	2404	2025-02-03_fe92ccb3a6f9d06f24cadd44211525d2_smoke-loader_wapomi.exe	30
PID 3068 wrote to memory of 2312	3068	IvxcQ.exe	33
PID 3068 wrote to memory of 2312	3068	IvxcQ.exe	33
PID 3068 wrote to memory of 2312	3068	IvxcQ.exe	33
PID 3068 wrote to memory of 2312	3068	IvxcQ.exe	33

C:\Users\Admin\AppData\Local\Temp\2025-02-03_fe92ccb3a6f9d06f24cadd44211525d2_smoke-loader_wapomi.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-03_fe92ccb3a6f9d06f24cadd44211525d2_smoke-loader_wapomi.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\IvxcQ.exe
  C:\Users\Admin\AppData\Local\Temp\IvxcQ.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\1285060a.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2312

Network

DNS

ddos.dnsnb8.net

IvxcQ.exe

Remote address:

8.8.8.8:53

Request

ddos.dnsnb8.net

IN A

Response

ddos.dnsnb8.net

IN A

44.221.84.105

44.221.84.105:799

ddos.dnsnb8.net

IvxcQ.exe

152 B
3
44.221.84.105:799

ddos.dnsnb8.net

IvxcQ.exe

152 B
3
44.221.84.105:799

ddos.dnsnb8.net

IvxcQ.exe

152 B
3
44.221.84.105:799

ddos.dnsnb8.net

IvxcQ.exe

152 B
3
44.221.84.105:799

ddos.dnsnb8.net

IvxcQ.exe

152 B
3

8.8.8.8:53

ddos.dnsnb8.net

dns

IvxcQ.exe

61 B
77 B
1
1

DNS Request

ddos.dnsnb8.net

DNS Response

44.221.84.105

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1285060a.bat

Filesize
185B

MD5
397844dde6acd2b811c266806f2a2dab

SHA1
f227279a995714dc624a80e69c3f1068568db4a3

SHA256
28d5a30f36ec0faa3f402d57264272a1ad20411cf99ec81238698b9d6f8ead2f

SHA512
598eb6c11a07394db66db0ef34ede4d9b056a9786b4890ccad0c1656e0404ae11b88f37e74c447eb71804e3206aeea0fee5f66fc52dac8b6c07052d682b79b88

Download Submit
\Users\Admin\AppData\Local\Temp\IvxcQ.exe

Filesize
15KB

MD5
f7d21de5c4e81341eccd280c11ddcc9a

SHA1
d4e9ef10d7685d491583c6fa93ae5d9105d815bd

SHA256
4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794

SHA512
e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

Download Submit
memory/2404-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2404-3-0x0000000000B50000-0x0000000000B59000-memory.dmp

Filesize
36KB

Download
memory/2404-10-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3068-12-0x0000000000B50000-0x0000000000B59000-memory.dmp

Filesize
36KB

Download
memory/3068-15-0x0000000000B50000-0x0000000000B59000-memory.dmp

Filesize
36KB

Download