bdaejec | e88ad222b67ee218a7371500949ce9917d59f4cdf94d54f6fdd20000351ab817

Analysis

max time kernel
130s
max time network
119s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
24/02/2025, 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-24_39a783677500d7d0aa61935d742a2060_mafia_wapomi.exe
Size

187KB
MD5

39a783677500d7d0aa61935d742a2060
SHA1

be14a4db64147ff65786cbedb576e4e628cadf35
SHA256

e88ad222b67ee218a7371500949ce9917d59f4cdf94d54f6fdd20000351ab817
SHA512

543cfea947f79d5e2d51e4aa136633cc23b3d07d9436a7f37cb24741bbf84a55daa1872bc7a5378ae82924ab83f8c96b752d15bbdc981165b8ad860241ebd1f9
SSDEEP

3072:uLKCpw8DA3Yr3mUOJfXEEZnRCI3AXny/Hj8LG4MVj/FIgW6dvn3mxIOUGCH:e83YLmUOFXEEZnRCI3AXny/Hj8LG4ujs

Score

10^/10

bdaejec aspackv2 backdoor discovery

Malware Config

Extracted

Family

bdaejec

ddos.dnsnb8.net

Signatures

Bdaejec
Bdaejec is a backdoor written in C++.
backdoor bdaejec
Bdaejec family
bdaejec

Detects Bdaejec Backdoor. 1 IoCs

Bdaejec is backdoor written in C++.

resource	yara_rule
behavioral1/memory/2232-20-0x0000000000B20000-0x0000000000B29000-memory.dmp	family_bdaejec_backdoor

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00460000000120f4-9.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
2232	IzXWxt.exe

Loads dropped DLL 2 IoCs

pid	Process
2260	2025-02-24_39a783677500d7d0aa61935d742a2060_mafia_wapomi.exe
2260	2025-02-24_39a783677500d7d0aa61935d742a2060_mafia_wapomi.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Windows Journal\PDIALOG.exe	IzXWxt.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{06715A9D-70D2-4C5C-9F8A-D2392905D83D}\chrome_installer.exe	IzXWxt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	IzXWxt.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	IzXWxt.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	IzXWxt.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	IzXWxt.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	IzXWxt.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	IzXWxt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	IzXWxt.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\sidebar.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	IzXWxt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	IzXWxt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	IzXWxt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	IzXWxt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	IzXWxt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	IzXWxt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe	IzXWxt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	IzXWxt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	IzXWxt.exe
File opened for modification	C:\Program Files\Windows Mail\WinMail.exe	IzXWxt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE	IzXWxt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-24_39a783677500d7d0aa61935d742a2060_mafia_wapomi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IzXWxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2232	2260	2025-02-24_39a783677500d7d0aa61935d742a2060_mafia_wapomi.exe	31
PID 2260 wrote to memory of 2232	2260	2025-02-24_39a783677500d7d0aa61935d742a2060_mafia_wapomi.exe	31
PID 2260 wrote to memory of 2232	2260	2025-02-24_39a783677500d7d0aa61935d742a2060_mafia_wapomi.exe	31
PID 2260 wrote to memory of 2232	2260	2025-02-24_39a783677500d7d0aa61935d742a2060_mafia_wapomi.exe	31
PID 2232 wrote to memory of 1284	2232	IzXWxt.exe	35
PID 2232 wrote to memory of 1284	2232	IzXWxt.exe	35
PID 2232 wrote to memory of 1284	2232	IzXWxt.exe	35
PID 2232 wrote to memory of 1284	2232	IzXWxt.exe	35

C:\Users\Admin\AppData\Local\Temp\2025-02-24_39a783677500d7d0aa61935d742a2060_mafia_wapomi.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-24_39a783677500d7d0aa61935d742a2060_mafia_wapomi.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\IzXWxt.exe
  C:\Users\Admin\AppData\Local\Temp\IzXWxt.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\6b623693.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6b623693.bat

Filesize
187B

MD5
ecd064c07b6635ff965a8a692ff85bf2

SHA1
7a03e3626cb89b20e9b324e82c04e77d1abe4c53

SHA256
2aa9cce1b66482550daf90be268f5035670b2f6ca739f4a7a536dcfd8e5486d0

SHA512
c16d6a12219b59496971b63ece252824c85fb3561cca2055b5aa4271b411a64e5067b52f182e7c4f36d92ddf633f36e2f0a974782a462993ae1805bbf931aea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IzXWxt.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
memory/2232-10-0x0000000000B20000-0x0000000000B29000-memory.dmp

Filesize
36KB

Download
memory/2232-20-0x0000000000B20000-0x0000000000B29000-memory.dmp

Filesize
36KB

Download
memory/2260-0-0x0000000000A60000-0x0000000000A95000-memory.dmp

Filesize
212KB

Download
memory/2260-8-0x0000000000A60000-0x0000000000A95000-memory.dmp

Filesize
212KB

Download