Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
24/02/2025, 10:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2025-02-24_d4ad85f9df962163805262b0e557efc0_smoke-loader_wapomi.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
General
-
Target
2025-02-24_d4ad85f9df962163805262b0e557efc0_smoke-loader_wapomi.exe
-
Size
203KB
-
MD5
d4ad85f9df962163805262b0e557efc0
-
SHA1
b3f538247b2a75f0300b7d4ece5141ca422f1058
-
SHA256
4eab01f195a931a5604c4639ff84f7b66621346f0f0a833512f9515d0c0e958e
-
SHA512
901e452adbf7936da7b292138ad63c10626d970a6a3e9adbdb7942baa53440aeba6c2045c2b5394dd39eb0e3162b91dd11453f23dca37bafa1661edc98d3c5d1
-
SSDEEP
3072:v1TlCN3DeL0dA/VkvpS6zpQDt0v2E6LGHxdOWTtDwqytR2TBf9AqqpUwIyGCH:BlGXd4OvDzewKLGHj0qTBlznBT
Malware Config
Extracted
Family
bdaejec
C2
ddos.dnsnb8.net
Signatures
-
Bdaejec family
-
Detects Bdaejec Backdoor. 1 IoCs
Bdaejec is backdoor written in C++.
resource yara_rule behavioral1/memory/2400-17-0x0000000000090000-0x0000000000099000-memory.dmp family_bdaejec_backdoor -
resource yara_rule behavioral1/files/0x000b000000012245-10.dat aspack_v212_v242 -
Executes dropped EXE 1 IoCs
pid Process 2400 ptjIGU.exe -
Loads dropped DLL 2 IoCs
pid Process 1628 2025-02-24_d4ad85f9df962163805262b0e557efc0_smoke-loader_wapomi.exe 1628 2025-02-24_d4ad85f9df962163805262b0e557efc0_smoke-loader_wapomi.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jre7\bin\policytool.exe ptjIGU.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe ptjIGU.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe ptjIGU.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe ptjIGU.exe File opened for modification C:\Program Files\Java\jre7\bin\jabswitch.exe ptjIGU.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe ptjIGU.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE ptjIGU.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE ptjIGU.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE ptjIGU.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\sidebar.exe ptjIGU.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe ptjIGU.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe ptjIGU.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe ptjIGU.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe ptjIGU.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe ptjIGU.exe File opened for modification C:\Program Files\Java\jre7\bin\rmiregistry.exe ptjIGU.exe File opened for modification C:\Program Files\Java\jre7\bin\unpack200.exe ptjIGU.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe ptjIGU.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe ptjIGU.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe ptjIGU.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe ptjIGU.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe ptjIGU.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe ptjIGU.exe File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe ptjIGU.exe File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe ptjIGU.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe ptjIGU.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe ptjIGU.exe File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe ptjIGU.exe File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe ptjIGU.exe File opened for modification C:\Program Files\Microsoft Games\Chess\Chess.exe ptjIGU.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe ptjIGU.exe File opened for modification C:\Program Files\Windows Mail\WinMail.exe ptjIGU.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe ptjIGU.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE ptjIGU.exe File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe ptjIGU.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe ptjIGU.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe ptjIGU.exe File opened for modification C:\Program Files\Windows Journal\Journal.exe ptjIGU.exe File opened for modification C:\Program Files (x86)\Google\Update\Install\{5059450D-F254-431C-8EC5-1212E61F2D77}\chrome_installer.exe ptjIGU.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE ptjIGU.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE ptjIGU.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE ptjIGU.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe ptjIGU.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe ptjIGU.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe ptjIGU.exe File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe ptjIGU.exe File opened for modification C:\Program Files\Windows Photo Viewer\ImagingDevices.exe ptjIGU.exe File opened for modification C:\Program Files\Windows Sidebar\sidebar.exe ptjIGU.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe ptjIGU.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE ptjIGU.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe ptjIGU.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe ptjIGU.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE ptjIGU.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE ptjIGU.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe ptjIGU.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe ptjIGU.exe File opened for modification C:\Program Files\Windows Journal\PDIALOG.exe ptjIGU.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe ptjIGU.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE ptjIGU.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE ptjIGU.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE ptjIGU.exe File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe ptjIGU.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe ptjIGU.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe ptjIGU.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-02-24_d4ad85f9df962163805262b0e557efc0_smoke-loader_wapomi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ptjIGU.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1628 wrote to memory of 2400 1628 2025-02-24_d4ad85f9df962163805262b0e557efc0_smoke-loader_wapomi.exe 30 PID 1628 wrote to memory of 2400 1628 2025-02-24_d4ad85f9df962163805262b0e557efc0_smoke-loader_wapomi.exe 30 PID 1628 wrote to memory of 2400 1628 2025-02-24_d4ad85f9df962163805262b0e557efc0_smoke-loader_wapomi.exe 30 PID 1628 wrote to memory of 2400 1628 2025-02-24_d4ad85f9df962163805262b0e557efc0_smoke-loader_wapomi.exe 30 PID 2400 wrote to memory of 2032 2400 ptjIGU.exe 34 PID 2400 wrote to memory of 2032 2400 ptjIGU.exe 34 PID 2400 wrote to memory of 2032 2400 ptjIGU.exe 34 PID 2400 wrote to memory of 2032 2400 ptjIGU.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-02-24_d4ad85f9df962163805262b0e557efc0_smoke-loader_wapomi.exe"C:\Users\Admin\AppData\Local\Temp\2025-02-24_d4ad85f9df962163805262b0e557efc0_smoke-loader_wapomi.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Users\Admin\AppData\Local\Temp\ptjIGU.exeC:\Users\Admin\AppData\Local\Temp\ptjIGU.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\67550aa3.bat" "3⤵
- System Location Discovery: System Language Discovery
PID:2032
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
187B
MD5a5828955b38ddfd1aa85abfe00cd9dc7
SHA1de78a91a29476ad35e7c17c37efd7bc634d0f18b
SHA25677b7beb24dfe0d4aeab8c1647e69498598d7ca6f1c9682f1e39401ba00cf579d
SHA5129fe2f14e729d124e8142cbd7fd1dea639d5951584c6bde7d85439ffdd1a0805735cd9d921c218f70a1f7536ebe3412ac236549de4502a6a805ffe4b9ae635d92
-
Filesize
15KB
MD556b2c3810dba2e939a8bb9fa36d3cf96
SHA199ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA2564354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA51227812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e