berbew | 1bb43f67cbfffddb6da85446a601cc0a0aba7c4695d5f88a98a037fe658c4ce8

General

Target

1bb43f67cbfffddb6da85446a601cc0a0aba7c4695d5f88a98a037fe658c4ce8.exe
Size

160KB
MD5

b059846442a3388781dc2caaf3b03064
SHA1

48d0f46654a3efb11dd24af1f3df8b832175c47b
SHA256

1bb43f67cbfffddb6da85446a601cc0a0aba7c4695d5f88a98a037fe658c4ce8
SHA512

2e0022781619b51a5039a2eba597fc703991b6c7d1efa4179f5e8211b3285ad8d476758d0f87ab335cbe94b9dfef9e44c7f3447aff2d57f82e37ea0e810c1f2f
SSDEEP

3072:oSqW1P+gSsZAURoItWGiYvgb3a3+X13XRzrgHq/Wp+YmKfxgQdxvr:NVWgJZA3mjo7aOl3BzrUmKyIxT

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcjdam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcjdam32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqnejaff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqnejaff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjficg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjficg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1bb43f67cbfffddb6da85446a601cc0a0aba7c4695d5f88a98a037fe658c4ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	1bb43f67cbfffddb6da85446a601cc0a0aba7c4695d5f88a98a037fe658c4ce8.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 4 IoCs

pid	Process
4972	Gcjdam32.exe
1204	Gqnejaff.exe
2424	Gjficg32.exe
2412	Gbmadd32.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gqnejaff.exe	Gcjdam32.exe
File opened for modification	C:\Windows\SysWOW64\Gqnejaff.exe	Gcjdam32.exe
File opened for modification	C:\Windows\SysWOW64\Gjficg32.exe	Gqnejaff.exe
File created	C:\Windows\SysWOW64\Hjmgbm32.dll	Gjficg32.exe
File created	C:\Windows\SysWOW64\Dmfbkh32.dll	1bb43f67cbfffddb6da85446a601cc0a0aba7c4695d5f88a98a037fe658c4ce8.exe
File created	C:\Windows\SysWOW64\Ckfaapfi.dll	Gcjdam32.exe
File created	C:\Windows\SysWOW64\Gjficg32.exe	Gqnejaff.exe
File created	C:\Windows\SysWOW64\Emjnfn32.dll	Gqnejaff.exe
File created	C:\Windows\SysWOW64\Gbmadd32.exe	Gjficg32.exe
File opened for modification	C:\Windows\SysWOW64\Gbmadd32.exe	Gjficg32.exe
File created	C:\Windows\SysWOW64\Gcjdam32.exe	1bb43f67cbfffddb6da85446a601cc0a0aba7c4695d5f88a98a037fe658c4ce8.exe
File opened for modification	C:\Windows\SysWOW64\Gcjdam32.exe	1bb43f67cbfffddb6da85446a601cc0a0aba7c4695d5f88a98a037fe658c4ce8.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1148	2412	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcjdam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqnejaff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjficg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbmadd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1bb43f67cbfffddb6da85446a601cc0a0aba7c4695d5f88a98a037fe658c4ce8.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmgbm32.dll"	Gjficg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	1bb43f67cbfffddb6da85446a601cc0a0aba7c4695d5f88a98a037fe658c4ce8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1bb43f67cbfffddb6da85446a601cc0a0aba7c4695d5f88a98a037fe658c4ce8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1bb43f67cbfffddb6da85446a601cc0a0aba7c4695d5f88a98a037fe658c4ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmfbkh32.dll"	1bb43f67cbfffddb6da85446a601cc0a0aba7c4695d5f88a98a037fe658c4ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	1bb43f67cbfffddb6da85446a601cc0a0aba7c4695d5f88a98a037fe658c4ce8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjficg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjficg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcjdam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfaapfi.dll"	Gcjdam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcjdam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gqnejaff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	1bb43f67cbfffddb6da85446a601cc0a0aba7c4695d5f88a98a037fe658c4ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjnfn32.dll"	Gqnejaff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gqnejaff.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 4972	768	1bb43f67cbfffddb6da85446a601cc0a0aba7c4695d5f88a98a037fe658c4ce8.exe	87
PID 768 wrote to memory of 4972	768	1bb43f67cbfffddb6da85446a601cc0a0aba7c4695d5f88a98a037fe658c4ce8.exe	87
PID 768 wrote to memory of 4972	768	1bb43f67cbfffddb6da85446a601cc0a0aba7c4695d5f88a98a037fe658c4ce8.exe	87
PID 4972 wrote to memory of 1204	4972	Gcjdam32.exe	88
PID 4972 wrote to memory of 1204	4972	Gcjdam32.exe	88
PID 4972 wrote to memory of 1204	4972	Gcjdam32.exe	88
PID 1204 wrote to memory of 2424	1204	Gqnejaff.exe	89
PID 1204 wrote to memory of 2424	1204	Gqnejaff.exe	89
PID 1204 wrote to memory of 2424	1204	Gqnejaff.exe	89
PID 2424 wrote to memory of 2412	2424	Gjficg32.exe	90
PID 2424 wrote to memory of 2412	2424	Gjficg32.exe	90
PID 2424 wrote to memory of 2412	2424	Gjficg32.exe	90

C:\Users\Admin\AppData\Local\Temp\1bb43f67cbfffddb6da85446a601cc0a0aba7c4695d5f88a98a037fe658c4ce8.exe
"C:\Users\Admin\AppData\Local\Temp\1bb43f67cbfffddb6da85446a601cc0a0aba7c4695d5f88a98a037fe658c4ce8.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:768
- C:\Windows\SysWOW64\Gcjdam32.exe
  C:\Windows\system32\Gcjdam32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\SysWOW64\Gqnejaff.exe
    C:\Windows\system32\Gqnejaff.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Windows\SysWOW64\Gjficg32.exe
      C:\Windows\system32\Gjficg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2412
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 412
        6⤵
        Program crash
        
        PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2412 -ip 2412
1⤵
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbmadd32.exe

Filesize
160KB

MD5
8d384bf7bddc3129d31df35437952b96

SHA1
11f5720aa2b240cf414ed6e2b1ef91dd64f0288e

SHA256
201de16c885187b58b5a7b8a2e9d5825d29e77be25e9201ac65b521e2c1e188e

SHA512
8229c817dc63fdea8dcd1011a8373ca7d0a9009486ef99a53b684db06a4e6b29fa7be7b3e8b97c4335571ca34d21dbafd14289488eda0dfeeb40f969757d581c

Download Submit
C:\Windows\SysWOW64\Gcjdam32.exe

Filesize
160KB

MD5
7720803ec8e69fb8e75d8fcad0289605

SHA1
8f76784aadb027acf8f8285eefebc253a2d41cd6

SHA256
c2a2b9f6228ff86385bdc9927de76009951c291d87a873615f9b6c568bb2da3c

SHA512
fd0ec9ee6cd1668f793834c42d2c7e2f4f7d19b20a7c10b84d7892585899d5e9c842c273eb9f36bc895fe78eb8e7acfbd621bb8dbd82265cb64d88d9fa0f462c

Download Submit
C:\Windows\SysWOW64\Gjficg32.exe

Filesize
160KB

MD5
3d8186e8137bfd7d933a96212340d469

SHA1
4a3e640a6fc85541b36f29395048f1d351967ca9

SHA256
19f31a757bbdfc3be590086cab4d9e71b8185e7651954b3e2a89d3fd97fb0cc1

SHA512
10d01d39a2026794982b55d8b5e514a68e933e050413ba1ea2b5e38ab84eb244d293ee09c22ff1ba80ef03d53da2596d7fa48f54913e42bb9a9c8d9dd89adfd1

Download Submit
C:\Windows\SysWOW64\Gqnejaff.exe

Filesize
160KB

MD5
355a52a86132338aa5f6e9b06a665feb

SHA1
f012c84542dd3af0f60a196e3fea40254c9b3342

SHA256
93c79c6e8cd7a04946a46bdb820f03de06ef9f31773a9885c5d9994256bcd9b9

SHA512
5bbc82ce0dd04b2f640aa12733f9a562cbed80f0eeaa3c20a8acfbf763a939c2e5bceb413538a746f3591b2d9ad0ffebd95933aa3a513e4aa8ab166d82578921

Download Submit
memory/768-37-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/768-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1204-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1204-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2412-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2412-34-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2424-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2424-35-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4972-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4972-36-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads