Analysis
-
max time kernel
85s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
12-04-2023 03:29
Behavioral task
behavioral1
Sample
jre-8u351-windows-x64.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
jre-8u351-windows-x64.exe
Resource
win10v2004-20230220-en
General
-
Target
jre-8u351-windows-x64.exe
-
Size
84.5MB
-
MD5
7542ec421a2f6e90751e8b64c22e0542
-
SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba
-
SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6
-
SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc
-
SSDEEP
1572864:ugyqUvFZpZDQBTgcJ5pWuqHRAOLut/+EDSSXXfDS2ZVw:ugzUnvDHq5pW1xAwutGEDxXXfGP
Malware Config
Signatures
-
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
Bazar/Team9 Backdoor payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\jds240563859.tmp\jre-8u351-windows-x64.exe BazarBackdoorVar3 C:\Users\Admin\AppData\Local\Temp\jds240563859.tmp\jre-8u351-windows-x64.exe BazarBackdoorVar3 -
Executes dropped EXE 1 IoCs
Processes:
jre-8u351-windows-x64.exepid process 2652 jre-8u351-windows-x64.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
jre-8u351-windows-x64.exepid process 2652 jre-8u351-windows-x64.exe 2652 jre-8u351-windows-x64.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
jre-8u351-windows-x64.exedescription pid process target process PID 5104 wrote to memory of 2652 5104 jre-8u351-windows-x64.exe jre-8u351-windows-x64.exe PID 5104 wrote to memory of 2652 5104 jre-8u351-windows-x64.exe jre-8u351-windows-x64.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\jre-8u351-windows-x64.exe"C:\Users\Admin\AppData\Local\Temp\jre-8u351-windows-x64.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Users\Admin\AppData\Local\Temp\jds240563859.tmp\jre-8u351-windows-x64.exe"C:\Users\Admin\AppData\Local\Temp\jds240563859.tmp\jre-8u351-windows-x64.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2652
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\jds240563859.tmp\jre-8u351-windows-x64.exeFilesize
84.1MB
MD5dfcfc788d67437530a50177164db42b0
SHA12d9ed0dc5671a358186dcf83abb74bfe39c40e9f
SHA256a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1
SHA512dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3
-
C:\Users\Admin\AppData\Local\Temp\jds240563859.tmp\jre-8u351-windows-x64.exeFilesize
84.1MB
MD5dfcfc788d67437530a50177164db42b0
SHA12d9ed0dc5671a358186dcf83abb74bfe39c40e9f
SHA256a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1
SHA512dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3
-
C:\Users\Admin\AppData\Local\Temp\jusched.logFilesize
267KB
MD54d3c55c5088ef338f1922ca3d9a50321
SHA130be4de3fe7eb5c1d6acf563616afe6562502345
SHA256176cd6c7743742fa313099729683c2263093907a3993aaaa44ea3e570fe70552
SHA512f1624ca15cf605e668ff2ca902aefbfe959159f6bfddd03da520e1e6991dc1b6382261b79e706793719d6b157aa09b0bb1c6bce803a1084b7081acf24a25265a
-
C:\Users\Admin\AppData\Local\Temp\jusched.logFilesize
267KB
MD5f92127386c183506fc4ebdf7997b733b
SHA1b2ee3cd11bad35243bda8b1561daa19c5e0d1ac5
SHA256f8309cd2cec3c06b99f2d39870627ea3e93c617cd478b0069b8bd54ab0a9d28e
SHA512fa0420bab004532e29a40e4f9956b45e382df79b389aae349404b1784c43d314cb1fa19f2a788f5dab970f2eb590a2abcbcf291a69880708a5d830d8f917540d
-
C:\Users\Admin\AppData\Local\Temp\jusched.logFilesize
285KB
MD56839a373b686263b9a0ddbcb374c6726
SHA15c24571cb794c2f4cec44adb636d09d4beabc445
SHA2563f99c42e63e6fd3a3d9fa01266eb6c21d2e457787df5d273b8c30f80cf4973c8
SHA512c08c56f3082290bbedaf38dc765f95e949cf35232fd48c2af483dcc45a5002f4f3ac69bc8677c6c45a9532d8f7f1c5b90d1233cb3fe4f3e7f81d1ecb2f17c1c3