bazarbackdoor | 188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

General

Target

jre-8u351-windows-x64.exe
Size

84.5MB
MD5

7542ec421a2f6e90751e8b64c22e0542
SHA1

d207d221a28ede5c2c8415f82c555989aa7068ba
SHA256

188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6
SHA512

8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc
SSDEEP

1572864:ugyqUvFZpZDQBTgcJ5pWuqHRAOLut/+EDSSXXfDS2ZVw:ugzUnvDHq5pW1xAwutGEDxXXfGP

Score

10^/10

bazarbackdoor backdoor

Malware Config

Signatures

BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 5 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\jds7082445.tmp\jre-8u351-windows-x64.exe	BazarBackdoorVar3
C:\Users\Admin\AppData\Local\Temp\jds7082445.tmp\jre-8u351-windows-x64.exe	BazarBackdoorVar3
C:\Users\Admin\AppData\Local\Temp\jds7082445.tmp\jre-8u351-windows-x64.exe	BazarBackdoorVar3
\Users\Admin\AppData\Local\Temp\jds7082445.tmp\jre-8u351-windows-x64.exe	BazarBackdoorVar3
\Users\Admin\AppData\Local\Temp\jds7082445.tmp\jre-8u351-windows-x64.exe	BazarBackdoorVar3

Executes dropped EXE 1 IoCs

Processes:

jre-8u351-windows-x64.exe

pid process

860 jre-8u351-windows-x64.exe
Loads dropped DLL 3 IoCs

Processes:

jre-8u351-windows-x64.exe

pid process

1484 jre-8u351-windows-x64.exe
1212
1212

pid	process
860	jre-8u351-windows-x64.exe

pid	process
1484	jre-8u351-windows-x64.exe
1212
1212

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

jre-8u351-windows-x64.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	jre-8u351-windows-x64.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

jre-8u351-windows-x64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	jre-8u351-windows-x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	jre-8u351-windows-x64.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

jre-8u351-windows-x64.exe

pid process

860 jre-8u351-windows-x64.exe
860 jre-8u351-windows-x64.exe

pid	process
860	jre-8u351-windows-x64.exe
860	jre-8u351-windows-x64.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

jre-8u351-windows-x64.exe

description	pid	process	target process
PID 1484 wrote to memory of 860	1484	jre-8u351-windows-x64.exe	jre-8u351-windows-x64.exe
PID 1484 wrote to memory of 860	1484	jre-8u351-windows-x64.exe	jre-8u351-windows-x64.exe
PID 1484 wrote to memory of 860	1484	jre-8u351-windows-x64.exe	jre-8u351-windows-x64.exe

C:\Users\Admin\AppData\Local\Temp\jre-8u351-windows-x64.exe
"C:\Users\Admin\AppData\Local\Temp\jre-8u351-windows-x64.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1484

C:\Users\Admin\AppData\Local\Temp\jds7082445.tmp\jre-8u351-windows-x64.exe
"C:\Users\Admin\AppData\Local\Temp\jds7082445.tmp\jre-8u351-windows-x64.exe"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jds7082445.tmp\jre-8u351-windows-x64.exe
Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7082445.tmp\jre-8u351-windows-x64.exe
Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
1KB

MD5
691700201195a12bc224c39f1b2e9cc3

SHA1
386812029e0c8ea15803c1be43f4cf6fbc3ab0a3

SHA256
b22240ba81271326b38577800d0f55834438acd9fb506feb3a03f400d0c0ebf2

SHA512
97dfede0359743bf41505c33f9c575b1680556ca33fc3dccfcb47dbba641b3d16aa7828d5d157da425a347833cca752e2dff410b0d929a7f8c95bff90e5e0d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
4KB

MD5
682bb3d7010e1f2c735e1c0d1958de06

SHA1
296ca0eb769276c0bfaaf9f3cade05ac734df4ae

SHA256
bf5c4df24e0da8dbebf1203d11f545c06a50f57110a2d1f4dd0d550f1de80997

SHA512
ef4f819ee6fd02d64bf596fdadc423136e2180dd4f8543d987aa8762a31e51f3b506e9cf166fd1a1b12071e844913d39130eeba4ff7ad40efb41579e922c0652

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
4KB

MD5
6b6e7016e23631991177ccfec1b60e50

SHA1
5c46d5be468e3e10291dd0d1ceec6cca9cb9494f

SHA256
65da5e77e0e68f8e49db95f51821a758ea97b87b10d89fb296c20c5629a8e673

SHA512
89a52483a3b29d2e057032a8fc445428392bedfd18b1299b19471967d3b3afc9bba1ce27673c55cabb993b941add216965d58a387b7aec0c762e1e660eaa11d6

Download Submit
\Users\Admin\AppData\Local\Temp\jds7082445.tmp\jre-8u351-windows-x64.exe
Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
\Users\Admin\AppData\Local\Temp\jds7082445.tmp\jre-8u351-windows-x64.exe
Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
\Users\Admin\AppData\Local\Temp\jds7082445.tmp\jre-8u351-windows-x64.exe
Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads