bazarloader | 1f9f8cf325ff2de752478ff0623086019ebd1ffbce1d1c2f60e0b70149279f10

General

Target

7162fdf107c2d36f99c59d5435a4d399_JaffaCakes118.dll
Size

363KB
MD5

7162fdf107c2d36f99c59d5435a4d399
SHA1

b4ffeac7e7b25409b709377430dfe8821ca21e6e
SHA256

1f9f8cf325ff2de752478ff0623086019ebd1ffbce1d1c2f60e0b70149279f10
SHA512

4098f01ba4da3742e96a70cf2478c26d8a24db1c97b048d27c40cb4f28c221c180ae356536b5bda41d9d041aa029dc951a90cd7fa038a5a7bc4c4d27a7fa95f8
SSDEEP

6144:RM8CPvvwq0YslcteDNCfgQ/Fkp8HuubxwHdy/6E6OuUNkTf:kvvwTYslTMIQQubxTNkD

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Extracted

Family

bazarloader

C2

167.172.108.158

64.227.66.10

134.209.91.22

167.172.108.213

blackrain15.bazar

reddew28c.bazar

bluehail.bazar

whitestorm9p.bazar

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tishmjnhioanlnokantlrwudm = "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\7162fdf107c2d36f99c59d5435a4d399_JaffaCakes118.dll\", #1 pfabigas lbbuvrfdt pemnpsldukcq"	reg.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1092 timeout.exe
572 timeout.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3348 reg.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1012 rundll32.exe
1012 rundll32.exe

pid	process
1092	timeout.exe
572	timeout.exe

pid	process
3348	reg.exe

pid	process
1012	rundll32.exe
1012	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

rundll32.execmd.exerundll32.execmd.execmd.exe

description	pid	process	target process
PID 3360 wrote to memory of 336	3360	rundll32.exe	cmd.exe
PID 3360 wrote to memory of 336	3360	rundll32.exe	cmd.exe
PID 336 wrote to memory of 1092	336	cmd.exe	timeout.exe
PID 336 wrote to memory of 1092	336	cmd.exe	timeout.exe
PID 336 wrote to memory of 1012	336	cmd.exe	rundll32.exe
PID 336 wrote to memory of 1012	336	cmd.exe	rundll32.exe
PID 1012 wrote to memory of 4424	1012	rundll32.exe	cmd.exe
PID 1012 wrote to memory of 4424	1012	rundll32.exe	cmd.exe
PID 4424 wrote to memory of 3348	4424	cmd.exe	reg.exe
PID 4424 wrote to memory of 3348	4424	cmd.exe	reg.exe
PID 1012 wrote to memory of 4636	1012	rundll32.exe	cmd.exe
PID 1012 wrote to memory of 4636	1012	rundll32.exe	cmd.exe
PID 4636 wrote to memory of 572	4636	cmd.exe	timeout.exe
PID 4636 wrote to memory of 572	4636	cmd.exe	timeout.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7162fdf107c2d36f99c59d5435a4d399_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3360

C:\Windows\system32\cmd.exe
cmd /c timeout 10 & "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\7162fdf107c2d36f99c59d5435a4d399_JaffaCakes118.dll", #1 pfabigas liarrrav & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\system32\timeout.exe
timeout 10
3⤵
- Delays execution with timeout.exe
PID:1092

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\7162fdf107c2d36f99c59d5435a4d399_JaffaCakes118.dll", #1 pfabigas liarrrav
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\system32\cmd.exe
cmd.exe /c reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v tishmjnhioanlnokantlrwudm /t REG_SZ /d "\"C:\Windows\system32\rundll32.exe\" \"C:\Users\Admin\AppData\Local\Temp\7162fdf107c2d36f99c59d5435a4d399_JaffaCakes118.dll\", #1 pfabigas lbbuvrfdt pemnpsldukcq"
4⤵
- Suspicious use of WriteProcessMemory
PID:4424

C:\Windows\system32\reg.exe
reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v tishmjnhioanlnokantlrwudm /t REG_SZ /d "\"C:\Windows\system32\rundll32.exe\" \"C:\Users\Admin\AppData\Local\Temp\7162fdf107c2d36f99c59d5435a4d399_JaffaCakes118.dll\", #1 pfabigas lbbuvrfdt pemnpsldukcq"
5⤵
- Adds Run key to start application
- Modifies registry key
PID:3348

C:\Windows\system32\cmd.exe
cmd /c timeout 8 /nobreak > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\7162fdf107c2d36f99c59d5435a4d399_JaffaCakes118.dll", #1 pfabigas lbbuvrfdt pemnpsldukcq & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4636

C:\Windows\system32\timeout.exe
timeout 8 /nobreak
5⤵
- Delays execution with timeout.exe
PID:572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3916 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:3416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1012-3-0x0000014C91780000-0x0000014C9179F000-memory.dmp

Filesize
124KB

Download
memory/1012-4-0x0000014C91780000-0x0000014C9179F000-memory.dmp

Filesize
124KB

Download
memory/3360-0-0x0000022411670000-0x000002241168F000-memory.dmp

Filesize
124KB

Download
memory/3360-1-0x0000022411670000-0x000002241168F000-memory.dmp

Filesize
124KB

Download
memory/3360-2-0x0000022411670000-0x000002241168F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads