Analysis Overview
SHA256
c0d47993f82059f010352d5f1dced0ffda0a7897f690a96225fa77dcb24987e8
Threat Level: Known bad
The file edc5fd90ab70a2e73243c06fbf4bbf42_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Bazar Loader
Bazar/Team9 Loader payload
Unsigned PE
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-04-11 15:42
Signatures
Unsigned PE
Signature detail rows (Description / Indicator / Process / Target) are empty in the report.
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-11 15:42
Reported
2024-04-11 15:44
Platform
win7-20240221-en
Max time kernel
126s
Max time network
129s
Command Line
Signatures
Bazar Loader
Bazar/Team9 Loader payload
Signature detail rows (Description / Indicator / Process / Target) are empty in the report.
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\edc5fd90ab70a2e73243c06fbf4bbf42_JaffaCakes118.dll
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\edc5fd90ab70a2e73243c06fbf4bbf42_JaffaCakes118.dll,DllRegisterServer {20E291A7-652C-48D9-A6A9-014FE48661F5}
Network
| Country | Destination | Domain | Proto |
| DE | 167.99.240.197:443 | | tcp |
| DE | 167.99.240.197:443 | | tcp |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 20.112.250.133:443 | microsoft.com | tcp |
| US | 20.112.250.133:443 | microsoft.com | tcp |
| DE | 167.99.240.197:443 | | tcp |
| DE | 167.99.240.197:443 | | tcp |
| DE | 167.99.240.197:443 | | tcp |
| DE | 167.99.240.197:443 | | tcp |
Files
memory/2188-0-0x0000000001D90000-0x0000000001E82000-memory.dmp
memory/1612-1-0x0000000001DF0000-0x0000000001EE2000-memory.dmp
memory/1612-2-0x0000000001DF0000-0x0000000001EE2000-memory.dmp
memory/2188-3-0x0000000001D90000-0x0000000001E82000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-11 15:42
Reported
2024-04-11 15:44
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Bazar Loader
Bazar/Team9 Loader payload
Signature detail rows (Description / Indicator / Process / Target) are empty in the report.
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\edc5fd90ab70a2e73243c06fbf4bbf42_JaffaCakes118.dll
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\edc5fd90ab70a2e73243c06fbf4bbf42_JaffaCakes118.dll,DllRegisterServer {629050E5-C4E1-4290-926F-997A9F610E29}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 20.112.250.133:443 | microsoft.com | tcp |
| DE | 167.99.240.197:443 | | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | 133.250.112.20.in-addr.arpa | udp |
| BE | 2.21.17.194:443 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 194.17.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| DE | 167.99.240.197:443 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| DE | 167.99.240.197:443 | | tcp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
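Both detonations show the same execution chain: regsvr32 /s silently loads the DLL from the user's Temp directory, and a child rundll32 re-invokes the same DLL's DllRegisterServer export with a GUID argument. The GUID differs between the two runs, so it is a per-execution value, not a static indicator; the stable detection points are the parent/child relationship, the export name, the user-writable DLL path, and the repeated TLS connections to 167.99.240.197:443 with no domain in the capture. The script below is an added example (not part of the sandbox report) that applies those checks. The process events are constructed to resemble Sysmon Event ID 1 records; only the command lines and network destinations are taken from the report, and the pids, ppids and field names are assumptions.

```python
"""Detection logic for the regsvr32 -> rundll32 DllRegisterServer chain and the
direct-to-IP TLS traffic recorded in this report. Added example; events are constructed."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int      # constructed; the report does not state pids
    ppid: int     # constructed
    image: str
    cmdline: str


# Constructed process-creation events. Command lines are copied from the report;
# the last event is a benign regsvr32 registration from Program Files for contrast.
EVENTS = [
    ProcessEvent(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(2188, 1000, r"C:\Windows\system32\regsvr32.exe",
                 r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\edc5fd90ab70a2e73243c06fbf4bbf42_JaffaCakes118.dll"),
    ProcessEvent(1612, 2188, r"C:\Windows\System32\rundll32.exe",
                 r"C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\edc5fd90ab70a2e73243c06fbf4bbf42_JaffaCakes118.dll,DllRegisterServer {20E291A7-652C-48D9-A6A9-014FE48661F5}"),
    ProcessEvent(3100, 1000, r"C:\Windows\system32\regsvr32.exe",
                 r'regsvr32 /s "C:\Program Files\Vendor\component.dll"'),
]

# Network records as listed in the behavioral2 run: (destination, domain, proto)
NETWORK = [
    ("8.8.8.8:53", "microsoft.com", "udp"),
    ("20.112.250.133:443", "microsoft.com", "tcp"),
    ("167.99.240.197:443", "", "tcp"),
    ("2.21.17.194:443", "www.microsoft.com", "tcp"),
    ("167.99.240.197:443", "", "tcp"),
]

# A DLL path under the user's Temp directory (user-writable, typical drop location).
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Registry-format GUID, e.g. {20E291A7-652C-48D9-A6A9-014FE48661F5}
GUID = re.compile(r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}", re.IGNORECASE)


def is_regsvr32_temp_dll(ev: ProcessEvent) -> bool:
    """regsvr32 loading a DLL from the user's Temp directory."""
    return ev.image.lower().endswith("\\regsvr32.exe") and USER_TEMP.search(ev.cmdline) is not None


def is_rundll32_dllregisterserver(ev: ProcessEvent) -> bool:
    """rundll32 calling DllRegisterServer on a DLL in the user's Temp directory."""
    return (ev.image.lower().endswith("\\rundll32.exe")
            and ",dllregisterserver" in ev.cmdline.lower()
            and USER_TEMP.search(ev.cmdline) is not None)


def detect_chain(events):
    """Return (regsvr32_pid, rundll32_pid, guid_or_None) for every rundll32
    DllRegisterServer child whose parent is a regsvr32 that loaded a Temp DLL."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if not is_rundll32_dllregisterserver(ev):
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None or not is_regsvr32_temp_dll(parent):
            continue
        m = GUID.search(ev.cmdline)          # GUID is per-run; record it, do not key on it
        hits.append((parent.pid, ev.pid, m.group(0) if m else None))
    return hits


def direct_to_ip_tls(records):
    """IPs contacted on 443 over TCP with no domain in the capture,
    i.e. TLS to a hard-coded address rather than a resolved name."""
    return {dst.rsplit(":", 1)[0] for dst, domain, proto in records
            if proto == "tcp" and dst.endswith(":443") and not domain}


if __name__ == "__main__":
    for parent_pid, child_pid, guid in detect_chain(EVENTS):
        print(f"regsvr32 pid {parent_pid} -> rundll32 pid {child_pid}, GUID {guid}")
    print("direct-to-IP TLS:", sorted(direct_to_ip_tls(NETWORK)))
```

The parent/child check is what keeps the rule quiet: a lone regsvr32 /s from Program Files (the constructed benign event) is not flagged, and the GUID is captured for triage rather than matched, since the two detonations above show it changes on every run.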
Files
memory/2232-0-0x0000000002320000-0x0000000002412000-memory.dmp
memory/3028-1-0x000001FCCC3E0000-0x000001FCCC4D2000-memory.dmp
memory/3028-2-0x000001FCCC3E0000-0x000001FCCC4D2000-memory.dmp
memory/2232-3-0x0000000002320000-0x0000000002412000-memory.dmp