bazarloader | 0db1c5081359c780e9adde34299e521e460ebf36b58d7bcb4f3731b410ad6158

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 12:19

Target

08764c451d5b319de5995c00aa344db6_JaffaCakes118.exe
Size

164KB
MD5

08764c451d5b319de5995c00aa344db6
SHA1

3f384d4a99b1cf098089459463099bb0929598db
SHA256

0db1c5081359c780e9adde34299e521e460ebf36b58d7bcb4f3731b410ad6158
SHA512

f19f84786ae266b840599a4c97cf4102d5ebf3be9719818596a55ef26a82eef35f9eb79dfdcd32ef23dddea288517d182eaef471bdd76d201ce1223c8fa41560
SSDEEP

3072:x6ZAKZaNLNLNLNLNLNLNLNLNLNLNLNLNLNLNLNLNxWda8yShOT/FdS2WBSe3UMdn:x6ZFAWd/I9dS2WBSekMz1

Score

10^/10

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 3 IoCs

resource	yara_rule
behavioral1/memory/2940-6-0x0000000000370000-0x0000000000381000-memory.dmp	BazarLoaderVar1
behavioral1/memory/2940-2-0x0000000000390000-0x00000000003A4000-memory.dmp	BazarLoaderVar1
behavioral1/memory/2940-7-0x0000000000430000-0x0000000000446000-memory.dmp	BazarLoaderVar1

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2940	08764c451d5b319de5995c00aa344db6_JaffaCakes118.exe
2940	08764c451d5b319de5995c00aa344db6_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\08764c451d5b319de5995c00aa344db6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08764c451d5b319de5995c00aa344db6_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2940

memory/2940-0-0x0000000000370000-0x0000000000381000-memory.dmp

Filesize
68KB

Download
memory/2940-6-0x0000000000370000-0x0000000000381000-memory.dmp

Filesize
68KB

Download
memory/2940-2-0x0000000000390000-0x00000000003A4000-memory.dmp

Filesize
80KB

Download
memory/2940-7-0x0000000000430000-0x0000000000446000-memory.dmp

Filesize
88KB

Download
memory/2940-16-0x0000000003260000-0x00000000033BC000-memory.dmp

Filesize
1.4MB

Download