bazarloader | 1a2ef4ec2183acab4212a862ac9a29fcee45ce79caeca9788bf8ed89d039d610

General

Target

3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe
Size

1.0MB
MD5

3b3d2699a679db2b32f56d27b3ec8e38
SHA1

dfdb6196a36b4e921006d17882e09d88d698b6d2
SHA256

1a2ef4ec2183acab4212a862ac9a29fcee45ce79caeca9788bf8ed89d039d610
SHA512

aba3f2e66425d2abc5005d577a5d13ab2b5c41c74d6a7c9c5c911b2d807d3b65b86d853a3325fe3410e0ef063f0cf359b946ab884d7904aabe549c519241d979
SSDEEP

3072:8sOv8fESTARqUUCFt9/Ns8QDCaExTV1NTTLQETTaEykC3/hC3/:ZOvk/E1TQmB6

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Extracted

Family

bazarloader

C2

34.221.125.90

34.209.41.233

dfegjlefggjo.bazar

bcfijmcchijp.bazar

aeghkkbeihkn.bazar

cfhgjldfjgjo.bazar

cehgkldejgko.bazar

efehilffghio.bazar

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\NAE6D44.exe	BazarLoaderVar1

Executes dropped EXE 2 IoCs

Processes:

NAE6D44.exeNAE6D44.exe

pid process

2076 NAE6D44.exe
1524 NAE6D44.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.execmd.exe

pid process

608 cmd.exe
608 cmd.exe
1980 cmd.exe
1980 cmd.exe

pid	process
2076	NAE6D44.exe
1524	NAE6D44.exe

pid	process
608	cmd.exe
608	cmd.exe
1980	cmd.exe
1980	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NAE6D44.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\NE6UFKE9Q = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v N16BB7V4LU /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NAE6D44.exe\\\" HFB3DSQ\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\NAE6D44.exe\" HFB3DSQ"	NAE6D44.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

2716 PING.EXE
1792 PING.EXE
2916 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe

pid process

2276 3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe

pid	process
2716	PING.EXE
1792	PING.EXE
2916	PING.EXE

pid	process
2276	3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.execmd.exe3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.execmd.exeNAE6D44.execmd.exe

description	pid	process	target process
PID 2276 wrote to memory of 2800	2276	3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe	cmd.exe
PID 2276 wrote to memory of 2800	2276	3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe	cmd.exe
PID 2276 wrote to memory of 2800	2276	3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe	cmd.exe
PID 2800 wrote to memory of 2716	2800	cmd.exe	PING.EXE
PID 2800 wrote to memory of 2716	2800	cmd.exe	PING.EXE
PID 2800 wrote to memory of 2716	2800	cmd.exe	PING.EXE
PID 2800 wrote to memory of 2624	2800	cmd.exe	3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe
PID 2800 wrote to memory of 2624	2800	cmd.exe	3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe
PID 2800 wrote to memory of 2624	2800	cmd.exe	3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe
PID 2624 wrote to memory of 608	2624	3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe	cmd.exe
PID 2624 wrote to memory of 608	2624	3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe	cmd.exe
PID 2624 wrote to memory of 608	2624	3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe	cmd.exe
PID 608 wrote to memory of 1792	608	cmd.exe	PING.EXE
PID 608 wrote to memory of 1792	608	cmd.exe	PING.EXE
PID 608 wrote to memory of 1792	608	cmd.exe	PING.EXE
PID 608 wrote to memory of 2076	608	cmd.exe	NAE6D44.exe
PID 608 wrote to memory of 2076	608	cmd.exe	NAE6D44.exe
PID 608 wrote to memory of 2076	608	cmd.exe	NAE6D44.exe
PID 2076 wrote to memory of 1980	2076	NAE6D44.exe	cmd.exe
PID 2076 wrote to memory of 1980	2076	NAE6D44.exe	cmd.exe
PID 2076 wrote to memory of 1980	2076	NAE6D44.exe	cmd.exe
PID 1980 wrote to memory of 2916	1980	cmd.exe	PING.EXE
PID 1980 wrote to memory of 2916	1980	cmd.exe	PING.EXE
PID 1980 wrote to memory of 2916	1980	cmd.exe	PING.EXE
PID 1980 wrote to memory of 1524	1980	cmd.exe	NAE6D44.exe
PID 1980 wrote to memory of 1524	1980	cmd.exe	NAE6D44.exe
PID 1980 wrote to memory of 1524	1980	cmd.exe	NAE6D44.exe

C:\Users\Admin\AppData\Local\Temp\3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\system32\cmd.exe
  cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe J3L6R
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\system32\PING.EXE
    ping 8.8.8.8 -n 2
    3⤵
    - Runs ping.exe
    PID:2716
- - C:\Users\Admin\AppData\Local\Temp\3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe J3L6R
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\system32\cmd.exe
      cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\NAE6D44.exe JANK
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:608
    - - C:\Windows\system32\PING.EXE
        
        ping 8.8.8.8 -n 2
        5⤵
        Runs ping.exe
        
        PID:1792
    - - C:\Users\Admin\AppData\Local\Temp\NAE6D44.exe
        
        C:\Users\Admin\AppData\Local\Temp\NAE6D44.exe JANK
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2076
      - C:\Windows\system32\cmd.exe
        
        cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\NAE6D44.exe HFB3DSQ
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\system32\PING.EXE
        
        ping 8.8.8.8 -n 2
        7⤵
        Runs ping.exe
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\NAE6D44.exe
        
        C:\Users\Admin\AppData\Local\Temp\NAE6D44.exe HFB3DSQ
        7⤵
        Executes dropped EXE
        
        PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NAE6D44.exe

Filesize
1.0MB

MD5
3b3d2699a679db2b32f56d27b3ec8e38

SHA1
dfdb6196a36b4e921006d17882e09d88d698b6d2

SHA256
1a2ef4ec2183acab4212a862ac9a29fcee45ce79caeca9788bf8ed89d039d610

SHA512
aba3f2e66425d2abc5005d577a5d13ab2b5c41c74d6a7c9c5c911b2d807d3b65b86d853a3325fe3410e0ef063f0cf359b946ab884d7904aabe549c519241d979

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads