bazarloader | 1a2ef4ec2183acab4212a862ac9a29fcee45ce79caeca9788bf8ed89d039d610

General

Target

3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe
Size

1.0MB
MD5

3b3d2699a679db2b32f56d27b3ec8e38
SHA1

dfdb6196a36b4e921006d17882e09d88d698b6d2
SHA256

1a2ef4ec2183acab4212a862ac9a29fcee45ce79caeca9788bf8ed89d039d610
SHA512

aba3f2e66425d2abc5005d577a5d13ab2b5c41c74d6a7c9c5c911b2d807d3b65b86d853a3325fe3410e0ef063f0cf359b946ab884d7904aabe549c519241d979
SSDEEP

3072:8sOv8fESTARqUUCFt9/Ns8QDCaExTV1NTTLQETTaEykC3/hC3/:ZOvk/E1TQmB6

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Extracted

Family

bazarloader

C2

34.221.125.90

34.209.41.233

dfegjlefggjo.bazar

bcfijmcchijp.bazar

aeghkkbeihkn.bazar

cfhgjldfjgjo.bazar

cehgkldejgko.bazar

efehilffghio.bazar

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0004000000016943-2.dat	BazarLoaderVar1

Executes dropped EXE 2 IoCs

pid	Process
1700	V8G6CFD.exe
3936	V8G6CFD.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\H2CZA6O1WBH = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v B7O0XZI2 /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\V8G6CFD.exe\\\" B6MMU\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\V8G6CFD.exe\" B6MMU"	V8G6CFD.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
5052	PING.EXE
4244	PING.EXE
1508	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4992	3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe
4992	3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 5056	4992	3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe	88
PID 4992 wrote to memory of 5056	4992	3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe	88
PID 5056 wrote to memory of 5052	5056	cmd.exe	90
PID 5056 wrote to memory of 5052	5056	cmd.exe	90
PID 5056 wrote to memory of 3884	5056	cmd.exe	91
PID 5056 wrote to memory of 3884	5056	cmd.exe	91
PID 3884 wrote to memory of 2916	3884	3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe	93
PID 3884 wrote to memory of 2916	3884	3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe	93
PID 2916 wrote to memory of 4244	2916	cmd.exe	95
PID 2916 wrote to memory of 4244	2916	cmd.exe	95
PID 2916 wrote to memory of 1700	2916	cmd.exe	96
PID 2916 wrote to memory of 1700	2916	cmd.exe	96
PID 1700 wrote to memory of 1756	1700	V8G6CFD.exe	97
PID 1700 wrote to memory of 1756	1700	V8G6CFD.exe	97
PID 1756 wrote to memory of 1508	1756	cmd.exe	99
PID 1756 wrote to memory of 1508	1756	cmd.exe	99
PID 1756 wrote to memory of 3936	1756	cmd.exe	100
PID 1756 wrote to memory of 3936	1756	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe XD7QB5R
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\system32\PING.EXE
    ping 8.8.8.8 -n 2
    3⤵
    - Runs ping.exe
    PID:5052
- - C:\Users\Admin\AppData\Local\Temp\3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\3b3d2699a679db2b32f56d27b3ec8e38_JaffaCakes118.exe XD7QB5R
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3884
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\V8G6CFD.exe JRWGGV
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\system32\PING.EXE
        
        ping 8.8.8.8 -n 2
        5⤵
        Runs ping.exe
        
        PID:4244
    - - C:\Users\Admin\AppData\Local\Temp\V8G6CFD.exe
        
        C:\Users\Admin\AppData\Local\Temp\V8G6CFD.exe JRWGGV
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1700
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\V8G6CFD.exe B6MMU
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\system32\PING.EXE
        
        ping 8.8.8.8 -n 2
        7⤵
        Runs ping.exe
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\V8G6CFD.exe
        
        C:\Users\Admin\AppData\Local\Temp\V8G6CFD.exe B6MMU
        7⤵
        Executes dropped EXE
        
        PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\V8G6CFD.exe

Filesize
1.0MB

MD5
3b3d2699a679db2b32f56d27b3ec8e38

SHA1
dfdb6196a36b4e921006d17882e09d88d698b6d2

SHA256
1a2ef4ec2183acab4212a862ac9a29fcee45ce79caeca9788bf8ed89d039d610

SHA512
aba3f2e66425d2abc5005d577a5d13ab2b5c41c74d6a7c9c5c911b2d807d3b65b86d853a3325fe3410e0ef063f0cf359b946ab884d7904aabe549c519241d979

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads