bazarloader | bb902ab59408d1f4b85cc88f99fbde34461a8a275ae91042350415d15a23fb04

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
28-07-2024 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1acd4fde5b0ef693deaee1584c0373ba_JaffaCakes118.exe
Size

303KB
MD5

1acd4fde5b0ef693deaee1584c0373ba
SHA1

d65d225d23462b026d3def8a1ec79cc1f2c927d9
SHA256

bb902ab59408d1f4b85cc88f99fbde34461a8a275ae91042350415d15a23fb04
SHA512

7ba1ca8cc035d25f8d5ecc6f87ffbe83b066d6ddaf2123565fe140fdbfd2c304d99c95fa264729a7b2fd6124798c7ec520976f38f6dff849608b4378496b11cd
SSDEEP

6144:rtEZOZw6WAzssPKf0srIHSo5e83dawkzuAjyd0ao:raZuw6WAtyf0xrdawcuAjIW

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader 64 IoCs

Detected loader normally used to deploy BazarBackdoor malware.

loader dropper bazarloader

flow	ioc
290	bfehkmbkghks.bazar
60	bcehilbhghir.bazar
239	bcegjlbhggjr.bazar
256	ccfiilchhiir.bazar
175	achgklahjgkr.bazar
317	adeiikaigiiq.bazar
84	beegikbjggiq.bazar
139	defiildjhiir.bazar
249	bdfhilbihhir.bazar
281	bdghjmbiihjs.bazar
21	acehikahghiq.bazar
51	adeiilaigiir.bazar
80	cceijkchgijq.bazar
231	ccegikchggiq.bazar
278	bdghjmbiihjs.bazar
291	bfehkmbkghks.bazar
331	dcfgkkdhhgkq.bazar
89	beegikbjggiq.bazar
115	dcegkldhggkr.bazar
118	dcegkldhggkr.bazar
274	bdghjmbiihjs.bazar
129	acghklahihkr.bazar
261	aceijlahgijr.bazar
37	ddfgikdihgiq.bazar
44	bdeiimbigiis.bazar
117	dcegkldhggkr.bazar
179	dffgikdkhgiq.bazar
180	dffgikdkhgiq.bazar
329	afeijkakgijq.bazar
70	ceghjkcjihjq.bazar
127	acghklahihkr.bazar
134	ccghjlchihjr.bazar
69	ceghjkcjihjq.bazar
82	beegikbjggiq.bazar
195	bfggjlbkigjr.bazar
107	dcgijldhiijr.bazar
123	acghklahihkr.bazar
178	dffgikdkhgiq.bazar
330	dcfgkkdhhgkq.bazar
342	affgkmakhgks.bazar
94	dcfhjkdhhhjq.bazar
95	dcfhjkdhhhjq.bazar
152	ceegjlcjggjr.bazar
253	ccfiilchhiir.bazar
259	aceijlahgijr.bazar
24	acehikahghiq.bazar
61	bcehilbhghir.bazar
92	dcfhjkdhhhjq.bazar
284	cefgklcjhgkr.bazar
106	dcgijldhiijr.bazar
112	dcgijldhiijr.bazar
287	cefgklcjhgkr.bazar
109	dcgijldhiijr.bazar
147	ceegjlcjggjr.bazar
187	cfeiklckgikr.bazar
190	cfeiklckgikr.bazar
242	bdfhilbihhir.bazar
20	acehikahghiq.bazar
63	bcehilbhghir.bazar
66	ceghjkcjihjq.bazar
326	afeijkakgijq.bazar
93	dcfhjkdhhhjq.bazar
124	acghklahihkr.bazar
322	afeijkakgijq.bazar

Bazar/Team9 Loader payload 3 IoCs

resource	yara_rule
behavioral1/memory/2320-4-0x0000000180000000-0x000000018003F000-memory.dmp	BazarLoaderVar4
behavioral1/memory/2320-0-0x0000000001D80000-0x0000000001DBC000-memory.dmp	BazarLoaderVar4
behavioral1/memory/2320-9-0x0000000000320000-0x000000000035A000-memory.dmp	BazarLoaderVar4

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

flow	ioc
126	acghklahihkr.bazar
139	defiildjhiir.bazar
206	ceggjkcjigjq.bazar
322	afeijkakgijq.bazar
33	ddfijmdihijs.bazar
79	cceijkchgijq.bazar
244	bdfhilbihhir.bazar
303	beeiikbjgiiq.bazar
311	eefhikejhhiq.bazar
331	dcfgkkdhhgkq.bazar
51	adeiilaigiir.bazar
100	dcehjkdhghjq.bazar
169	affhjlakhhjr.bazar
182	dffgikdkhgiq.bazar
309	eefhikejhhiq.bazar
60	bcehilbhghir.bazar
113	dcgijldhiijr.bazar
157	cehhilcjjhir.bazar
340	affgkmakhgks.bazar
337	dcfgkkdhhgkq.bazar
178	dffgikdkhgiq.bazar
187	cfeiklckgikr.bazar
237	bcegjlbhggjr.bazar
261	aceijlahgijr.bazar
280	bdghjmbiihjs.bazar
291	bfehkmbkghks.bazar
324	afeijkakgijq.bazar
76	cceijkchgijq.bazar
318	adeiikaigiiq.bazar
320	adeiikaigiiq.bazar
41	ddfgikdihgiq.bazar
54	adeiilaigiir.bazar
87	beegikbjggiq.bazar
222	defgkldjhgkr.bazar
223	defgkldjhgkr.bazar
31	ddfijmdihijs.bazar
47	bdeiimbigiis.bazar
67	ceghjkcjihjq.bazar
175	achgklahjgkr.bazar
277	bdghjmbiihjs.bazar
38	ddfgikdihgiq.bazar
94	dcfhjkdhhhjq.bazar
148	ceegjlcjggjr.bazar
202	ceggjkcjigjq.bazar
262	aceijlahgijr.bazar
24	acehikahghiq.bazar
162	affhjlakhhjr.bazar
165	affhjlakhhjr.bazar
172	achgklahjgkr.bazar
201	bfggjlbkigjr.bazar
319	adeiikaigiiq.bazar
336	dcfgkkdhhgkq.bazar
77	cceijkchgijq.bazar
213	befhjkbjhhjq.bazar
265	aceijlahgijr.bazar
333	dcfgkkdhhgkq.bazar
18	acehikahghiq.bazar
101	dcehjkdhghjq.bazar
123	acghklahihkr.bazar
174	achgklahjgkr.bazar
347	dcfhjmdhhhjs.bazar
146	ceegjlcjggjr.bazar
225	defgkldjhgkr.bazar
312	eefhikejhhiq.bazar

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	192.71.245.208
Destination IP	94.16.114.254
Destination IP	51.254.25.115
Destination IP	51.254.25.115
Destination IP	151.80.222.79
Destination IP	193.183.98.66
Destination IP	151.80.222.79
Destination IP	192.71.245.208
Destination IP	195.10.195.195
Destination IP	151.80.222.79
Destination IP	94.16.114.254
Destination IP	94.16.114.254
Destination IP	151.80.222.79
Destination IP	192.71.245.208
Destination IP	193.183.98.66
Destination IP	195.10.195.195
Destination IP	192.71.245.208
Destination IP	195.10.195.195
Destination IP	94.16.114.254
Destination IP	193.183.98.66
Destination IP	95.174.65.241
Destination IP	176.126.70.119
Destination IP	95.174.65.241
Destination IP	51.254.25.115
Destination IP	195.10.195.195
Destination IP	192.71.245.208
Destination IP	195.10.195.195
Destination IP	193.183.98.66
Destination IP	51.254.25.115
Destination IP	192.71.245.208
Destination IP	94.16.114.254
Destination IP	192.71.245.208
Destination IP	51.254.25.115
Destination IP	151.80.222.79
Destination IP	95.174.65.241
Destination IP	94.16.114.254
Destination IP	95.174.65.241
Destination IP	193.183.98.66
Destination IP	195.10.195.195
Destination IP	176.126.70.119
Destination IP	151.80.222.79
Destination IP	192.71.245.208
Destination IP	151.80.222.79
Destination IP	151.80.222.79
Destination IP	195.10.195.195
Destination IP	51.254.25.115
Destination IP	94.16.114.254
Destination IP	176.126.70.119
Destination IP	95.174.65.241
Destination IP	193.183.98.66
Destination IP	195.10.195.195
Destination IP	176.126.70.119
Destination IP	193.183.98.66
Destination IP	176.126.70.119
Destination IP	192.71.245.208
Destination IP	195.10.195.195
Destination IP	94.16.114.254
Destination IP	94.16.114.254
Destination IP	192.71.245.208
Destination IP	195.10.195.195
Destination IP	95.174.65.241
Destination IP	193.183.98.66
Destination IP	176.126.70.119
Destination IP	192.71.245.208

C:\Users\Admin\AppData\Local\Temp\1acd4fde5b0ef693deaee1584c0373ba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1acd4fde5b0ef693deaee1584c0373ba_JaffaCakes118.exe"
1⤵
PID:2320

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabE256.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEE79.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2320-4-0x0000000180000000-0x000000018003F000-memory.dmp

Filesize
252KB

Download
memory/2320-0-0x0000000001D80000-0x0000000001DBC000-memory.dmp

Filesize
240KB

Download
memory/2320-9-0x0000000000320000-0x000000000035A000-memory.dmp

Filesize
232KB

Download