bazarloader | 6e04778b2a2cc3bd6fc6a9f551f5b4d6db673870334ebf9fd62e5d6acd9c8c0d

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
29-07-2024 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cde0389d78f2e3ca8d2202d605f18ec_JaffaCakes118.exe
Size

323KB
MD5

2cde0389d78f2e3ca8d2202d605f18ec
SHA1

565111741da7b1a9cfebb3032ab4cd8c05388ee3
SHA256

6e04778b2a2cc3bd6fc6a9f551f5b4d6db673870334ebf9fd62e5d6acd9c8c0d
SHA512

df48fde6b0d0a9e9be4c7c809ea2f4d993c6b9d0349d8d4515838f930e305100476a70502caa0338bb2b2bbce6cf2c21dbde8dc44c3655ae6f1afdd4ac6ba463
SSDEEP

6144:cI2KOympXst+asjCpeIFieYhUnUJSbH7rU/uWje6H9vA:cqOl9sGjY7uFmrzg9vA

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader 64 IoCs

Detected loader normally used to deploy BazarBackdoor malware.

loader dropper bazarloader

description	flow	ioc
	119	ccfgjkchhgjq.bazar
	156	befgikbjhgiq.bazar
	164	bfegjkbkggjq.bazar
	194	aeeijkajgijq.bazar
	272	cehhjlcjjhjr.bazar
	307	deghjldjihjr.bazar
	337	dcfhildhhhir.bazar
	71	cdhikkcijikq.bazar
	73	cdhikkcijikq.bazar
	102	ddfgildihgir.bazar
	159	befgikbjhgiq.bazar
	207	cfeiikckgiiq.bazar
	289	bdfijmbihijs.bazar
	334	dcfhildhhhir.bazar
	41	bdegilbiggir.bazar
	172	acghjkahihjq.bazar
	181	bdfhikbihhiq.bazar
	295	cefhikcjhhiq.bazar
	62	defijkdjhijq.bazar
	74	aeggjkajigjq.bazar
	285	bdfijmbihijs.bazar
	123	dcegjkdhggjq.bazar
	171	acghjkahihjq.bazar
	232	dcggjkdhigjq.bazar
	64	defijkdjhijq.bazar
	67	cdhikkcijikq.bazar
	152	adegkkaiggkq.bazar
	230	dcggjkdhigjq.bazar
	236	cefhilcjhhir.bazar
	319	bdhgjkbijgjq.bazar
	331	dcfhildhhhir.bazar
	50	ceggjkcjigjq.bazar
	165	bfegjkbkggjq.bazar
	202	cfeiikckgiiq.bazar
	214	dcfgjkdhhgjq.bazar
	225	bfghikbkihiq.bazar
	338	cdegjlciggjr.bazar
	24	dcegkkdhggkq.bazar
	150	adegkkaiggkq.bazar
	168	bfegjkbkggjq.bazar
	254	adggilaiigir.bazar
	60	defijkdjhijq.bazar
	136	bcehklbhghkr.bazar
	182	bdfhikbihhiq.bazar
	189	afgikmakiiks.bazar
	231	dcggjkdhigjq.bazar
	324	befikkbjhikq.bazar
	20	dcegkkdhggkq.bazar
	128	dcegjkdhggjq.bazar
	133	bcehklbhghkr.bazar
	205	cfeiikckgiiq.bazar
	237	cefhilcjhhir.bazar
	288	bdfijmbihijs.bazar
HTTP URL	8	https://46.17.107.111/api/v202
	36	bdegilbiggir.bazar
	126	dcegjkdhggjq.bazar
	144	bcehikbhghiq.bazar
	162	bfegjkbkggjq.bazar
	291	cefhikcjhhiq.bazar
	306	deghjldjihjr.bazar
	35	bdegilbiggir.bazar
	81	aeggjkajigjq.bazar
	141	bcehikbhghiq.bazar
	305	cdfiikcihiiq.bazar

Bazar/Team9 Loader payload 3 IoCs

resource	yara_rule
behavioral1/memory/3064-5-0x0000000180000000-0x000000018003F000-memory.dmp	BazarLoaderVar4
behavioral1/memory/3064-0-0x0000000001F40000-0x0000000001F7C000-memory.dmp	BazarLoaderVar4
behavioral1/memory/3064-9-0x0000000001E50000-0x0000000001E8A000-memory.dmp	BazarLoaderVar4

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

description	flow	ioc
	176	acghjkahihjq.bazar
	179	bdfhikbihhiq.bazar
	244	ddhgkldijgkr.bazar
HTTP URL	8	https://46.17.107.111/api/v202
	43	cdfhilcihhir.bazar
	72	cdhikkcijikq.bazar
	96	dcfhjldhhhjr.bazar
	150	adegkkaiggkq.bazar
	325	befikkbjhikq.bazar
	92	dcfhjldhhhjr.bazar
	93	dcfhjldhhhjr.bazar
	237	cefhilcjhhir.bazar
	336	dcfhildhhhir.bazar
	203	cfeiikckgiiq.bazar
	212	dcfgjkdhhgjq.bazar
	270	cehhjlcjjhjr.bazar
	294	cefhikcjhhiq.bazar
	332	dcfhildhhhir.bazar
	129	dcegjkdhggjq.bazar
	201	aeeijkajgijq.bazar
	228	dcggjkdhigjq.bazar
	269	cehhjlcjjhjr.bazar
	320	bdhgjkbijgjq.bazar
	27	adfgjkaihgjq.bazar
	77	aeggjkajigjq.bazar
	289	bdfijmbihijs.bazar
	309	deghjldjihjr.bazar
	222	bfghikbkihiq.bazar
	313	deghjldjihjr.bazar
	323	befikkbjhikq.bazar
	328	befikkbjhikq.bazar
	207	cfeiikckgiiq.bazar
	210	dcfgjkdhhgjq.bazar
	235	cefhilcjhhir.bazar
	65	defijkdjhijq.bazar
	68	cdhikkcijikq.bazar
	99	ddfgildihgir.bazar
	137	bcehklbhghkr.bazar
	138	bcehikbhghiq.bazar
	253	adggilaiigir.bazar
	299	cdfiikcihiiq.bazar
	175	acghjkahihjq.bazar
	232	dcggjkdhigjq.bazar
	265	bdhgimbijgis.bazar
	307	deghjldjihjr.bazar
	73	cdhikkcijikq.bazar
	89	bfehikbkghiq.bazar
	145	bcehikbhghiq.bazar
	46	cdfhilcihhir.bazar
	78	aeggjkajigjq.bazar
	151	adegkkaiggkq.bazar
	330	dcfhildhhhir.bazar
	106	bdfiikbihiiq.bazar
	173	acghjkahihjq.bazar
	312	deghjldjihjr.bazar
	318	bdhgjkbijgjq.bazar
	339	cdegjlciggjr.bazar
	329	befikkbjhikq.bazar
	186	afgikmakiiks.bazar
	187	afgikmakiiks.bazar
	227	dcggjkdhigjq.bazar
	266	cehhjlcjjhjr.bazar
	286	bdfijmbihijs.bazar
	189	afgikmakiiks.bazar

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	95.174.65.241
Destination IP	151.80.222.79
Destination IP	195.10.195.195
Destination IP	95.174.65.241
Destination IP	95.174.65.241
Destination IP	195.10.195.195
Destination IP	151.80.222.79
Destination IP	192.71.245.208
Destination IP	193.183.98.66
Destination IP	95.174.65.241
Destination IP	94.16.114.254
Destination IP	51.254.25.115
Destination IP	94.16.114.254
Destination IP	176.126.70.119
Destination IP	51.254.25.115
Destination IP	195.10.195.195
Destination IP	192.71.245.208
Destination IP	95.174.65.241
Destination IP	192.71.245.208
Destination IP	151.80.222.79
Destination IP	195.10.195.195
Destination IP	176.126.70.119
Destination IP	176.126.70.119
Destination IP	51.254.25.115
Destination IP	192.71.245.208
Destination IP	51.254.25.115
Destination IP	176.126.70.119
Destination IP	195.10.195.195
Destination IP	176.126.70.119
Destination IP	151.80.222.79
Destination IP	192.71.245.208
Destination IP	151.80.222.79
Destination IP	95.174.65.241
Destination IP	94.16.114.254
Destination IP	193.183.98.66
Destination IP	192.71.245.208
Destination IP	95.174.65.241
Destination IP	192.71.245.208
Destination IP	95.174.65.241
Destination IP	192.71.245.208
Destination IP	195.10.195.195
Destination IP	193.183.98.66
Destination IP	176.126.70.119
Destination IP	193.183.98.66
Destination IP	51.254.25.115
Destination IP	94.16.114.254
Destination IP	94.16.114.254
Destination IP	176.126.70.119
Destination IP	51.254.25.115
Destination IP	176.126.70.119
Destination IP	94.16.114.254
Destination IP	176.126.70.119
Destination IP	151.80.222.79
Destination IP	94.16.114.254
Destination IP	192.71.245.208
Destination IP	51.254.25.115
Destination IP	51.254.25.115
Destination IP	95.174.65.241
Destination IP	51.254.25.115
Destination IP	176.126.70.119
Destination IP	51.254.25.115
Destination IP	193.183.98.66
Destination IP	95.174.65.241
Destination IP	195.10.195.195

C:\Users\Admin\AppData\Local\Temp\2cde0389d78f2e3ca8d2202d605f18ec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2cde0389d78f2e3ca8d2202d605f18ec_JaffaCakes118.exe"
1⤵
PID:3064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabFCE7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar15B7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/3064-5-0x0000000180000000-0x000000018003F000-memory.dmp

Filesize
252KB

Download
memory/3064-0-0x0000000001F40000-0x0000000001F7C000-memory.dmp

Filesize
240KB

Download
memory/3064-9-0x0000000001E50000-0x0000000001E8A000-memory.dmp

Filesize
232KB

Download