bazarloader | c72dd826f8b887fa4969ebc23711826491f1fb16cbc4de67cf0d4790a1328589

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29-07-2024 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bf5a111fa8a0275000c133b187cbb4a_JaffaCakes118.exe
Size

407KB
MD5

5bf5a111fa8a0275000c133b187cbb4a
SHA1

7d66fd23316b04fa73999315f3499879a1c88c4c
SHA256

c72dd826f8b887fa4969ebc23711826491f1fb16cbc4de67cf0d4790a1328589
SHA512

c359be090cb0c3d8b02236f61d762a9011b09e64b00132321439006d6dfe21306b2e42d0e39d8f7f96f8dcd32aa89cd7bb285ea7cb01c6eeb662b026869e11b6
SSDEEP

6144:y36J/AIrknTH8nrMy63ZOZw6WAzssPKf0srIHSo5e83dawkzuAjyd0ak:O6tkTHD3Zuw6WAtyf0xrdawcuAjIe

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader 64 IoCs

Detected loader normally used to deploy BazarBackdoor malware.

loader dropper bazarloader

flow	ioc
57	ddghjkdiihjq.bazar
142	ccegikchggiq.bazar
213	acggjkahigjq.bazar
237	beghkmbjihks.bazar
241	beghkmbjihks.bazar
268	acfgilahhgir.bazar
293	ddfikmdihiks.bazar
317	bcfiikbhhiiq.bazar
323	cdghikciihiq.bazar
141	ccegikchggiq.bazar
279	ccehklchghkr.bazar
63	ddehjldighjr.bazar
89	dceiikdhgiiq.bazar
143	ccegikchggiq.bazar
187	deegjldjggjr.bazar
195	adfhikaihhiq.bazar
218	cdeiilcigiir.bazar
220	cdeiilcigiir.bazar
246	cdeiilcigiir.bazar
82	dceiikdhgiiq.bazar
199	adfhikaihhiq.bazar
207	bffhilbkhhir.bazar
296	ddfikmdihiks.bazar
299	ceehklcjghkr.bazar
46	afggilakigir.bazar
149	bdhgjkbijgjq.bazar
193	deegjldjggjr.bazar
287	ceegjkcjggjq.bazar
334	ddgijkdiiijq.bazar
145	ccegikchggiq.bazar
88	dceiikdhgiiq.bazar
24	cdfgjlcihgjr.bazar
70	bcegjlbhggjr.bazar
112	bdghjlbiihjr.bazar
138	ccegikchggiq.bazar
219	cdeiilcigiir.bazar
227	aeehjlajghjr.bazar
233	aeehjlajghjr.bazar
69	bcegjlbhggjr.bazar
129	eceikkehgikq.bazar
162	bdggikbiigiq.bazar
191	deegjldjggjr.bazar
197	adfhikaihhiq.bazar
243	cdeiilcigiir.bazar
254	aeegjkajggjq.bazar
322	cdghikciihiq.bazar
337	ddgijkdiiijq.bazar
35	affgjlakhgjr.bazar
188	deegjldjggjr.bazar
201	adfhikaihhiq.bazar
204	bffhilbkhhir.bazar
236	beghkmbjihks.bazar
301	ceehklcjghkr.bazar
304	ceehklcjghkr.bazar
87	dceiikdhgiiq.bazar
109	bdghjlbiihjr.bazar
173	bdfgjlbihgjr.bazar
265	aeggikajigiq.bazar
284	ceegjkcjggjq.bazar
311	bcggikbhigiq.bazar
321	bcfiikbhhiiq.bazar
113	bdghjlbiihjr.bazar
167	bdggikbiigiq.bazar
168	bdggikbiigiq.bazar

Bazar/Team9 Loader payload 3 IoCs

resource	yara_rule
behavioral1/memory/2296-0-0x00000000041C0000-0x00000000041FC000-memory.dmp	BazarLoaderVar4
behavioral1/memory/2296-4-0x0000000180000000-0x000000018003F000-memory.dmp	BazarLoaderVar4
behavioral1/memory/2296-9-0x0000000001DC0000-0x0000000001DFA000-memory.dmp	BazarLoaderVar4

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

flow	ioc
25	cdfgjlcihgjr.bazar
65	ddehjldighjr.bazar
93	dcfhkkdhhhkq.bazar
283	ceegjkcjggjq.bazar
295	ddfikmdihiks.bazar
45	afggilakigir.bazar
57	ddghjkdiihjq.bazar
151	bdhgjkbijgjq.bazar
244	cdeiilcigiir.bazar
95	dcfhkkdhhhkq.bazar
116	acegilahggir.bazar
133	befhimbjhhis.bazar
149	bdhgjkbijgjq.bazar
38	affgjlakhgjr.bazar
63	ddehjldighjr.bazar
75	ccfhjkchhhjq.bazar
89	dceiikdhgiiq.bazar
161	adghjkaiihjq.bazar
178	ddghjldiihjr.bazar
237	beghkmbjihks.bazar
300	ceehklcjghkr.bazar
83	dceiikdhgiiq.bazar
134	befhimbjhhis.bazar
246	cdeiilcigiir.bazar
336	ddgijkdiiijq.bazar
225	cdeiilcigiir.bazar
236	beghkmbjihks.bazar
317	bcfiikbhhiiq.bazar
43	afggilakigir.bazar
127	eceikkehgikq.bazar
168	bdggikbiigiq.bazar
245	cdeiilcigiir.bazar
207	bffhilbkhhir.bazar
240	beghkmbjihks.bazar
124	eceikkehgikq.bazar
129	eceikkehgikq.bazar
150	bdhgjkbijgjq.bazar
153	bdhgjkbijgjq.bazar
68	bcegjlbhggjr.bazar
143	ccegikchggiq.bazar
290	ddfikmdihiks.bazar
313	bcggikbhigiq.bazar
58	ddehjldighjr.bazar
72	bcegjlbhggjr.bazar
222	cdeiilcigiir.bazar
278	ccehklchghkr.bazar
196	adfhikaihhiq.bazar
285	ceegjkcjggjq.bazar
296	ddfikmdihiks.bazar
327	cdghikciihiq.bazar
60	ddehjldighjr.bazar
73	bcegjlbhggjr.bazar
99	dcggjldhigjr.bazar
111	bdghjlbiihjr.bazar
328	cdghikciihiq.bazar
238	beghkmbjihks.bazar
254	aeegjkajggjq.bazar
255	aeegjkajggjq.bazar
297	ddfikmdihiks.bazar
20	cdfgjlcihgjr.bazar
147	bdhgjkbijgjq.bazar
202	bffhilbkhhir.bazar
215	acggjkahigjq.bazar
316	bcfiikbhhiiq.bazar

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	192.71.245.208
Destination IP	195.10.195.195
Destination IP	193.183.98.66
Destination IP	51.254.25.115
Destination IP	94.16.114.254
Destination IP	151.80.222.79
Destination IP	176.126.70.119
Destination IP	95.174.65.241
Destination IP	51.254.25.115
Destination IP	151.80.222.79
Destination IP	193.183.98.66
Destination IP	176.126.70.119
Destination IP	192.71.245.208
Destination IP	192.71.245.208
Destination IP	192.71.245.208
Destination IP	195.10.195.195
Destination IP	192.71.245.208
Destination IP	151.80.222.79
Destination IP	95.174.65.241
Destination IP	95.174.65.241
Destination IP	95.174.65.241
Destination IP	176.126.70.119
Destination IP	95.174.65.241
Destination IP	176.126.70.119
Destination IP	95.174.65.241
Destination IP	95.174.65.241
Destination IP	94.16.114.254
Destination IP	94.16.114.254
Destination IP	95.174.65.241
Destination IP	193.183.98.66
Destination IP	193.183.98.66
Destination IP	151.80.222.79
Destination IP	195.10.195.195
Destination IP	94.16.114.254
Destination IP	176.126.70.119
Destination IP	192.71.245.208
Destination IP	151.80.222.79
Destination IP	51.254.25.115
Destination IP	195.10.195.195
Destination IP	151.80.222.79
Destination IP	176.126.70.119
Destination IP	193.183.98.66
Destination IP	94.16.114.254
Destination IP	51.254.25.115
Destination IP	195.10.195.195
Destination IP	95.174.65.241
Destination IP	176.126.70.119
Destination IP	151.80.222.79
Destination IP	195.10.195.195
Destination IP	151.80.222.79
Destination IP	192.71.245.208
Destination IP	193.183.98.66
Destination IP	51.254.25.115
Destination IP	195.10.195.195
Destination IP	176.126.70.119
Destination IP	95.174.65.241
Destination IP	94.16.114.254
Destination IP	151.80.222.79
Destination IP	51.254.25.115
Destination IP	95.174.65.241
Destination IP	195.10.195.195
Destination IP	195.10.195.195
Destination IP	51.254.25.115
Destination IP	192.71.245.208

C:\Users\Admin\AppData\Local\Temp\5bf5a111fa8a0275000c133b187cbb4a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5bf5a111fa8a0275000c133b187cbb4a_JaffaCakes118.exe"
1⤵
PID:2296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabB379.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBCB0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2296-0-0x00000000041C0000-0x00000000041FC000-memory.dmp

Filesize
240KB

Download
memory/2296-4-0x0000000180000000-0x000000018003F000-memory.dmp

Filesize
252KB

Download
memory/2296-9-0x0000000001DC0000-0x0000000001DFA000-memory.dmp

Filesize
232KB

Download