Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 30-07-2024 13:52

Static task: static1

Behavioral task: behavioral1
Sample: 72772c28db7c14d1f81da1f5df502439_JaffaCakes118.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 72772c28db7c14d1f81da1f5df502439_JaffaCakes118.exe
Resource: win10v2004-20240709-en

General
Target: 72772c28db7c14d1f81da1f5df502439_JaffaCakes118.exe
Size: 375KB
MD5: 72772c28db7c14d1f81da1f5df502439
SHA1: a0e533364c7655ced5e5127e773fdc5a4f5292fe
SHA256: 1f9b80c987136f489f7ec6f86dc3c5e4da3f52b7b335d45f3812320aa8f87ed7
SHA512: 37cdbb18052b796d359d2a2046ec2a2b09f3cad78aa0b324c1dfd3a414ed2cb0ae82b9f0b341921cc1a0498f21385757538e0611908ea3cfa72f46bbeb25cecd
SSDEEP: 6144:HC1LxiVVJ5FEUgKO14SQyGH+Gjhl14YtD0MeFVszJBwmEOke:aLUVpO1rQyyftl14YtLeFiXv
Malware Config
Signatures
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

Bazar/Team9 Loader payload (3 IoCs)
resource: behavioral1/memory/2028-4-0x0000000180000000-0x000000018003F000-memory.dmp, yara_rule: BazarLoaderVar4
resource: behavioral1/memory/2028-0-0x0000000000270000-0x00000000002AC000-memory.dmp, yara_rule: BazarLoaderVar4
resource: behavioral1/memory/2028-9-0x0000000000230000-0x000000000026A000-memory.dmp, yara_rule: BazarLoaderVar4
Tries to connect to .bazar domain (22 IoCs)
Attempts to look up or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
Unexpected DNS network traffic destination (30 IoCs)
Network traffic on the DNS port to servers other than the configured DNS servers was detected.