bazarloader | f84743453a41f1d1f844eb322519f4d009a6ccd0548cb30233504dba70546973

Analysis

max time kernel
150s
max time network
159s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
30-07-2024 14:51

Target

757d03cfa2c8f8b0e69ad134e943196f_JaffaCakes118.exe
Size

409KB
MD5

757d03cfa2c8f8b0e69ad134e943196f
SHA1

521fe485d1b8ea57c5722cfdef740c0f734064e0
SHA256

f84743453a41f1d1f844eb322519f4d009a6ccd0548cb30233504dba70546973
SHA512

3632d3dd2d44409b5aff218c90b7b5bc7471009ef3fb0598ae5c23eb76bce8d8f64dc7f7f6b182c24809c41b3d4ba8c9a0ad796e5906d7ec18b3c2d1854f789c
SSDEEP

6144:v9+gMUl3ABcePxWVKOzzPmazk5UXfeBCQlXpZkNPP9TD2sQy3sNyiY:F+gTfeP7Omik5UCl5ZkVVDj3AJY

Score

10^/10

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2304-4-0x0000000180000000-0x000000018003F000-memory.dmp	BazarLoaderVar4
behavioral1/memory/2304-9-0x0000000000220000-0x000000000025A000-memory.dmp	BazarLoaderVar4
behavioral1/memory/2304-0-0x0000000000260000-0x000000000029C000-memory.dmp	BazarLoaderVar4

Tries to connect to .bazar domain 9 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

Unexpected DNS network traffic destination 17 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

C:\Users\Admin\AppData\Local\Temp\757d03cfa2c8f8b0e69ad134e943196f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\757d03cfa2c8f8b0e69ad134e943196f_JaffaCakes118.exe"
1⤵
PID:2304

memory/2304-4-0x0000000180000000-0x000000018003F000-memory.dmp

Filesize
252KB

Download
memory/2304-9-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/2304-0-0x0000000000260000-0x000000000029C000-memory.dmp

Filesize
240KB

Download