bazarloader | 50e7cac04c4d3f31241b93bec7db97abe98b7f0190f1ac2fbaf176300a0c8041

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
31-07-2024 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7abcb63b0a632cdafa0c31a3acbec8e3_JaffaCakes118.exe
Size

427KB
MD5

7abcb63b0a632cdafa0c31a3acbec8e3
SHA1

e2478aa9e42b3d79f3bd7eae9ad7edf8b17e36b3
SHA256

50e7cac04c4d3f31241b93bec7db97abe98b7f0190f1ac2fbaf176300a0c8041
SHA512

1d8bbb6e45adc20cda90daeff2cb93731e08a6a5ed5e78f50af28c174a91f3c37fb221fca60b005a805286950068ee4357aafae9448c07fca94a226b312cac06
SSDEEP

6144:ezV2kSicmkeRnrzKKOUmyYc9LKd15qYZZCSXvpaf3f5xmoEBjzMolaiTrm/U:ez1czePOUmyYc9KpdCSBafPngC/U

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader 64 IoCs

Detected loader normally used to deploy BazarBackdoor malware.

loader dropper bazarloader

description	flow	ioc
	158	acggikahigiq.bazar
	203	defgimdjhgis.bazar
	298	bdeiimbigiis.bazar
	300	bdeiimbigiis.bazar
	21	acgijkahiijq.bazar
	59	adfiilaihiir.bazar
	68	acfhimahhhis.bazar
	168	bdeijkbigijq.bazar
	239	affikkakhikq.bazar
	290	aeeijkajgijq.bazar
	29	dcfhikdhhhiq.bazar
	84	dfghildkihir.bazar
	89	dfghildkihir.bazar
	118	befhjlbjhhjr.bazar
	220	degiildjiiir.bazar
HTTP URL	3	https://46.17.107.111/api/v202
	63	adfiilaihiir.bazar
	112	ccfgjkchhgjq.bazar
	146	aceiikahgiiq.bazar
	164	bdeijkbigijq.bazar
	91	bcehjmbhghjs.bazar
	96	bcehjmbhghjs.bazar
	120	befhjlbjhhjr.bazar
	109	ccfgjkchhgjq.bazar
	123	cdegikciggiq.bazar
	145	deehildjghir.bazar
	179	dcgijkdhiijq.bazar
	262	dceiikdhgiiq.bazar
	30	dcfhikdhhhiq.bazar
	46	bdggilbiigir.bazar
	76	bfegilbkggir.bazar
	311	dfegimdkggis.bazar
	259	dceiikdhgiiq.bazar
	33	dcfhikdhhhiq.bazar
	178	dcgijkdhiijq.bazar
	233	defgkldjhgkr.bazar
	99	adggjlaiigjr.bazar
HTTP URL	7	https://46.17.107.111/api/v202
	34	acggkkahigkq.bazar
	66	acfhimahhhis.bazar
	223	degiildjiiir.bazar
	281	acggjkahigjq.bazar
	299	bdeiimbigiis.bazar
	208	defgimdjhgis.bazar
	214	beegilbjggir.bazar
	18	acgijkahiijq.bazar
	94	bcehjmbhghjs.bazar
	193	cdggjmciigjs.bazar
	132	adggkkaiigkq.bazar
	163	bdeijkbigijq.bazar
	192	cdggjmciigjs.bazar
	229	defgkldjhgkr.bazar
	258	dceiikdhgiiq.bazar
	67	acfhimahhhis.bazar
	102	adggjlaiigjr.bazar
	104	adggjlaiigjr.bazar
	276	acggjkahigjq.bazar
	225	degiildjiiir.bazar
	61	adfiilaihiir.bazar
	144	deehildjghir.bazar
	222	degiildjiiir.bazar
	317	bffhilbkhhir.bazar
	135	adggkkaiigkq.bazar
	167	bdeijkbigijq.bazar

Bazar/Team9 Loader payload 3 IoCs

resource	yara_rule
behavioral1/memory/2312-4-0x0000000180000000-0x000000018003F000-memory.dmp	BazarLoaderVar4
behavioral1/memory/2312-0-0x0000000000360000-0x000000000039C000-memory.dmp	BazarLoaderVar4
behavioral1/memory/2312-9-0x0000000000320000-0x000000000035A000-memory.dmp	BazarLoaderVar4

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

flow	ioc
19	acgijkahiijq.bazar
20	acgijkahiijq.bazar
41	acggkkahigkq.bazar
70	acfhimahhhis.bazar
75	bfegilbkggir.bazar
289	eehhjlejjhjr.bazar
302	bdeiimbigiis.bazar
201	adehklaighkr.bazar
269	eeehilejghir.bazar
58	adfiilaihiir.bazar
71	acfhimahhhis.bazar
117	befhjlbjhhjr.bazar
122	cdegikciggiq.bazar
158	acggikahigiq.bazar
327	dcegjldhggjr.bazar
36	acggkkahigkq.bazar
46	bdggilbiigir.bazar
64	adfiilaihiir.bazar
130	adggkkaiigkq.bazar
147	aceiikahgiiq.bazar
161	acggikahigiq.bazar
186	cdggjmciigjs.bazar
256	deegkkdjggkq.bazar
318	bffhilbkhhir.bazar
73	acfhimahhhis.bazar
94	bcehjmbhghjs.bazar
105	adggjlaiigjr.bazar
152	aceiikahgiiq.bazar
225	degiildjiiir.bazar
252	deegkkdjggkq.bazar
160	acggikahigiq.bazar
251	deegkkdjggkq.bazar
267	eeehilejghir.bazar
270	eeehilejghir.bazar
283	eehhjlejjhjr.bazar
132	adggkkaiigkq.bazar
164	bdeijkbigijq.bazar
208	defgimdjhgis.bazar
231	defgkldjhgkr.bazar
84	dfghildkihir.bazar
118	befhjlbjhhjr.bazar
305	bdeiimbigiis.bazar
332	cdgiimciiiis.bazar
22	acgijkahiijq.bazar
141	deehildjghir.bazar
178	dcgijkdhiijq.bazar
213	beegilbjggir.bazar
79	bfegilbkggir.bazar
92	bcehjmbhghjs.bazar
129	cdegikciggiq.bazar
188	cdggjmciigjs.bazar
234	affikkakhikq.bazar
238	affikkakhikq.bazar
97	bcehjmbhghjs.bazar
113	ccfgjkchhgjq.bazar
175	cefgikcjhgiq.bazar
204	defgimdjhgis.bazar
292	aeeijkajgijq.bazar
28	dcfhikdhhhiq.bazar
33	dcfhikdhhhiq.bazar
247	begiklbjiikr.bazar
257	deegkkdjggkq.bazar
261	dceiikdhgiiq.bazar
77	bfegilbkggir.bazar

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	195.10.195.195
Destination IP	176.126.70.119
Destination IP	51.254.25.115
Destination IP	151.80.222.79
Destination IP	151.80.222.79
Destination IP	192.71.245.208
Destination IP	95.174.65.241
Destination IP	193.183.98.66
Destination IP	192.71.245.208
Destination IP	176.126.70.119
Destination IP	193.183.98.66
Destination IP	95.174.65.241
Destination IP	192.71.245.208
Destination IP	176.126.70.119
Destination IP	95.174.65.241
Destination IP	151.80.222.79
Destination IP	151.80.222.79
Destination IP	176.126.70.119
Destination IP	176.126.70.119
Destination IP	176.126.70.119
Destination IP	95.174.65.241
Destination IP	176.126.70.119
Destination IP	193.183.98.66
Destination IP	94.16.114.254
Destination IP	95.174.65.241
Destination IP	51.254.25.115
Destination IP	94.16.114.254
Destination IP	151.80.222.79
Destination IP	95.174.65.241
Destination IP	192.71.245.208
Destination IP	151.80.222.79
Destination IP	94.16.114.254
Destination IP	176.126.70.119
Destination IP	94.16.114.254
Destination IP	193.183.98.66
Destination IP	94.16.114.254
Destination IP	195.10.195.195
Destination IP	151.80.222.79
Destination IP	95.174.65.241
Destination IP	192.71.245.208
Destination IP	176.126.70.119
Destination IP	51.254.25.115
Destination IP	176.126.70.119
Destination IP	95.174.65.241
Destination IP	192.71.245.208
Destination IP	193.183.98.66
Destination IP	193.183.98.66
Destination IP	193.183.98.66
Destination IP	193.183.98.66
Destination IP	95.174.65.241
Destination IP	192.71.245.208
Destination IP	51.254.25.115
Destination IP	193.183.98.66
Destination IP	193.183.98.66
Destination IP	176.126.70.119
Destination IP	195.10.195.195
Destination IP	192.71.245.208
Destination IP	151.80.222.79
Destination IP	94.16.114.254
Destination IP	192.71.245.208
Destination IP	51.254.25.115
Destination IP	51.254.25.115
Destination IP	151.80.222.79
Destination IP	192.71.245.208

C:\Users\Admin\AppData\Local\Temp\7abcb63b0a632cdafa0c31a3acbec8e3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7abcb63b0a632cdafa0c31a3acbec8e3_JaffaCakes118.exe"
1⤵
PID:2312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabDC9B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE5D2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2312-4-0x0000000180000000-0x000000018003F000-memory.dmp

Filesize
252KB

Download
memory/2312-0-0x0000000000360000-0x000000000039C000-memory.dmp

Filesize
240KB

Download
memory/2312-9-0x0000000000320000-0x000000000035A000-memory.dmp

Filesize
232KB

Download