bazarloader | ea6e22b9a982aa171355c84fb43df42a314672c60315ee676b1289f1377968be

General

Target

c33bdeb366add979da8358ebfdfb6aa2_JaffaCakes118.exe
Size

323KB
MD5

c33bdeb366add979da8358ebfdfb6aa2
SHA1

914416480c1e7e6ecbff4fee73714358f2017ce4
SHA256

ea6e22b9a982aa171355c84fb43df42a314672c60315ee676b1289f1377968be
SHA512

b6346e2086e9581cc6e1c3298c699b6f9d99264453881c66f36f5621f94776fa42b51adc6b908e8de3c3c63874741e84b15a811266c376104213904628d10eb0
SSDEEP

6144:r4jKO3myYc9LKd15qYZZCSXvpaf3f5xmoEBjzMolaiTrm/k3:rpO3myYc9KpdCSBafPngC/k3

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader 64 IoCs

Detected loader normally used to deploy BazarBackdoor malware.

loader dropper bazarloader

Processes:

flow	ioc
149	deghjldiihjr.bazar
220	begikmbiiiks.bazar
319	ccfikkcghikq.bazar
HTTP URL	8	https://46.17.107.111/api/v202
19	dcegjldgggjr.bazar
88	deghildiihir.bazar
95	beehilbighir.bazar
100	bffhkkbjhhkq.bazar
111	dffhkmdjhhks.bazar
155	deehkkdighkq.bazar
237	ddghjldhihjr.bazar
318	ccfikkcghikq.bazar
163	ccfhikcghhiq.bazar
245	ccfhkmcghhks.bazar
145	deggimdiigis.bazar
241	ddghjldhihjr.bazar
254	edggjmehigjs.bazar
40	ceghklciihkr.bazar
79	dcfhjldghhjr.bazar
179	bcfgjlbghgjr.bazar
323	aegiilaiiiir.bazar
47	ddghildhihir.bazar
103	bffhkkbjhhkq.bazar
200	dehijldijijr.bazar
57	affgikajhgiq.bazar
62	cdgiimchiiis.bazar
113	dffhkmdjhhks.bazar
183	bcfgjlbghgjr.bazar
326	aegiilaiiiir.bazar
329	aegiilaiiiir.bazar
18	dcegjldgggjr.bazar
91	beehilbighir.bazar
130	behiilbijiir.bazar
159	deehkkdighkq.bazar
243	ccfhkmcghhks.bazar
307	ceegkmciggks.bazar
337	dfegkmdjggks.bazar
76	dcfhjldghhjr.bazar
82	deghildiihir.bazar
93	beehilbighir.bazar
247	ccfhkmcghhks.bazar
278	ddggjldhigjr.bazar
294	deghjldiihjr.bazar
299	befijlbihijr.bazar
30	deegikdiggiq.bazar
109	dffhkmdjhhks.bazar
311	ceegkmciggks.bazar
77	dcfhjldghhjr.bazar
99	bffhkkbjhhkq.bazar
135	behiilbijiir.bazar
147	deghjldiihjr.bazar
20	dcegjldgggjr.bazar
133	behiilbijiir.bazar
156	deehkkdighkq.bazar
180	bcfgjlbghgjr.bazar
196	dehijldijijr.bazar
199	dehijldijijr.bazar
213	deggkmdiigks.bazar
240	ddghjldhihjr.bazar
290	deghjldiihjr.bazar
119	adegjkahggjq.bazar
207	cdghkkchihkq.bazar
229	cefhimcihhis.bazar
260	deggildiigir.bazar

Bazar/Team9 Loader payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2904-0-0x0000000000280000-0x00000000002BC000-memory.dmp	BazarLoaderVar4
behavioral1/memory/2904-6-0x0000000000230000-0x000000000026A000-memory.dmp	BazarLoaderVar4
behavioral1/memory/2904-4-0x0000000180000000-0x000000018003F000-memory.dmp	BazarLoaderVar4

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
275	ddggjldhigjr.bazar
112	dffhkmdjhhks.bazar
123	aefiikaihiiq.bazar
201	dehijldijijr.bazar
219	begikmbiiiks.bazar
230	cefhimcihhis.bazar
253	edggjmehigjs.bazar
88	deghildiihir.bazar
103	bffhkkbjhhkq.bazar
150	deghjldiihjr.bazar
180	bcfgjlbghgjr.bazar
HTTP URL	8	https://46.17.107.111/api/v202
100	bffhkkbjhhkq.bazar
132	behiilbijiir.bazar
145	deggimdiigis.bazar
236	ddghjldhihjr.bazar
89	deghildiihir.bazar
280	ddggjldhigjr.bazar
309	ceegkmciggks.bazar
58	cdgiimchiiis.bazar
84	deghildiihir.bazar
259	deggildiigir.bazar
152	deghjldiihjr.bazar
155	deehkkdighkq.bazar
213	deggkmdiigks.bazar
247	ccfhkmcghhks.bazar
263	deggildiigir.bazar
312	ceegkmciggks.bazar
40	ceghklciihkr.bazar
161	deehkkdighkq.bazar
175	aefiilaihiir.bazar
301	befijlbihijr.bazar
306	ceegkmciggks.bazar
274	ddggjldhigjr.bazar
286	cceijkcggijq.bazar
67	ceehjmcighjs.bazar
156	deehkkdighkq.bazar
157	deehkkdighkq.bazar
159	deehkkdighkq.bazar
174	aefiilaihiir.bazar
190	dfeijldjgijr.bazar
318	ccfikkcghikq.bazar
336	dfegkmdjggks.bazar
311	ceegkmciggks.bazar
25	dcegjldgggjr.bazar
61	cdgiimchiiis.bazar
111	dffhkmdjhhks.bazar
162	ccfhikcghhiq.bazar
193	dfeijldjgijr.bazar
282	cceijkcggijq.bazar
21	dcegjldgggjr.bazar
23	dcegjldgggjr.bazar
36	ceghklciihkr.bazar
116	adegjkahggjq.bazar
158	deehkkdighkq.bazar
47	ddghildhihir.bazar
63	cdgiimchiiis.bazar
140	deggimdiigis.bazar
262	deggildiigir.bazar
289	cceijkcggijq.bazar
327	aegiilaiiiir.bazar
114	adegjkahggjq.bazar
198	dehijldijijr.bazar
225	begikmbiiiks.bazar

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	95.174.65.241
Destination IP	195.10.195.195
Destination IP	192.71.245.208
Destination IP	94.16.114.254
Destination IP	192.71.245.208
Destination IP	94.16.114.254
Destination IP	94.16.114.254
Destination IP	151.80.222.79
Destination IP	94.16.114.254
Destination IP	193.183.98.66
Destination IP	195.10.195.195
Destination IP	151.80.222.79
Destination IP	192.71.245.208
Destination IP	95.174.65.241
Destination IP	94.16.114.254
Destination IP	51.254.25.115
Destination IP	192.71.245.208
Destination IP	151.80.222.79
Destination IP	195.10.195.195
Destination IP	94.16.114.254
Destination IP	94.16.114.254
Destination IP	195.10.195.195
Destination IP	176.126.70.119
Destination IP	193.183.98.66
Destination IP	195.10.195.195
Destination IP	151.80.222.79
Destination IP	94.16.114.254
Destination IP	151.80.222.79
Destination IP	176.126.70.119
Destination IP	193.183.98.66
Destination IP	151.80.222.79
Destination IP	95.174.65.241
Destination IP	195.10.195.195
Destination IP	195.10.195.195
Destination IP	94.16.114.254
Destination IP	95.174.65.241
Destination IP	95.174.65.241
Destination IP	195.10.195.195
Destination IP	151.80.222.79
Destination IP	151.80.222.79
Destination IP	193.183.98.66
Destination IP	51.254.25.115
Destination IP	195.10.195.195
Destination IP	195.10.195.195
Destination IP	51.254.25.115
Destination IP	151.80.222.79
Destination IP	192.71.245.208
Destination IP	95.174.65.241
Destination IP	95.174.65.241
Destination IP	193.183.98.66
Destination IP	192.71.245.208
Destination IP	195.10.195.195
Destination IP	95.174.65.241
Destination IP	95.174.65.241
Destination IP	193.183.98.66
Destination IP	192.71.245.208
Destination IP	95.174.65.241
Destination IP	176.126.70.119
Destination IP	195.10.195.195
Destination IP	176.126.70.119
Destination IP	94.16.114.254
Destination IP	94.16.114.254
Destination IP	95.174.65.241
Destination IP	51.254.25.115

C:\Users\Admin\AppData\Local\Temp\c33bdeb366add979da8358ebfdfb6aa2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c33bdeb366add979da8358ebfdfb6aa2_JaffaCakes118.exe"
1⤵
PID:2904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabB186.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBAAD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2904-0-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/2904-6-0x0000000000230000-0x000000000026A000-memory.dmp

Filesize
232KB

Download
memory/2904-4-0x0000000180000000-0x000000018003F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads