bazarloader | acc5957c07d8d302762f4d3e4d8e602787f6be66a9ce97e3154741bd982ec004

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 16:50

Target

c939adb5ef55b0cda2bb5f2222ca6874_JaffaCakes118.exe
Size

375KB
MD5

c939adb5ef55b0cda2bb5f2222ca6874
SHA1

b7b79b059f08b8c57ba3f3c67c66a71537fcddee
SHA256

acc5957c07d8d302762f4d3e4d8e602787f6be66a9ce97e3154741bd982ec004
SHA512

8fe7fa1f223f9a20b6448ae2868cfcb9a7734ec84fb86cb71da568b33001a159a7ecbdfd07b7ce014aea046d015c18620c86e97017a581c905b3fd1628f859b7
SSDEEP

6144:dGwakA0JZlZ5gKO8Wqboa5C5ySd0UlcnjD+XflOXzkBSaYDnrpBNCOChgFMp4PzD:5ajIO8WSChPij+cXz1DnrpS+FMGP3

Score

10^/10

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 3 IoCs

resource	yara_rule
behavioral1/memory/2620-5-0x0000000000230000-0x000000000026A000-memory.dmp	BazarLoaderVar4
behavioral1/memory/2620-4-0x0000000180000000-0x000000018003F000-memory.dmp	BazarLoaderVar4
behavioral1/memory/2620-0-0x0000000000270000-0x00000000002AC000-memory.dmp	BazarLoaderVar4

Tries to connect to .bazar domain 27 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Unexpected DNS network traffic destination 35 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

C:\Users\Admin\AppData\Local\Temp\c939adb5ef55b0cda2bb5f2222ca6874_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c939adb5ef55b0cda2bb5f2222ca6874_JaffaCakes118.exe"
1⤵
PID:2620

memory/2620-5-0x0000000000230000-0x000000000026A000-memory.dmp

Filesize
232KB

Download
memory/2620-4-0x0000000180000000-0x000000018003F000-memory.dmp

Filesize
252KB

Download
memory/2620-0-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download