bazarloader | 0ea9cf0bd883474ef6ba82826db6dfc1b98c79a98f98a30af410daae7b99ed25

General

Target

e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe
Size

1.0MB
MD5

e764ff97ce442c538da37acf6b3b9350
SHA1

e5eecbc26df01d760907b77dcb90b1f0b98bffa3
SHA256

0ea9cf0bd883474ef6ba82826db6dfc1b98c79a98f98a30af410daae7b99ed25
SHA512

97037bafa297c13ee9e3e13614debb0d9f8841a0fab7dfa9f6ccf77c52aa747261662b6a286ebce441baa908081e2fa151b81215de42687f7241c1724bbb3a00
SSDEEP

3072:8sOv8fESTARqUUCFt9/Ns8QDCaExTV1NTTLQETTaEykC3/hC3/:ZOvk/E1TQmB6

Score

10^/10

bazarloader discovery dropper loader persistence

Malware Config

Extracted

Family

bazarloader

C2

34.221.125.90

34.209.41.233

dfegjlefggjo.bazar

bcfijmcchijp.bazar

aeghkkbeihkn.bazar

cfhgjldfjgjo.bazar

cehgkldejgko.bazar

efehilffghio.bazar

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\QJ9B6F0.exe	BazarLoaderVar1

Executes dropped EXE 2 IoCs

Processes:

QJ9B6F0.exeQJ9B6F0.exe

pid process

2632 QJ9B6F0.exe
400 QJ9B6F0.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.execmd.exe

pid process

2784 cmd.exe
2784 cmd.exe
2360 cmd.exe
2360 cmd.exe

pid	process
2632	QJ9B6F0.exe
400	QJ9B6F0.exe

pid	process
2784	cmd.exe
2784	cmd.exe
2360	cmd.exe
2360	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

QJ9B6F0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\EJ9FVL6BII = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v YQZW1KDZE /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\QJ9B6F0.exe\\\" TDM1\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\QJ9B6F0.exe\" TDM1"	QJ9B6F0.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXEcmd.exePING.EXEcmd.exePING.EXE

pid process

2156 cmd.exe
2724 PING.EXE
2784 cmd.exe
2900 PING.EXE
2360 cmd.exe
2664 PING.EXE
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

2724 PING.EXE
2900 PING.EXE
2664 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe

pid process

764 e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe

pid	process
2156	cmd.exe
2724	PING.EXE
2784	cmd.exe
2900	PING.EXE
2360	cmd.exe
2664	PING.EXE

pid	process
2724	PING.EXE
2900	PING.EXE
2664	PING.EXE

pid	process
764	e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.execmd.exee764ff97ce442c538da37acf6b3b9350_JaffaCakes118.execmd.exeQJ9B6F0.execmd.exe

description	pid	process	target process
PID 764 wrote to memory of 2156	764	e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe	cmd.exe
PID 764 wrote to memory of 2156	764	e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe	cmd.exe
PID 764 wrote to memory of 2156	764	e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe	cmd.exe
PID 2156 wrote to memory of 2724	2156	cmd.exe	PING.EXE
PID 2156 wrote to memory of 2724	2156	cmd.exe	PING.EXE
PID 2156 wrote to memory of 2724	2156	cmd.exe	PING.EXE
PID 2156 wrote to memory of 2892	2156	cmd.exe	e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe
PID 2156 wrote to memory of 2892	2156	cmd.exe	e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe
PID 2156 wrote to memory of 2892	2156	cmd.exe	e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe
PID 2892 wrote to memory of 2784	2892	e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe	cmd.exe
PID 2892 wrote to memory of 2784	2892	e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe	cmd.exe
PID 2892 wrote to memory of 2784	2892	e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe	cmd.exe
PID 2784 wrote to memory of 2900	2784	cmd.exe	PING.EXE
PID 2784 wrote to memory of 2900	2784	cmd.exe	PING.EXE
PID 2784 wrote to memory of 2900	2784	cmd.exe	PING.EXE
PID 2784 wrote to memory of 2632	2784	cmd.exe	QJ9B6F0.exe
PID 2784 wrote to memory of 2632	2784	cmd.exe	QJ9B6F0.exe
PID 2784 wrote to memory of 2632	2784	cmd.exe	QJ9B6F0.exe
PID 2632 wrote to memory of 2360	2632	QJ9B6F0.exe	cmd.exe
PID 2632 wrote to memory of 2360	2632	QJ9B6F0.exe	cmd.exe
PID 2632 wrote to memory of 2360	2632	QJ9B6F0.exe	cmd.exe
PID 2360 wrote to memory of 2664	2360	cmd.exe	PING.EXE
PID 2360 wrote to memory of 2664	2360	cmd.exe	PING.EXE
PID 2360 wrote to memory of 2664	2360	cmd.exe	PING.EXE
PID 2360 wrote to memory of 400	2360	cmd.exe	QJ9B6F0.exe
PID 2360 wrote to memory of 400	2360	cmd.exe	QJ9B6F0.exe
PID 2360 wrote to memory of 400	2360	cmd.exe	QJ9B6F0.exe

C:\Users\Admin\AppData\Local\Temp\e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\system32\cmd.exe
  cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe YNW0OB
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\system32\PING.EXE
    ping 8.8.8.8 -n 2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2724
- - C:\Users\Admin\AppData\Local\Temp\e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe YNW0OB
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\system32\cmd.exe
      cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\QJ9B6F0.exe G265PYV
      4⤵
      Loads dropped DLL
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\system32\PING.EXE
        
        ping 8.8.8.8 -n 2
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2900
    - - C:\Users\Admin\AppData\Local\Temp\QJ9B6F0.exe
        
        C:\Users\Admin\AppData\Local\Temp\QJ9B6F0.exe G265PYV
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2632
      - C:\Windows\system32\cmd.exe
        
        cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\QJ9B6F0.exe TDM1
        6⤵
        Loads dropped DLL
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\system32\PING.EXE
        
        ping 8.8.8.8 -n 2
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\QJ9B6F0.exe
        
        C:\Users\Admin\AppData\Local\Temp\QJ9B6F0.exe TDM1
        7⤵
        Executes dropped EXE
        
        PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\QJ9B6F0.exe

Filesize
1.0MB

MD5
e764ff97ce442c538da37acf6b3b9350

SHA1
e5eecbc26df01d760907b77dcb90b1f0b98bffa3

SHA256
0ea9cf0bd883474ef6ba82826db6dfc1b98c79a98f98a30af410daae7b99ed25

SHA512
97037bafa297c13ee9e3e13614debb0d9f8841a0fab7dfa9f6ccf77c52aa747261662b6a286ebce441baa908081e2fa151b81215de42687f7241c1724bbb3a00

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads