Analysis
- max time kernel: 131s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-09-2024 17:56
Behavioral task: behavioral1
- Sample: e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe
- Size: 1.0MB
- MD5: e764ff97ce442c538da37acf6b3b9350
- SHA1: e5eecbc26df01d760907b77dcb90b1f0b98bffa3
- SHA256: 0ea9cf0bd883474ef6ba82826db6dfc1b98c79a98f98a30af410daae7b99ed25
- SHA512: 97037bafa297c13ee9e3e13614debb0d9f8841a0fab7dfa9f6ccf77c52aa747261662b6a286ebce441baa908081e2fa151b81215de42687f7241c1724bbb3a00
- SSDEEP: 3072:8sOv8fESTARqUUCFt9/Ns8QDCaExTV1NTTLQETTaEykC3/hC3/:ZOvk/E1TQmB6
Malware Config
- Extracted family: bazarloader (C2 addresses and .bazar domains extracted from the sample follow)
Signatures

- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.

- Bazar/Team9 Loader payload (1 IoC)
  Processes:
  - resource: C:\Users\Admin\AppData\Local\Temp\RB876B2.exe, yara_rule: BazarLoaderVar1

- Executes dropped EXE (2 IoCs)
  Processes:
  - PID 2168: RB876B2.exe
  - PID 3120: RB876B2.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - RB876B2.exe: Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\JV8RIBQJJ1N = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v VRJHXN66 /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RB876B2.exe\\\" PI12U\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\RB876B2.exe\" PI12U"

- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 6 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  Processes:
  - PID 2824: cmd.exe
  - PID 3264: PING.EXE
  - PID 1884: cmd.exe
  - PID 4076: PING.EXE
  - PID 2924: cmd.exe
  - PID 4340: PING.EXE

- Runs ping.exe (1 TTP, 3 IoCs)
  Processes:
  - PID 3264: PING.EXE
  - PID 4076: PING.EXE
  - PID 4340: PING.EXE

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  - PID 4516: e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe
  - PID 4516: e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe

- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (source PID / source process -> target PID / target process):
  - PID 4516 e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe wrote to memory of 2824 cmd.exe
  - PID 4516 e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe wrote to memory of 2824 cmd.exe
  - PID 2824 cmd.exe wrote to memory of 3264 PING.EXE
  - PID 2824 cmd.exe wrote to memory of 3264 PING.EXE
  - PID 2824 cmd.exe wrote to memory of 2744 e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe
  - PID 2824 cmd.exe wrote to memory of 2744 e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe
  - PID 2744 e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe wrote to memory of 1884 cmd.exe
  - PID 2744 e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe wrote to memory of 1884 cmd.exe
  - PID 1884 cmd.exe wrote to memory of 4076 PING.EXE
  - PID 1884 cmd.exe wrote to memory of 4076 PING.EXE
  - PID 1884 cmd.exe wrote to memory of 2168 RB876B2.exe
  - PID 1884 cmd.exe wrote to memory of 2168 RB876B2.exe
  - PID 2168 RB876B2.exe wrote to memory of 2924 cmd.exe
  - PID 2168 RB876B2.exe wrote to memory of 2924 cmd.exe
  - PID 2924 cmd.exe wrote to memory of 4340 PING.EXE
  - PID 2924 cmd.exe wrote to memory of 4340 PING.EXE
  - PID 2924 cmd.exe wrote to memory of 3120 RB876B2.exe
  - PID 2924 cmd.exe wrote to memory of 3120 RB876B2.exe
Processes (process tree; each entry gives image path, command line, PID and the signatures that fired for it)

- C:\Users\Admin\AppData\Local\Temp\e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe"
  PID: 4516
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe Z9WF7BB
    PID: 2824
    Signatures: System Network Configuration Discovery: Internet Connection Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE
      Command line: ping 8.8.8.8 -n 2
      PID: 3264
      Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe Z9WF7BB
      PID: 2744
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SYSTEM32\cmd.exe
        Command line: cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\RB876B2.exe S38V79
        PID: 1884
        Signatures: System Network Configuration Discovery: Internet Connection Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\system32\PING.EXE
          Command line: ping 8.8.8.8 -n 2
          PID: 4076
          Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
        - C:\Users\Admin\AppData\Local\Temp\RB876B2.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\RB876B2.exe S38V79
          PID: 2168
          Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
          - C:\Windows\SYSTEM32\cmd.exe
            Command line: cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\RB876B2.exe PI12U
            PID: 2924
            Signatures: System Network Configuration Discovery: Internet Connection Discovery; Suspicious use of WriteProcessMemory
            - C:\Windows\system32\PING.EXE
              Command line: ping 8.8.8.8 -n 2
              PID: 4340
              Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
            - C:\Users\Admin\AppData\Local\Temp\RB876B2.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\RB876B2.exe PI12U
              PID: 3120
              Signatures: Executes dropped EXE
Network

MITRE ATT&CK Enterprise v15