bazarloader | 0ea9cf0bd883474ef6ba82826db6dfc1b98c79a98f98a30af410daae7b99ed25

General

Target

e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe
Size

1.0MB
MD5

e764ff97ce442c538da37acf6b3b9350
SHA1

e5eecbc26df01d760907b77dcb90b1f0b98bffa3
SHA256

0ea9cf0bd883474ef6ba82826db6dfc1b98c79a98f98a30af410daae7b99ed25
SHA512

97037bafa297c13ee9e3e13614debb0d9f8841a0fab7dfa9f6ccf77c52aa747261662b6a286ebce441baa908081e2fa151b81215de42687f7241c1724bbb3a00
SSDEEP

3072:8sOv8fESTARqUUCFt9/Ns8QDCaExTV1NTTLQETTaEykC3/hC3/:ZOvk/E1TQmB6

Score

10^/10

bazarloader discovery dropper loader persistence

Malware Config

Extracted

Family

bazarloader

C2

34.221.125.90

34.209.41.233

dfegjlefggjo.bazar

bcfijmcchijp.bazar

aeghkkbeihkn.bazar

cfhgjldfjgjo.bazar

cehgkldejgko.bazar

efehilffghio.bazar

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RB876B2.exe	BazarLoaderVar1

Executes dropped EXE 2 IoCs

Processes:

RB876B2.exeRB876B2.exe

pid process

2168 RB876B2.exe
3120 RB876B2.exe

pid	process
2168	RB876B2.exe
3120	RB876B2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RB876B2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\JV8RIBQJJ1N = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v VRJHXN66 /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RB876B2.exe\\\" PI12U\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\RB876B2.exe\" PI12U"	RB876B2.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXEcmd.exePING.EXEcmd.exePING.EXE

pid process

2824 cmd.exe
3264 PING.EXE
1884 cmd.exe
4076 PING.EXE
2924 cmd.exe
4340 PING.EXE
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

3264 PING.EXE
4076 PING.EXE
4340 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe

pid process

4516 e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe
4516 e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe

pid	process
2824	cmd.exe
3264	PING.EXE
1884	cmd.exe
4076	PING.EXE
2924	cmd.exe
4340	PING.EXE

pid	process
3264	PING.EXE
4076	PING.EXE
4340	PING.EXE

pid	process
4516	e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe
4516	e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.execmd.exee764ff97ce442c538da37acf6b3b9350_JaffaCakes118.execmd.exeRB876B2.execmd.exe

description	pid	process	target process
PID 4516 wrote to memory of 2824	4516	e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe	cmd.exe
PID 4516 wrote to memory of 2824	4516	e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe	cmd.exe
PID 2824 wrote to memory of 3264	2824	cmd.exe	PING.EXE
PID 2824 wrote to memory of 3264	2824	cmd.exe	PING.EXE
PID 2824 wrote to memory of 2744	2824	cmd.exe	e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe
PID 2824 wrote to memory of 2744	2824	cmd.exe	e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe
PID 2744 wrote to memory of 1884	2744	e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe	cmd.exe
PID 2744 wrote to memory of 1884	2744	e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe	cmd.exe
PID 1884 wrote to memory of 4076	1884	cmd.exe	PING.EXE
PID 1884 wrote to memory of 4076	1884	cmd.exe	PING.EXE
PID 1884 wrote to memory of 2168	1884	cmd.exe	RB876B2.exe
PID 1884 wrote to memory of 2168	1884	cmd.exe	RB876B2.exe
PID 2168 wrote to memory of 2924	2168	RB876B2.exe	cmd.exe
PID 2168 wrote to memory of 2924	2168	RB876B2.exe	cmd.exe
PID 2924 wrote to memory of 4340	2924	cmd.exe	PING.EXE
PID 2924 wrote to memory of 4340	2924	cmd.exe	PING.EXE
PID 2924 wrote to memory of 3120	2924	cmd.exe	RB876B2.exe
PID 2924 wrote to memory of 3120	2924	cmd.exe	RB876B2.exe

C:\Users\Admin\AppData\Local\Temp\e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe Z9WF7BB
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\system32\PING.EXE
    ping 8.8.8.8 -n 2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3264
- - C:\Users\Admin\AppData\Local\Temp\e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\e764ff97ce442c538da37acf6b3b9350_JaffaCakes118.exe Z9WF7BB
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\RB876B2.exe S38V79
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:1884
    - - C:\Windows\system32\PING.EXE
        
        ping 8.8.8.8 -n 2
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4076
    - - C:\Users\Admin\AppData\Local\Temp\RB876B2.exe
        
        C:\Users\Admin\AppData\Local\Temp\RB876B2.exe S38V79
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2168
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\RB876B2.exe PI12U
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\system32\PING.EXE
        
        ping 8.8.8.8 -n 2
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\RB876B2.exe
        
        C:\Users\Admin\AppData\Local\Temp\RB876B2.exe PI12U
        7⤵
        Executes dropped EXE
        
        PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RB876B2.exe

Filesize
1.0MB

MD5
e764ff97ce442c538da37acf6b3b9350

SHA1
e5eecbc26df01d760907b77dcb90b1f0b98bffa3

SHA256
0ea9cf0bd883474ef6ba82826db6dfc1b98c79a98f98a30af410daae7b99ed25

SHA512
97037bafa297c13ee9e3e13614debb0d9f8841a0fab7dfa9f6ccf77c52aa747261662b6a286ebce441baa908081e2fa151b81215de42687f7241c1724bbb3a00

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads