bazarloader | a3064bed5b34056187313decc580ff2bcb22724202f8add0d0e836ed7cfd91ac

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eaad7777d588deef9db962f2863f8b9b_JaffaCakes118.exe
Size

393KB
MD5

eaad7777d588deef9db962f2863f8b9b
SHA1

3609ee852faacc43b5ed92f722405c7421e6ceac
SHA256

a3064bed5b34056187313decc580ff2bcb22724202f8add0d0e836ed7cfd91ac
SHA512

06bf19aa087998c4cbb4ceaad5cff8fead8e9cec36dd046bd78a7b8530030aafa88f23dd2eae72391adfc75027691b348e7932a3829cd49c9f98a49531902ead
SSDEEP

6144:m9MgMUl3ABcePxL2HH30NMOLLfvSmgpJUXiuDVl0fEyFBEilIsdrFrY:QMgTfePMX0mOHf5zDvWIGFrY

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 3 IoCs

resource	yara_rule
behavioral1/memory/588-4-0x0000000180000000-0x000000018003F000-memory.dmp	BazarLoaderVar4
behavioral1/memory/588-9-0x0000000001C30000-0x0000000001C6A000-memory.dmp	BazarLoaderVar4
behavioral1/memory/588-0-0x0000000001C70000-0x0000000001CAC000-memory.dmp	BazarLoaderVar4

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

flow	ioc
64	ccggjkcfigjq.bazar
227	dfegikdiggiq.bazar
280	bfghjlbiihjr.bazar
202	bffijkbihijq.bazar
234	dfegikdiggiq.bazar
240	dcghildfihir.bazar
136	ccfhikcfhhiq.bazar
315	dchiildfjiir.bazar
20	ecfhilefhhir.bazar
23	ecfhilefhhir.bazar
54	bdggikbgigiq.bazar
102	eeggjlehigjr.bazar
119	dceijldfgijr.bazar
135	ccfhikcfhhiq.bazar
316	dchiildfjiir.bazar
61	ccggjkcfigjq.bazar
66	ccggjkcfigjq.bazar
39	cdfgjkcghgjq.bazar
95	aegiikahiiiq.bazar
107	cfghikciihiq.bazar
148	cefhilchhhir.bazar
289	bcehjkbfghjq.bazar
173	ccegjlcfggjr.bazar
249	defgjldhhgjr.bazar
24	ecfhilefhhir.bazar
32	dcfgjmdfhgjs.bazar
45	cfehklcighkr.bazar
53	bdggikbgigiq.bazar
57	bdggikbgigiq.bazar
68	ddgiimdgiiis.bazar
287	bcehjkbfghjq.bazar
312	beggjlbhigjr.bazar
237	dcghildfihir.bazar
19	ecfhilefhhir.bazar
27	dcfgjmdfhgjs.bazar
29	dcfgjmdfhgjs.bazar
199	bffijkbihijq.bazar
224	adgiilagiiir.bazar
232	dfegikdiggiq.bazar
114	cfghikciihiq.bazar
201	bffijkbihijq.bazar
35	cdfgjkcghgjq.bazar
208	aefgjlahhgjr.bazar
265	cefijlchhijr.bazar
295	bcegkkbfggkq.bazar
78	adghjkagihjq.bazar
33	dcfgjmdfhgjs.bazar
74	ddgiimdgiiis.bazar
89	ccggjlcfigjr.bazar
153	cefhilchhhir.bazar
166	adfhjlaghhjr.bazar
211	afggjlaiigjr.bazar
37	cdfgjkcghgjq.bazar
88	ccggjlcfigjr.bazar
99	eeggjlehigjr.bazar
218	afggjlaiigjr.bazar
266	cefijlchhijr.bazar
267	bcggilbfigir.bazar
38	cdfgjkcghgjq.bazar
139	ccgiikcfiiiq.bazar
167	adfhjlaghhjr.bazar
209	aefgjlahhgjr.bazar
225	adgiilagiiir.bazar
277	bfghjlbiihjr.bazar

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	193.183.98.66
Destination IP	94.16.114.254
Destination IP	51.254.25.115
Destination IP	151.80.222.79
Destination IP	51.254.25.115
Destination IP	192.71.245.208
Destination IP	195.10.195.195
Destination IP	151.80.222.79
Destination IP	195.10.195.195
Destination IP	176.126.70.119
Destination IP	195.10.195.195
Destination IP	151.80.222.79
Destination IP	51.254.25.115
Destination IP	192.71.245.208
Destination IP	192.71.245.208
Destination IP	95.174.65.241
Destination IP	94.16.114.254
Destination IP	94.16.114.254
Destination IP	176.126.70.119
Destination IP	151.80.222.79
Destination IP	192.71.245.208
Destination IP	94.16.114.254
Destination IP	193.183.98.66
Destination IP	193.183.98.66
Destination IP	51.254.25.115
Destination IP	195.10.195.195
Destination IP	192.71.245.208
Destination IP	94.16.114.254
Destination IP	192.71.245.208
Destination IP	192.71.245.208
Destination IP	151.80.222.79
Destination IP	95.174.65.241
Destination IP	51.254.25.115
Destination IP	94.16.114.254
Destination IP	176.126.70.119
Destination IP	192.71.245.208
Destination IP	192.71.245.208
Destination IP	151.80.222.79
Destination IP	195.10.195.195
Destination IP	176.126.70.119
Destination IP	192.71.245.208
Destination IP	95.174.65.241
Destination IP	176.126.70.119
Destination IP	151.80.222.79
Destination IP	51.254.25.115
Destination IP	95.174.65.241
Destination IP	193.183.98.66
Destination IP	151.80.222.79
Destination IP	94.16.114.254
Destination IP	192.71.245.208
Destination IP	94.16.114.254
Destination IP	192.71.245.208
Destination IP	176.126.70.119
Destination IP	195.10.195.195
Destination IP	51.254.25.115
Destination IP	193.183.98.66
Destination IP	192.71.245.208
Destination IP	95.174.65.241
Destination IP	176.126.70.119
Destination IP	94.16.114.254
Destination IP	95.174.65.241
Destination IP	151.80.222.79
Destination IP	176.126.70.119
Destination IP	195.10.195.195

C:\Users\Admin\AppData\Local\Temp\eaad7777d588deef9db962f2863f8b9b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eaad7777d588deef9db962f2863f8b9b_JaffaCakes118.exe"
1⤵
PID:588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/588-4-0x0000000180000000-0x000000018003F000-memory.dmp

Filesize
252KB

Download
memory/588-9-0x0000000001C30000-0x0000000001C6A000-memory.dmp

Filesize
232KB

Download
memory/588-0-0x0000000001C70000-0x0000000001CAC000-memory.dmp

Filesize
240KB

Download