Resubmissions
27-10-2024 20:10   241027-yxvfqssfjl   score 10
27-10-2024 20:09   241027-yw56vasern   score 10
12-10-2024 23:03   241012-21re2awemd   score 10

Analysis
max time kernel:   1798s
max time network:  1799s
platform:          windows11-21h2_x64
resource:          win11-20241007-en
resource tags:     arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted:         27-10-2024 20:09
Static task:       static1
Behavioral task:   behavioral1
Sample:            3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe
Resource:          win11-20241007-en
General
Target:   3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe
Size:     178KB
MD5:      3c7dc6cd19e758840ed1aa76c8571f67
SHA1:     5f7b02bd8c8854adfb132817f0edae1771bcdb72
SHA256:   1d005321c8b45f25e1d012496e4fea43544c6f02af84d28c2c348fd04724d45c
SHA512:   ee9cf414295a9dbed765a290d6b6dd061e695149670c5809619ef4d3b38f7a1fb7a7e1273d1f3613db322d68e40d7770825eb70890c878b850c5f42477d9b15b
SSDEEP:   3072:vNcsPrIDUfRgcnOzJn/hJYxqWlDDgbOsSrIf4+udEB:+Y1IJZGzlDtrIcdg
Malware Config
Signatures
BazarBackdoor (2 IoCs)
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
  IoC 1: description = Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\SystemCertificates\CA; Process = 3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe
  IoC 2: flow = 12; ioc = zirabuo.bazar; Process = Process not Found

Bazarbackdoor family
Contacts a large (5005) number of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.
Tries to connect to .bazar domain (1 IoC)
Attempts to look up or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
  flow = 12; ioc = zirabuo.bazar
Unexpected DNS network traffic destination (64 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description = Destination IP; ioc = 51.254.25.115 (the same destination IP in all 64 entries)
Creates a large number of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.
Processes
Process 1: C:\Users\Admin\AppData\Local\Temp\3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe"
  signature:    BazarBackdoor
  PID:          2460
Process 2: C:\Users\Admin\AppData\Local\Temp\3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe
  command line: C:\Users\Admin\AppData\Local\Temp\3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe {2495D0D2-591F-44DD-9FD4-2F18DC693899}
  PID:          3008