Resubmissions
27-10-2024 20:10
241027-yxvfqssfjl 1027-10-2024 20:09
241027-yw56vasern 1012-10-2024 23:03
241012-21re2awemd 10Analysis
-
max time kernel
1798s -
max time network
1799s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
27-10-2024 20:09
General
-
Target
3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe
-
Size
178KB
-
MD5
3c7dc6cd19e758840ed1aa76c8571f67
-
SHA1
5f7b02bd8c8854adfb132817f0edae1771bcdb72
-
SHA256
1d005321c8b45f25e1d012496e4fea43544c6f02af84d28c2c348fd04724d45c
-
SHA512
ee9cf414295a9dbed765a290d6b6dd061e695149670c5809619ef4d3b38f7a1fb7a7e1273d1f3613db322d68e40d7770825eb70890c878b850c5f42477d9b15b
-
SSDEEP
3072:vNcsPrIDUfRgcnOzJn/hJYxqWlDDgbOsSrIf4+udEB:+Y1IJZGzlDtrIcdg
Malware Config
Signatures
-
BazarBackdoor 2 IoCs
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
Bazarbackdoor family
-
Contacts a large (5005) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Tries to connect to .bazar domain 1 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Unexpected DNS network traffic destination 64 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe"1⤵
- BazarBackdoor
-
C:\Users\Admin\AppData\Local\Temp\3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe {2495D0D2-591F-44DD-9FD4-2F18DC693899}1⤵