Overview

overview

10

Static

static

5

7927418bca...18.exe

windows7-x64

10

7927418bca...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-10-2024 10:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe

  • Size

    657KB

  • MD5

    7927418bcafbad559d3f8c797ed92f3d

  • SHA1

    da32eb5e9388db9c14bf1e4dcc4fb3dd01b4465b

  • SHA256

    f73e7197dfe5928ba7c7d153c5daf947e559dec9f54d40d278d5ac728d46f360

  • SHA512

    3476344e363bc7aadd5676e4778ac2b433348dcebee500825eb2ac8dd558fd0448ce1c7e4b43ec3421564317da6def527e38087a286117b1a9a26d4cfc297dd6

  • SSDEEP

    12288:Hch76VXueiN6FcTElGm4ttxI+9Zumsvlpu0UvaGAlOBzZ1zssdwmeTvYy9Ue87vv:8t1f3o9G6+WTzZwAlOBzZ5dwmeTvYgUH

Score
10/10
bazaloaderdiscoverypersistencetrojanupx

Malware Config

Signatures

  • Bazaloader family
    bazaloader
  • Detects BazaLoader malware 15 IoCs

    BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests - JaffaCakes118.

    trojan
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 24 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 40 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3556
    • C:\windows\system\svchost.exe
      "C:\windows\system\svchost.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4492
      • C:\Windows\System\rundll32.exe
        "C:\Windows\System\rundll32.exe" mIRC
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3264

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System\mirc.ini
    Filesize

    2KB

    MD5

    b42233a40613a395aea88954bfc231f4

    SHA1

    46f40abfebc6864a077af95c7cc3dd8b732eb739

    SHA256

    8cbaf5ca727fa328e027409c34f826f4bb7c1dc759593ca1b6d6c8277282b639

    SHA512

    63c30a4d4a1f5ad862954ba44c87b4e875ee3a79c15036c1ef75134e90fa205e45ba2f124c3d174c3b9964275ac1db1c66aa6acf02a636a628a07eb76a68455e

    Download Submit

  • C:\Windows\System\mirc.ini
    Filesize

    2KB

    MD5

    820bd72514ac09434a0f3826785766c9

    SHA1

    bb15d0f065dce59bdaa03d3f6c657a666701e7d1

    SHA256

    23181558061bf739ff8f8052d806d2c0d2230a672c965f6845f18cbc16fdfd05

    SHA512

    3dcaf609c6f7fbfcc46d2496e6758834c4899e1df93fe3cc08daff27c8bb419fc8af7f271c5f02d72d3c59cf077f1616f07198fc5fb8e15f23c39e3ae2cc8d74

    Download Submit

  • C:\Windows\System\mirc.ini
    Filesize

    2KB

    MD5

    33dd12929f1844669547f138ffdb7ff7

    SHA1

    a2dc17576e815b62ac519f8d43163240e2f9ae4c

    SHA256

    f7966534009cc4b9e9d2b757ff77f333ccd0a1adbd49f8f35831a90b49d2b72f

    SHA512

    3ded7f1bf5bc4483b31bc56dc77f88bb2546c7bce448bb2e62a4d603cfc265678f721816acd82ba2c6c570075c73ca0cf3a5afa76f073fcbedb43a441e8bc80d

    Download Submit

  • C:\Windows\System\mirc.ini
    Filesize

    2KB

    MD5

    fc49db1b0fabebef68ff62f04535200f

    SHA1

    a00f71f4fdfa577525cbdc75a8d7fce15cab762a

    SHA256

    d87b06b11e30ba4100e7eaf00a76acf7264780d1c5e058b03f5379a433e6045c

    SHA512

    f284632e515c0af841b9c02456d873f19a57d800fe199db1ccf5fc06791295ed4832783435bfdf730da0aad692b25cc5e6e38813f4ddba7e4cb315f2daf56bf2

    Download Submit

  • C:\Windows\System\mirc.ini
    Filesize

    2KB

    MD5

    4c2540552ca2bfe19146a2ee99bfc22d

    SHA1

    36b6a454f9059730a0dadc36996bc4ab2d2f7d5e

    SHA256

    bcf3524b91cb972cb299bf79a89206dab0760423eeceb00d04634f12356086f0

    SHA512

    0502e24b31ada2846c6fa98d676410aa49deda4a0166a69cacdeff8ddd391c734db0065ad9771571d7725676ea95ad3b4eda76ef9220794ce4676fcb3a548786

    Download Submit

  • C:\Windows\System\mirc.ini
    Filesize

    2KB

    MD5

    655e0684515464ef4eb7939e75aa5342

    SHA1

    6a3b84cd8b0880a7bc6a3a0dc05eca9b16135a00

    SHA256

    e019635ba0b3da9d3f4bf9963684fcfcad71caff6125cd3d12b4572b8abc874b

    SHA512

    788aa964bcacac4cd3fe80e9a294acc0a189a8421c9a1d7736f7eac96f6fed79ee0bf2e12e374464aabedf44433a3308957a2054bbdec51c52b80f72949df1d2

    Download Submit

  • C:\Windows\System\mirc.ini
    Filesize

    2KB

    MD5

    06b0db7349af2ed6667f0a84d2671d19

    SHA1

    470c5d74780c1a0364618ec0130538c13cec34b4

    SHA256

    f9cce3e9f927849a0932100c24099b039a0fa2b73f9dff22d250a2fed62f4391

    SHA512

    41153966ad85dfcd446f914700073576d8992b90f9f86bdf91084087cd06da9d707ecc1ea2c7ea238f04a720d0a5f7b84f1b3a3b4453c79e5fe279c9b6f56f04

    Download Submit

  • C:\Windows\System\mirc.ini
    Filesize

    2KB

    MD5

    871e39ab626016d18014e8edc4c475dd

    SHA1

    d98a0551a719720a64f2ca17a897f072fe8c27d0

    SHA256

    3b5cf294038dcc3ec528e395c17f95d73e4ebec9b96503861dfdc9e2788ddcb3

    SHA512

    38c474423f81eceb60c442bf774c0ef4af5e9b11aca5d693b8b506f4c203537e3fa3713e2728a4b3062200a98bfec9abaa24e7667c9c651d4b01feb82659d781

    Download Submit

  • C:\Windows\System\rundll32.exe
    Filesize

    22KB

    MD5

    ad335b0089e0237487b54ccd56a0c889

    SHA1

    e73ea38359a3634b470808f5b71703d38c596337

    SHA256

    97fc1f5adb202b78bf10a6989209a99691b475e37d8e7cada20341cce7a2802b

    SHA512

    7615b8d70bac4f5af6b9034154ecbe71f4b103418e044e104278ed33fba47a64457938de332cacefda5b69060c569ad4315887a786f36592800551bffaefd75c

    Download Submit

  • C:\Windows\System\svchost.exe
    Filesize

    496KB

    MD5

    dd6dab5797b43d121af479e22ca82f23

    SHA1

    c8a1272a3ab60958ce8635a7bdd9757ec729961f

    SHA256

    eb7ef5cce7f820fa1b7f64abe70f61f4367e462a9aaed28f166f89456e6ac75e

    SHA512

    058c69b8fb33e34700b9d72aff1898cc66c7062e76d37048a073b61f76e6019ef31895f34bf4cdd20d347f4e419b34e01f845df78f006fb9ea5105c2d790c3ca

    Download Submit

  • \??\c:\windows\system\id.exe
    Filesize

    1KB

    MD5

    4b9a3a5c2cd007d4cbb624c1fc75c0d3

    SHA1

    144e882065ddb3fcf6baa2797a93922e9925236d

    SHA256

    dc7c04cb3f32b138b7dce376de40327578f13a638683a8ab7db461ae298accd0

    SHA512

    27cea94048617ae1bc2c92bd66788e9a20d1c27bb47d6e45929e0eaedab8bcef4144a4397d4bf9de27367c509232f3a3f837d4aef54a993c11853bad54af2afd

    Download Submit

  • \??\c:\windows\system\mirc.ini
    Filesize

    2KB

    MD5

    08f3072bc15db831e83dc11fbe7fd10b

    SHA1

    f3d7047d59cfbc4b335ef49b96fe37e9ba02fe9c

    SHA256

    f7b4088b2c29f53c1b05b4559abf3f6919fcae0daec990e3746f90b0f4ce2be2

    SHA512

    b920676f6f09d28116e6b7732c5293b02b0e9c61d02186a124b9b2ae80516dee23d304802756d36ce88d700a86cd15337aa766251bebeb8070d1aeac82dad20b

    Download Submit

  • \??\c:\windows\system\reg.dll
    Filesize

    84KB

    MD5

    8650e5a54f7df9d47b7fa8c5236eccba

    SHA1

    7493e00f932b39edd35fccb25a75b4b41e2f5009

    SHA256

    4a4532f7b9cff5115fafa2489286b12a0e98850edf56d62daea85bb1d3f604e5

    SHA512

    2e5f7178cc1f1ef3f35ae5c05cd5bcce9b390fe7b72f001606398133ef5e10ddac32aa7050086f3eb117e03a30c637fb5064e4f8b7dc467f9dbe1eaa289a8046

    Download Submit

  • \??\c:\windows\system\remote.ini
    Filesize

    190B

    MD5

    06535661fe48aa27f6619e8ba78fa364

    SHA1

    a9e6ba26d19601f3b1d0a47df9f0ce00ec9936aa

    SHA256

    fd89ad1e5345504bc9fcd08389f070a61c9fdeae04540b7f5c36718451992765

    SHA512

    2be20cf4ae2bd71d477678a99461c56df0bbe7f6d82a9656afedf3d3c1e13383f28e4bd982cf1af3f6c2bcfdde78006aaa71e9842fc4c4803ad00b9b749b900e

    Download Submit

  • \??\c:\windows\system\rundll.exe
    Filesize

    64B

    MD5

    06369cdd770a6599496b8b2b2c29d3e3

    SHA1

    ada913d8fd4c1a23375d566c2eb13b77bb24265a

    SHA256

    7f49f1cee8d86ff033e9755abfa73929005845210acc4ef538eab115806c348f

    SHA512

    20aa41b881edc7fde532b93a1b246dacc73a50710cab4e340cea97b74abd83e2af4c0da948ab15d23dddc1c1ace54f468e081fd8dc66c845955ab36523919faf

    Download Submit

  • \??\c:\windows\system\vir.exe
    Filesize

    14KB

    MD5

    b1707b5489b2f9f4b75a74ab1f34c1f0

    SHA1

    bdec94f058facf6532afb71324ac560e9f79a26f

    SHA256

    6ed9bbe27339b249a87d686716d495305ac827aadf114c39608cbc7289753d93

    SHA512

    994e1a6caf6a668ff05f581bf967e83bb968b3bf227c5ac85b228764f94c912f8e8a6900f32270ffb2d743b42cc0e5b40ca5febd41929688213ed64ae43592c9

    Download Submit

  • \??\c:\windows\system\win.com
    Filesize

    602B

    MD5

    b87aaa83fb7ed7fa6ed3435cd1e6caaf

    SHA1

    5f57e3490072dc6b832195ad4be78e1e8e5f6f00

    SHA256

    a3acda35804662e8bf45cd444be3a77e9067d33deb65c8cdbd9742b7e782de70

    SHA512

    2d425ddf896d978291d5fe55bc63213305eddfff9e9d5bf6060285dbb8c8adc830b24ac34b5a0bec69309f8ff95da8b99dbe0789b3a7c939e1cc573899845ac9

    Download Submit

  • \??\c:\windows\system\win.exe
    Filesize

    10KB

    MD5

    bf7b0d04c032ae098d5eb00c688702ed

    SHA1

    004df1d8fbcb1f13fe5eb74985faa9c5a4847a5b

    SHA256

    5ae44a7110343dc6c059efd30585003dc32a2882bdd9f3993319e1049956bce6

    SHA512

    999f392928130f628bc4cdcf800164f2c5823bda983cd11a9fafd8baace7f486e16f93082707b74a74ce5ece6ed5ae1dd46bf2f6041238267e5e09f5cc349166

    Download Submit

  • memory/3264-129-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3264-153-0x00000000001F0000-0x00000000001F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3264-155-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3556-158-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3556-0-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4492-200-0x0000000000400000-0x0000000000588000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4492-233-0x0000000000400000-0x0000000000588000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4492-195-0x00000000048D0000-0x00000000048D2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4492-196-0x0000000000400000-0x0000000000588000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4492-197-0x0000000010000000-0x0000000010041000-memory.dmp

    Filesize

    260KB

    Download

  • memory/4492-198-0x0000000000400000-0x0000000000588000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4492-130-0x00000000048D0000-0x00000000048D2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4492-202-0x0000000000400000-0x0000000000588000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4492-204-0x0000000000400000-0x0000000000588000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4492-131-0x0000000010000000-0x0000000010041000-memory.dmp

    Filesize

    260KB

    Download

  • memory/4492-231-0x0000000000400000-0x0000000000588000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4492-194-0x00000000013C0000-0x00000000013C2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4492-235-0x0000000000400000-0x0000000000588000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4492-236-0x0000000000400000-0x0000000000588000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4492-238-0x0000000000400000-0x0000000000588000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4492-240-0x0000000000400000-0x0000000000588000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4492-32-0x00000000013C0000-0x00000000013C2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4492-31-0x0000000000400000-0x0000000000588000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4492-297-0x0000000000400000-0x0000000000588000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4492-299-0x0000000000400000-0x0000000000588000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4492-301-0x0000000000400000-0x0000000000588000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4492-303-0x0000000000400000-0x0000000000588000-memory.dmp

    Filesize

    1.5MB

    Download