Analysis Overview
SHA256
3046cb75e9053a061c37009415b4b3313d605210f51bc48fe2621498264dbcd0
Threat Level: Known bad
The file c412873533f1978bb4ae8f7a1e2fc364_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Bazar Loader
Bazarloader family
Bazar/Team9 Loader payload
Unsigned PE
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-12-04 19:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-04 19:36
Reported
2024-12-04 19:39
Platform
win7-20240903-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
Bazar Loader
Bazarloader family
Bazar/Team9 Loader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c412873533f1978bb4ae8f7a1e2fc364_JaffaCakes118.dll
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\c412873533f1978bb4ae8f7a1e2fc364_JaffaCakes118.dll,StartW {95414734-EC0A-42DD-800E-4E24892692A1}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | microsoft.com | udp |
| NL | 20.76.201.171:443 | microsoft.com | tcp |
| NL | 20.76.201.171:443 | microsoft.com | tcp |
| NL | 104.248.91.231:443 | tcp | |
| NL | 104.248.91.231:443 | tcp | |
| NL | 104.248.91.231:443 | tcp | |
| NL | 104.248.91.231:443 | tcp |
Files
memory/2112-0-0x00000000001D0000-0x00000000001E4000-memory.dmp
memory/2112-1-0x00000000001D0000-0x00000000001E4000-memory.dmp
memory/2624-2-0x0000000000110000-0x0000000000124000-memory.dmp
memory/2624-3-0x0000000000110000-0x0000000000124000-memory.dmp
memory/2624-4-0x0000000000110000-0x0000000000124000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-04 19:36
Reported
2024-12-04 19:39
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Bazar Loader
Bazarloader family
Bazar/Team9 Loader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c412873533f1978bb4ae8f7a1e2fc364_JaffaCakes118.dll
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\c412873533f1978bb4ae8f7a1e2fc364_JaffaCakes118.dll,StartW {40AA4638-CF0B-43A4-975C-6027257DA3DF}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 20.112.250.133:443 | microsoft.com | tcp |
| NL | 104.248.91.231:443 | tcp | |
| NL | 104.248.91.231:443 | tcp | |
| NL | 104.248.91.231:443 | tcp | |
| US | 8.8.8.8:53 | 231.91.248.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.250.112.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:443 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 144.245.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| NL | 104.248.91.231:443 | tcp | |
| NL | 104.248.91.231:443 | tcp | |
| NL | 104.248.91.231:443 | tcp | |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| NL | 104.248.91.231:443 | tcp | |
| NL | 104.248.91.231:443 | tcp | |
| NL | 104.248.91.231:443 | tcp |
Files
memory/4152-0-0x0000000002880000-0x0000000002894000-memory.dmp
memory/4152-1-0x0000000002880000-0x0000000002894000-memory.dmp
memory/4856-2-0x000002179B5D0000-0x000002179B5E4000-memory.dmp
memory/4856-3-0x000002179B5D0000-0x000002179B5E4000-memory.dmp