bazaloader | 160e446ae73cb863d4b03ae61fc19412c40ff3c54801fee7688717869c782dd1

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c46a2af1bddbb0eca275e471a8b97bd3_JaffaCakes118.exe
Size

990KB
MD5

c46a2af1bddbb0eca275e471a8b97bd3
SHA1

03503ee5df73a99678c517dcaf658b5112d50185
SHA256

160e446ae73cb863d4b03ae61fc19412c40ff3c54801fee7688717869c782dd1
SHA512

5ba6854d8f6562a6bf4cf8632109a85f8d9246a48fdf571e7f0d472c98d09350bf37e327ba3fd296da88bdc5a7ab518bee0cffb9893b2fd5c566f63e9ea25e72
SSDEEP

24576:qAOcZuXPw5FUAD5JQfBo8qzPq3XFQYcqa6lCKCz:QeF3QazPWX6Kta

Score

10^/10

bazaloader warzonerat discovery infostealer persistence rat trojan

Malware Config

Extracted

Family

warzonerat

45.162.228.171:26112

Signatures

Bazaloader family
bazaloader

Detects BazaLoader malware 3 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests - JaffaCakes118.

trojan

resource	yara_rule
behavioral1/memory/2760-64-0x0000000000370000-0x00000000008F0000-memory.dmp	BazaLoader
behavioral1/memory/2760-66-0x0000000000370000-0x00000000008F0000-memory.dmp	BazaLoader
behavioral1/memory/2760-68-0x0000000000370000-0x00000000008F0000-memory.dmp	BazaLoader

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2760-64-0x0000000000370000-0x00000000008F0000-memory.dmp	warzonerat
behavioral1/memory/2760-66-0x0000000000370000-0x00000000008F0000-memory.dmp	warzonerat
behavioral1/memory/2760-68-0x0000000000370000-0x00000000008F0000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

pid	Process
2824	qflwxm.pif
2760	RegSvcs.exe

Loads dropped DLL 5 IoCs

pid	Process
2688	c46a2af1bddbb0eca275e471a8b97bd3_JaffaCakes118.exe
2688	c46a2af1bddbb0eca275e471a8b97bd3_JaffaCakes118.exe
2688	c46a2af1bddbb0eca275e471a8b97bd3_JaffaCakes118.exe
2688	c46a2af1bddbb0eca275e471a8b97bd3_JaffaCakes118.exe
2824	qflwxm.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hl4q5gkwOzkP1N = "C:\\Users\\Admin\\AppData\\Roaming\\91305724\\qflwxm.pif C:\\Users\\Admin\\AppData\\Roaming\\91305724\\coxabch.pwt"	qflwxm.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2824 set thread context of 2760	2824	qflwxm.pif	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qflwxm.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c46a2af1bddbb0eca275e471a8b97bd3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2824	qflwxm.pif
2824	qflwxm.pif
2760	RegSvcs.exe
2824	qflwxm.pif
2824	qflwxm.pif
2760	RegSvcs.exe
2760	RegSvcs.exe
2760	RegSvcs.exe
2824	qflwxm.pif
2760	RegSvcs.exe
2760	RegSvcs.exe
2760	RegSvcs.exe
2760	RegSvcs.exe
2824	qflwxm.pif
2760	RegSvcs.exe
2760	RegSvcs.exe
2760	RegSvcs.exe
2760	RegSvcs.exe
2824	qflwxm.pif
2760	RegSvcs.exe
2760	RegSvcs.exe
2760	RegSvcs.exe
2760	RegSvcs.exe
2824	qflwxm.pif
2760	RegSvcs.exe
2760	RegSvcs.exe
2760	RegSvcs.exe
2760	RegSvcs.exe
2824	qflwxm.pif
2760	RegSvcs.exe
2760	RegSvcs.exe
2760	RegSvcs.exe
2760	RegSvcs.exe
2824	qflwxm.pif
2760	RegSvcs.exe
2760	RegSvcs.exe
2760	RegSvcs.exe
2760	RegSvcs.exe
2824	qflwxm.pif
2760	RegSvcs.exe
2760	RegSvcs.exe
2760	RegSvcs.exe
2760	RegSvcs.exe
2824	qflwxm.pif
2760	RegSvcs.exe
2760	RegSvcs.exe
2760	RegSvcs.exe
2760	RegSvcs.exe
2824	qflwxm.pif
2760	RegSvcs.exe
2760	RegSvcs.exe
2760	RegSvcs.exe
2760	RegSvcs.exe
2824	qflwxm.pif
2760	RegSvcs.exe
2760	RegSvcs.exe
2760	RegSvcs.exe
2760	RegSvcs.exe
2824	qflwxm.pif
2760	RegSvcs.exe
2760	RegSvcs.exe
2760	RegSvcs.exe
2760	RegSvcs.exe
2824	qflwxm.pif

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1212	Explorer.EXE

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2824	2688	c46a2af1bddbb0eca275e471a8b97bd3_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2824	2688	c46a2af1bddbb0eca275e471a8b97bd3_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2824	2688	c46a2af1bddbb0eca275e471a8b97bd3_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2824	2688	c46a2af1bddbb0eca275e471a8b97bd3_JaffaCakes118.exe	31
PID 2824 wrote to memory of 2656	2824	qflwxm.pif	32
PID 2824 wrote to memory of 2656	2824	qflwxm.pif	32
PID 2824 wrote to memory of 2656	2824	qflwxm.pif	32
PID 2824 wrote to memory of 2656	2824	qflwxm.pif	32
PID 2824 wrote to memory of 2308	2824	qflwxm.pif	33
PID 2824 wrote to memory of 2308	2824	qflwxm.pif	33
PID 2824 wrote to memory of 2308	2824	qflwxm.pif	33
PID 2824 wrote to memory of 2308	2824	qflwxm.pif	33
PID 2824 wrote to memory of 908	2824	qflwxm.pif	34
PID 2824 wrote to memory of 908	2824	qflwxm.pif	34
PID 2824 wrote to memory of 908	2824	qflwxm.pif	34
PID 2824 wrote to memory of 908	2824	qflwxm.pif	34
PID 2824 wrote to memory of 2388	2824	qflwxm.pif	35
PID 2824 wrote to memory of 2388	2824	qflwxm.pif	35
PID 2824 wrote to memory of 2388	2824	qflwxm.pif	35
PID 2824 wrote to memory of 2388	2824	qflwxm.pif	35
PID 2824 wrote to memory of 828	2824	qflwxm.pif	36
PID 2824 wrote to memory of 828	2824	qflwxm.pif	36
PID 2824 wrote to memory of 828	2824	qflwxm.pif	36
PID 2824 wrote to memory of 828	2824	qflwxm.pif	36
PID 2824 wrote to memory of 1252	2824	qflwxm.pif	37
PID 2824 wrote to memory of 1252	2824	qflwxm.pif	37
PID 2824 wrote to memory of 1252	2824	qflwxm.pif	37
PID 2824 wrote to memory of 1252	2824	qflwxm.pif	37
PID 2824 wrote to memory of 2784	2824	qflwxm.pif	38
PID 2824 wrote to memory of 2784	2824	qflwxm.pif	38
PID 2824 wrote to memory of 2784	2824	qflwxm.pif	38
PID 2824 wrote to memory of 2784	2824	qflwxm.pif	38
PID 2824 wrote to memory of 2760	2824	qflwxm.pif	39
PID 2824 wrote to memory of 2760	2824	qflwxm.pif	39
PID 2824 wrote to memory of 2760	2824	qflwxm.pif	39
PID 2824 wrote to memory of 2760	2824	qflwxm.pif	39
PID 2824 wrote to memory of 2760	2824	qflwxm.pif	39
PID 2824 wrote to memory of 2760	2824	qflwxm.pif	39
PID 2824 wrote to memory of 2760	2824	qflwxm.pif	39
PID 2824 wrote to memory of 2760	2824	qflwxm.pif	39
PID 2824 wrote to memory of 2760	2824	qflwxm.pif	39
PID 2760 wrote to memory of 1212	2760	RegSvcs.exe	21
PID 2760 wrote to memory of 1212	2760	RegSvcs.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1212
- C:\Users\Admin\AppData\Local\Temp\c46a2af1bddbb0eca275e471a8b97bd3_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c46a2af1bddbb0eca275e471a8b97bd3_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Users\Admin\AppData\Roaming\91305724\qflwxm.pif
    "C:\Users\Admin\AppData\Roaming\91305724\qflwxm.pif" coxabch.pwt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2656
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2308
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:908
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2388
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:828
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1252
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\91305724\imrgkhud.exe

Filesize
368KB

MD5
969368babb963ede6100120d4ece245e

SHA1
c6d1e24dde9ccb60cba291f56efa4286f7f7d3f5

SHA256
d09763cf25ea0980904252e995bdf6db533b223558cf2bc889f40c37be49c3c8

SHA512
c437a80f3cc5702e35bdbf95536c6fecf1c17fba361f86b1f26340a15ce4d21aaad4d6093346fb8a342cd943540d1ee2ed075159667823640d016e9630ceef24

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Roaming\91305724\qflwxm.pif

Filesize
646KB

MD5
cdbb08d4234736c4a052dc3f181e66f2

SHA1
6801a805b6dcb760e8bf399a7d3ad0489fec7bfb

SHA256
07e5f6d7ec7ccbc3d742658e9161d799934c6f7f6a3ebf560f361b4ee1730b6a

SHA512
1ebd1a546e64d4b36d4f143ff7211d953f8db8e74c739db5e9c0939a6eb010a461fd1368f8a7813a8a2da804de6993010075ac21e4917d74d3f9394eaebafdfb

Download Submit
memory/1212-69-0x0000000004F40000-0x0000000005040000-memory.dmp

Filesize
1024KB

Download
memory/1212-71-0x0000000002AE0000-0x0000000002AE6000-memory.dmp

Filesize
24KB

Download
memory/1212-77-0x0000000002AE0000-0x0000000002AE6000-memory.dmp

Filesize
24KB

Download
memory/1212-70-0x0000000004F40000-0x0000000005040000-memory.dmp

Filesize
1024KB

Download
memory/2760-63-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2760-61-0x0000000000370000-0x00000000008F0000-memory.dmp

Filesize
5.5MB

Download
memory/2760-64-0x0000000000370000-0x00000000008F0000-memory.dmp

Filesize
5.5MB

Download
memory/2760-66-0x0000000000370000-0x00000000008F0000-memory.dmp

Filesize
5.5MB

Download
memory/2760-68-0x0000000000370000-0x00000000008F0000-memory.dmp

Filesize
5.5MB

Download