bazaloader | 9d93b56e51a529ff6fab37769c2c69007b59cd22df05dcc6926e5722003a64d8 | Triage

Submit
Reports

Overview

overview

Static

static

1

d02f651baa...18.exe

windows7-x64

d02f651baa...18.exe

windows10-2004-x64

Sharing

General

Target

d02f651baa63b69474cac03c4a2edfa6_JaffaCakes118
Size

5.1MB
Sample

241207-cn7ttawmgl
MD5

d02f651baa63b69474cac03c4a2edfa6
SHA1

0501c07e93d1abc3d31d1f1200f8ff7d79198172
SHA256

9d93b56e51a529ff6fab37769c2c69007b59cd22df05dcc6926e5722003a64d8
SHA512

8309c6435001f8356a17e7e91863db3ba731558cb2ded400878ff16c087b36a84624b20b6017e7c97b1e41b07033e7eedadf9e8a3a51727f489820ef63981226
SSDEEP

49152:D6mrLDAiPcTlyoMbH7l/EaRkXfnNhdDAB4swOqZIeQlMO9nfWXhREvFFP1Pc1rRI:TmniBdfjsTveQCmiIRvf/2tq56aA

Score

10^/10

bazaloader evasion execution persistence privilege_escalation trojan

Static task

static1

Behavioral task

behavioral1

Sample

d02f651baa63b69474cac03c4a2edfa6_JaffaCakes118.exe

Resource

win7-20240903-en

bazaloader evasion execution persistence privilege_escalation trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

d02f651baa63b69474cac03c4a2edfa6_JaffaCakes118.exe

Resource

win10v2004-20241007-en

bazaloader evasion execution persistence privilege_escalation trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  d02f651baa63b69474cac03c4a2edfa6_JaffaCakes118
- Size
  
  5.1MB
- MD5
  
  d02f651baa63b69474cac03c4a2edfa6
- SHA1
  
  0501c07e93d1abc3d31d1f1200f8ff7d79198172
- SHA256
  
  9d93b56e51a529ff6fab37769c2c69007b59cd22df05dcc6926e5722003a64d8
- SHA512
  
  8309c6435001f8356a17e7e91863db3ba731558cb2ded400878ff16c087b36a84624b20b6017e7c97b1e41b07033e7eedadf9e8a3a51727f489820ef63981226
- SSDEEP
  
  49152:D6mrLDAiPcTlyoMbH7l/EaRkXfnNhdDAB4swOqZIeQlMO9nfWXhREvFFP1Pc1rRI:TmniBdfjsTveQCmiIRvf/2tq56aA
Score

10^/10

bazaloader evasion execution persistence privilege_escalation trojan
- Bazaloader family
  bazaloader
- Detects BazaLoader malware
  BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests - JaffaCakes118.
  trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bazaloaderevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

bazaloaderevasionexecutionpersistenceprivilege_escalationtrojan

© 2018-2025

Terms | Privacy