bazaloader | 9d93b56e51a529ff6fab37769c2c69007b59cd22df05dcc6926e5722003a64d8

General

Target

d02f651baa63b69474cac03c4a2edfa6_JaffaCakes118.exe
Size

5.1MB
MD5

d02f651baa63b69474cac03c4a2edfa6
SHA1

0501c07e93d1abc3d31d1f1200f8ff7d79198172
SHA256

9d93b56e51a529ff6fab37769c2c69007b59cd22df05dcc6926e5722003a64d8
SHA512

8309c6435001f8356a17e7e91863db3ba731558cb2ded400878ff16c087b36a84624b20b6017e7c97b1e41b07033e7eedadf9e8a3a51727f489820ef63981226
SSDEEP

49152:D6mrLDAiPcTlyoMbH7l/EaRkXfnNhdDAB4swOqZIeQlMO9nfWXhREvFFP1Pc1rRI:TmniBdfjsTveQCmiIRvf/2tq56aA

Score

10^/10

bazaloader evasion execution persistence privilege_escalation trojan

Malware Config

Signatures

Bazaloader family
bazaloader

Detects BazaLoader malware 5 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests - JaffaCakes118.

trojan

resource	yara_rule
behavioral1/memory/2744-2-0x0000000140000000-0x000000014061F200-memory.dmp	BazaLoader
behavioral1/memory/2744-4-0x0000000140000000-0x000000014061F200-memory.dmp	BazaLoader
behavioral1/memory/2744-25-0x0000000140000000-0x000000014061F200-memory.dmp	BazaLoader
behavioral1/memory/348-24-0x0000000140000000-0x000000014061F200-memory.dmp	BazaLoader
behavioral1/memory/348-46-0x0000000140000000-0x000000014061F200-memory.dmp	BazaLoader

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2696	powershell.exe
2920	powershell.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
700	netsh.exe
3000	netsh.exe
2680	netsh.exe
2656	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
348	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2744	d02f651baa63b69474cac03c4a2edfa6_JaffaCakes118.exe
2744	d02f651baa63b69474cac03c4a2edfa6_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System\xxx1.bak	d02f651baa63b69474cac03c4a2edfa6_JaffaCakes118.exe
File created	C:\Windows\System\svchost.exe	d02f651baa63b69474cac03c4a2edfa6_JaffaCakes118.exe
File opened for modification	C:\Windows\System\svchost.exe	d02f651baa63b69474cac03c4a2edfa6_JaffaCakes118.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1856	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2696	powershell.exe
2744	d02f651baa63b69474cac03c4a2edfa6_JaffaCakes118.exe
2920	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2696	2744	d02f651baa63b69474cac03c4a2edfa6_JaffaCakes118.exe	31
PID 2744 wrote to memory of 2696	2744	d02f651baa63b69474cac03c4a2edfa6_JaffaCakes118.exe	31
PID 2744 wrote to memory of 2696	2744	d02f651baa63b69474cac03c4a2edfa6_JaffaCakes118.exe	31
PID 2744 wrote to memory of 2680	2744	d02f651baa63b69474cac03c4a2edfa6_JaffaCakes118.exe	33
PID 2744 wrote to memory of 2680	2744	d02f651baa63b69474cac03c4a2edfa6_JaffaCakes118.exe	33
PID 2744 wrote to memory of 2680	2744	d02f651baa63b69474cac03c4a2edfa6_JaffaCakes118.exe	33
PID 2744 wrote to memory of 2656	2744	d02f651baa63b69474cac03c4a2edfa6_JaffaCakes118.exe	34
PID 2744 wrote to memory of 2656	2744	d02f651baa63b69474cac03c4a2edfa6_JaffaCakes118.exe	34
PID 2744 wrote to memory of 2656	2744	d02f651baa63b69474cac03c4a2edfa6_JaffaCakes118.exe	34
PID 2744 wrote to memory of 1856	2744	d02f651baa63b69474cac03c4a2edfa6_JaffaCakes118.exe	35
PID 2744 wrote to memory of 1856	2744	d02f651baa63b69474cac03c4a2edfa6_JaffaCakes118.exe	35
PID 2744 wrote to memory of 1856	2744	d02f651baa63b69474cac03c4a2edfa6_JaffaCakes118.exe	35
PID 2744 wrote to memory of 348	2744	d02f651baa63b69474cac03c4a2edfa6_JaffaCakes118.exe	39
PID 2744 wrote to memory of 348	2744	d02f651baa63b69474cac03c4a2edfa6_JaffaCakes118.exe	39
PID 2744 wrote to memory of 348	2744	d02f651baa63b69474cac03c4a2edfa6_JaffaCakes118.exe	39
PID 348 wrote to memory of 2920	348	svchost.exe	40
PID 348 wrote to memory of 2920	348	svchost.exe	40
PID 348 wrote to memory of 2920	348	svchost.exe	40
PID 348 wrote to memory of 700	348	svchost.exe	42
PID 348 wrote to memory of 700	348	svchost.exe	42
PID 348 wrote to memory of 700	348	svchost.exe	42
PID 348 wrote to memory of 3000	348	svchost.exe	44
PID 348 wrote to memory of 3000	348	svchost.exe	44
PID 348 wrote to memory of 3000	348	svchost.exe	44

C:\Users\Admin\AppData\Local\Temp\d02f651baa63b69474cac03c4a2edfa6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d02f651baa63b69474cac03c4a2edfa6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath %windir%
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2680
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2656
- C:\Windows\system32\schtasks.exe
  schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1856
- C:\Windows\System\svchost.exe
  "C:\Windows\System\svchost.exe" formal
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath %windir%
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:700
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b8b91152881a8d8b6be603cfd5a211dc

SHA1
37592d941ba4588a719c10eac262089f54ad91ff

SHA256
adaf29281f6f748617ef6e16e5349c2df8cefb78068eb98299ea652e739799e2

SHA512
fbb904b8afee0677878405f2ae4ba167151127776f448b83218f4e3ca9d3111242a72b0fb5953725b1bc3af71e8b29313441df0ec417f83ae7a5da7ad76b0161

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
2.8MB

MD5
3c681cef1f570d3b1a046dfc93b4022e

SHA1
b0ca6fd4bafabeacfb7cd08aa4b8151276068cb3

SHA256
911b63dece7ed9a1e511ab6d06ebee2a4497c1cb5ae3a92bf4a7de9ac1e118fc

SHA512
873c138bcd7b09a8d8dc633fac7119ac9b817d81349e40a5b7738f9594d4693d0ac434ac5ffc8cf5ed478cecfa5bd5eab44c136a828f43718fb09ce67089f2e3

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
15.9MB

MD5
ae49c90c068c427efee45988c0e2efaf

SHA1
f772fe46ba16d71804c19b192d9b2d53aa557246

SHA256
36e6bae5e8a95c3b60bf7547245ad555028fff5dce3e50f74eff171e192a9b37

SHA512
40d6ceb41a48fa6b92a77c945c2a49f3a1907f3e46bfa284d61ec4f34281c7a854a6f4553f95538998753a179ca7eb449d8c792c715153b611c328b91a45d695

Download Submit
C:\Windows\system\svchost.exe

Filesize
5.1MB

MD5
d02f651baa63b69474cac03c4a2edfa6

SHA1
0501c07e93d1abc3d31d1f1200f8ff7d79198172

SHA256
9d93b56e51a529ff6fab37769c2c69007b59cd22df05dcc6926e5722003a64d8

SHA512
8309c6435001f8356a17e7e91863db3ba731558cb2ded400878ff16c087b36a84624b20b6017e7c97b1e41b07033e7eedadf9e8a3a51727f489820ef63981226

Download Submit
memory/348-24-0x0000000140000000-0x000000014061F200-memory.dmp

Filesize
6.1MB

Download
memory/348-46-0x0000000140000000-0x000000014061F200-memory.dmp

Filesize
6.1MB

Download
memory/348-23-0x0000000140000000-0x000000014061F200-memory.dmp

Filesize
6.1MB

Download
memory/348-33-0x0000000010000000-0x00000000104E2000-memory.dmp

Filesize
4.9MB

Download
memory/2696-9-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/2696-11-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2696-10-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2744-25-0x0000000140000000-0x000000014061F200-memory.dmp

Filesize
6.1MB

Download
memory/2744-3-0x0000000140001000-0x0000000140011000-memory.dmp

Filesize
64KB

Download
memory/2744-4-0x0000000140000000-0x000000014061F200-memory.dmp

Filesize
6.1MB

Download
memory/2744-1-0x0000000140000000-0x000000014061F200-memory.dmp

Filesize
6.1MB

Download
memory/2744-2-0x0000000140000000-0x000000014061F200-memory.dmp

Filesize
6.1MB

Download
memory/2744-0-0x0000000140000000-0x000000014061F200-memory.dmp

Filesize
6.1MB

Download
memory/2920-32-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/2920-31-0x000000001B850000-0x000000001BB32000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads