bazaloader | e787ad6ebf572eff0d6c87d8ce10105b57367179d71be8a598fa3a3c607f5ffd

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e80f7cd96415137a2700638d1cdbf74f_JaffaCakes118.exe
Size

1.0MB
MD5

e80f7cd96415137a2700638d1cdbf74f
SHA1

35ef41deaaa1c2fc66df2a4fa657d4ebaf6b5129
SHA256

e787ad6ebf572eff0d6c87d8ce10105b57367179d71be8a598fa3a3c607f5ffd
SHA512

bd7368faba9b0d38e4781d185a93e2be4eb535f5de02a69981cfe1ae44175c9cce6f3e42ef9f5febc7dd9fc60d1e66122805e3ab3f8ab3b924ec5a487cff383e
SSDEEP

24576:m9pRceBJ1t1qrxIBSD4zPpfx5uVwVWTq:qBBnmx+S0t5T

Score

10^/10

bazaloader discovery trojan

Malware Config

Signatures

Bazaloader family
bazaloader

Detects BazaLoader malware 1 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests - JaffaCakes118.

trojan

resource	yara_rule
behavioral1/memory/2976-7-0x0000000000400000-0x000000000050A000-memory.dmp	BazaLoader

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	\??\c:\windows\SETUP_NT.INF	e80f7cd96415137a2700638d1cdbf74f_JaffaCakes118.exe
File created	\??\c:\windows\TVicComm.sys	e80f7cd96415137a2700638d1cdbf74f_JaffaCakes118.exe
File created	\??\c:\windows\TVICCOMM.VXD	e80f7cd96415137a2700638d1cdbf74f_JaffaCakes118.exe
File created	\??\c:\windows\TVicCommSpy.ocx	e80f7cd96415137a2700638d1cdbf74f_JaffaCakes118.exe
File created	C:\WINDOWS\system\svchost.exe	e80f7cd96415137a2700638d1cdbf74f_JaffaCakes118.exe
File created	\??\c:\windows\SETUP_9X.INF	e80f7cd96415137a2700638d1cdbf74f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e80f7cd96415137a2700638d1cdbf74f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e80f7cd96415137a2700638d1cdbf74f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e80f7cd96415137a2700638d1cdbf74f_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2976-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2976-8-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2976-7-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download