bazaloader | 5718b9d98c2b5f09acf7c2d46f24f0da693fff624908199d999b778983c8ee6c

General

Target

7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe
Size

5.2MB
MD5

2e025daacfe1def8ac1fa48820d2c8ce
SHA1

86da098c8b04844ca54c35429d77cdd3273754e3
SHA256

7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8
SHA512

43c42d5817c59478890b6ab6520bb179960010434b3d114976528f475c331f1e6f69d93e7d7639da75c0ac00b5462825e4e53a830278e58f72cb2b7138454e9d
SSDEEP

98304:2/q+71dO2ooGsM8ZHUTFhqB4smvdzeQbDKRRemADhDGDj0DTHUL+:2/qEamGUZ0TFnvdiQbDaf0DDUL

Score

10^/10

bazaloader evasion execution persistence privilege_escalation trojan

Malware Config

Signatures

Bazaloader family
bazaloader

Detects BazaLoader malware 4 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests - JaffaCakes118.

trojan

resource	yara_rule
behavioral1/memory/2248-2-0x0000000140000000-0x0000000140632400-memory.dmp	BazaLoader
behavioral1/memory/2248-16-0x0000000140000000-0x0000000140632400-memory.dmp	BazaLoader
behavioral1/memory/2868-20-0x0000000140000000-0x0000000140632400-memory.dmp	BazaLoader
behavioral1/memory/2868-41-0x0000000140000000-0x0000000140632400-memory.dmp	BazaLoader

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2092	powershell.exe
2204	powershell.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2176	netsh.exe
2672	netsh.exe
2188	netsh.exe
3032	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
2868	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2248	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System\xxx1.bak	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe
File created	C:\Windows\System\svchost.exe	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe
File opened for modification	C:\Windows\System\svchost.exe	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2204	powershell.exe
2248	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe
2092	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2204	2248	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	30
PID 2248 wrote to memory of 2204	2248	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	30
PID 2248 wrote to memory of 2204	2248	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	30
PID 2248 wrote to memory of 2176	2248	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	32
PID 2248 wrote to memory of 2176	2248	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	32
PID 2248 wrote to memory of 2176	2248	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	32
PID 2248 wrote to memory of 2672	2248	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	33
PID 2248 wrote to memory of 2672	2248	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	33
PID 2248 wrote to memory of 2672	2248	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	33
PID 2248 wrote to memory of 2792	2248	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	34
PID 2248 wrote to memory of 2792	2248	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	34
PID 2248 wrote to memory of 2792	2248	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	34
PID 2248 wrote to memory of 2868	2248	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	38
PID 2248 wrote to memory of 2868	2248	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	38
PID 2248 wrote to memory of 2868	2248	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	38
PID 2868 wrote to memory of 2092	2868	svchost.exe	39
PID 2868 wrote to memory of 2092	2868	svchost.exe	39
PID 2868 wrote to memory of 2092	2868	svchost.exe	39
PID 2868 wrote to memory of 2188	2868	svchost.exe	41
PID 2868 wrote to memory of 2188	2868	svchost.exe	41
PID 2868 wrote to memory of 2188	2868	svchost.exe	41
PID 2868 wrote to memory of 3032	2868	svchost.exe	43
PID 2868 wrote to memory of 3032	2868	svchost.exe	43
PID 2868 wrote to memory of 3032	2868	svchost.exe	43

C:\Users\Admin\AppData\Local\Temp\7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe
"C:\Users\Admin\AppData\Local\Temp\7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2176
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2672
- C:\Windows\system32\schtasks.exe
  schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2792
- C:\Windows\System\svchost.exe
  "C:\Windows\System\svchost.exe" formal
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2092
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2188
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0875b8a3fef3ea7f571e8f16830ff5dd

SHA1
9c231e91c41265da35be99dabd80d536a87d382b

SHA256
d549ed26eb53d96b8a2f080be2c423cec84dcc1395c4fff46c7365a35e08d4ab

SHA512
acf7a94614b566fbd71c121cbed4d8085972e6a2cc89178a7584b88ac09de390eb24d5533de9c45cac50a62d136724cc58afbf6634125a8dc0a979d636e63306

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
2.8MB

MD5
a713248bfd1f5b37244accbdceafddbf

SHA1
cd80ea6f50c92c381e5adcc4872d88abbfa57221

SHA256
1b4df362df8b1be3445d6818b91fb119a8a2e2a742837f4743d47bfae0336a8a

SHA512
cf649112f1b85e3bb7644542e2c6e9b0da732b3cf2ac1ab0b57a99fa552f21880f2e4a06a9a9c0ca7344fa78397b518de7bb2dc1c7eff0d011985a0ad74c4bc7

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
20.1MB

MD5
3a2c38073bf58e18ce60e92986b5179b

SHA1
2dbfd55b44f2805bfcb28694733e37b2f6840a9d

SHA256
909863e89e249ccaa4434675ac23b1e032a870ccb0d5cff450085baf37deaed1

SHA512
c3a6b4eff082eea2954ab878fded0382c88be21217f305829fa2005d61c767eabc1747f1c903d66a3c47eb96426f4946bb16cf1c8311913ad593b71e0a8975ed

Download Submit
C:\Windows\system\svchost.exe

Filesize
5.2MB

MD5
2e025daacfe1def8ac1fa48820d2c8ce

SHA1
86da098c8b04844ca54c35429d77cdd3273754e3

SHA256
7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8

SHA512
43c42d5817c59478890b6ab6520bb179960010434b3d114976528f475c331f1e6f69d93e7d7639da75c0ac00b5462825e4e53a830278e58f72cb2b7138454e9d

Download Submit
memory/2092-27-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2092-26-0x000000001B360000-0x000000001B642000-memory.dmp

Filesize
2.9MB

Download
memory/2204-8-0x00000000026F0000-0x0000000002770000-memory.dmp

Filesize
512KB

Download
memory/2204-10-0x00000000020C0000-0x00000000020C8000-memory.dmp

Filesize
32KB

Download
memory/2204-9-0x000000001B3B0000-0x000000001B692000-memory.dmp

Filesize
2.9MB

Download
memory/2248-16-0x0000000140000000-0x0000000140632400-memory.dmp

Filesize
6.2MB

Download
memory/2248-0-0x0000000140000000-0x0000000140632400-memory.dmp

Filesize
6.2MB

Download
memory/2248-3-0x0000000140001000-0x000000014001C000-memory.dmp

Filesize
108KB

Download
memory/2248-2-0x0000000140000000-0x0000000140632400-memory.dmp

Filesize
6.2MB

Download
memory/2248-1-0x0000000140000000-0x0000000140632400-memory.dmp

Filesize
6.2MB

Download
memory/2868-18-0x0000000140000000-0x0000000140632400-memory.dmp

Filesize
6.2MB

Download
memory/2868-19-0x0000000140000000-0x0000000140632400-memory.dmp

Filesize
6.2MB

Download
memory/2868-20-0x0000000140000000-0x0000000140632400-memory.dmp

Filesize
6.2MB

Download
memory/2868-28-0x0000000010000000-0x00000000104FC000-memory.dmp

Filesize
5.0MB

Download
memory/2868-41-0x0000000140000000-0x0000000140632400-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads