Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/01/2025, 22:38
Static task: static1

Behavioral task: behavioral1
Sample: JaffaCakes118_f01f24f0435365800e22d94096306db9.dll
Resource: win7-20240729-en

Behavioral task: behavioral2
Sample: JaffaCakes118_f01f24f0435365800e22d94096306db9.dll
Resource: win10v2004-20241007-en
General

Target: JaffaCakes118_f01f24f0435365800e22d94096306db9.dll
Size: 825KB
MD5: f01f24f0435365800e22d94096306db9
SHA1: 9abd95548e7fcf9ff7406a90bd6b0928a11acfd0
SHA256: 12c45d6ea30f3ab6610e8c446534a9633b0ff28ad1ee4f8597e19928fbf7455b
SHA512: daa09aeaa4e528c695a6ab6a575b0848a6c52f85f4c4c262c2e5ada548f474b0eda1bd400f59f28532367a7a335e1ecf541a35358bcdd91f7da9cfa28b55dbd8
SSDEEP: 12288:NafGVgqM7aafQIbyhxi5zhRSAofMvG9VWTY3DdWyS5EPGM:NafGVJwyAq+hfgAG9VWGdWyIM
Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

Bazarloader family

Bazar/Team9 Loader payload (3 IoCs)
All three hits are from behavioral2 (the Windows 10 run) and come from three successive dumps of the same memory region in PID 2748:

resource                                                                   yara_rule
behavioral2/memory/2748-0-0x0000000180000000-0x0000000180030000-memory.dmp BazarLoaderVar5
behavioral2/memory/2748-1-0x0000000180000000-0x0000000180030000-memory.dmp BazarLoaderVar5
behavioral2/memory/2748-2-0x0000000180000000-0x0000000180030000-memory.dmp BazarLoaderVar5

0x180000000 is the default ImageBase the MSVC linker assigns to 64-bit DLLs, and the matched region is 0x30000 bytes (192 KiB), well under the 825 KB size of the sample on disk. This suggests the rule is firing on a PE image mapped in memory at its preferred base rather than on the original DLL file; the report does not itself identify what that image is.
Tries to connect to .bazar domain (26 IoCs)
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Four distinct domains across 26 flows: emfuuhvu.bazar (19), reddew28c.bazar (3), bluehail.bazar (2), whitestorm9p.bazar (2).

flow  ioc
46    reddew28c.bazar
47    reddew28c.bazar
48    reddew28c.bazar
58    bluehail.bazar
59    bluehail.bazar
61    whitestorm9p.bazar
62    whitestorm9p.bazar
64    emfuuhvu.bazar
65    emfuuhvu.bazar
66    emfuuhvu.bazar
67    emfuuhvu.bazar
68    emfuuhvu.bazar
69    emfuuhvu.bazar
70    emfuuhvu.bazar
75    emfuuhvu.bazar
76    emfuuhvu.bazar
79    emfuuhvu.bazar
80    emfuuhvu.bazar
81    emfuuhvu.bazar
84    emfuuhvu.bazar
85    emfuuhvu.bazar
88    emfuuhvu.bazar
89    emfuuhvu.bazar
92    emfuuhvu.bazar
93    emfuuhvu.bazar
94    emfuuhvu.bazar
Unexpected DNS network traffic destination (26 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

.bazar is not an ICANN top-level domain; it is served by EmerDNS, the Emercoin blockchain name system. The host's configured resolver cannot answer those names, so the loader sends its queries directly to public resolvers that serve EmerDNS zones, which is what this signature catches. The 26 destinations below are therefore the resolvers the loader queried on port 53, not the C2 hosts; the addresses the .bazar names resolved to are not listed in this report.

18 distinct destination IPs across 26 flows (count in parentheses):

Destination IP 103.138.238.151 (1)
Destination IP 130.61.64.122 (4)
Destination IP 192.71.166.92 (2)
Destination IP 107.174.68.120 (1)
Destination IP 51.158.108.203 (4)
Destination IP 192.3.165.37 (2)
Destination IP 34.211.147.56 (1)
Destination IP 185.52.0.55 (1)
Destination IP 45.76.254.23 (1)
Destination IP 134.195.4.2 (1)
Destination IP 78.31.67.99 (1)
Destination IP 35.211.96.150 (1)
Destination IP 194.36.144.87 (1)
Destination IP 217.160.188.24 (1)
Destination IP 185.84.81.194 (1)
Destination IP 89.163.140.67 (1)
Destination IP 198.50.135.212 (1)
Destination IP 88.198.92.222 (1)
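The two network signatures in this report describe detection logic that can be reproduced on ordinary DNS telemetry: flag lookups whose final label is a blockchain TLD (.bazar, plus the other EmerDNS TLDs as a generalization of the same check), and flag DNS-port traffic to any server other than the host's configured resolvers. The following is an added example, not part of the sandbox report and not a vendor rule. The configured resolver address 10.127.0.1, the one-datagram-per-line log format and the sample lines are constructed for the example; the domain names and resolver IPs in those lines are taken from the IoC lists above, but their pairing into flows is made up.

```python
import re
from collections import Counter
from typing import Iterable, Optional, NamedTuple

# Resolver the analysis host is configured to use. Assumption for this example;
# the report does not state the sandbox's DNS configuration.
CONFIGURED_DNS = frozenset({"10.127.0.1"})

# TLDs served by EmerDNS (blockchain DNS) rather than the ICANN root. The report
# only covers .bazar; the others extend the same check to sibling EmerDNS zones.
BLOCKCHAIN_TLDS = frozenset({"bazar", "emc", "coin", "lib"})


class DnsEvent(NamedTuple):
    flow: int
    dst_ip: str
    dst_port: int
    qname: str


# Constructed log format for this example: "flow=<n> dst=<ip>:<port> qname=<name>"
_LINE = re.compile(
    r"^flow=(?P<flow>\d+)\s+dst=(?P<ip>[\d.]+):(?P<port>\d+)\s+qname=(?P<qname>\S+)$"
)


def parse_line(line: str) -> Optional[DnsEvent]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    qname = m["qname"].rstrip(".").lower()  # normalise trailing dot and case
    return DnsEvent(int(m["flow"]), m["ip"], int(m["port"]), qname)


def is_blockchain_tld(qname: str) -> bool:
    """'Tries to connect to .bazar domain': test the final label only, so
    'bazar.example.com' is not flagged while 'reddew28c.bazar' is."""
    return qname.rsplit(".", 1)[-1] in BLOCKCHAIN_TLDS


def is_unexpected_dns_destination(ev: DnsEvent, configured=CONFIGURED_DNS) -> bool:
    """'Unexpected DNS network traffic destination': traffic on the DNS port to
    a server that is not one of the configured resolvers. The query name is
    irrelevant here; a benign lookup sent to 8.8.8.8 still fires."""
    return ev.dst_port == 53 and ev.dst_ip not in configured


def analyze(lines: Iterable[str]) -> dict:
    """Run both signatures over the log and return per-IoC hit counts."""
    bazar_domains: Counter = Counter()
    unexpected_dst: Counter = Counter()
    bazar_flows = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if is_blockchain_tld(ev.qname):
            bazar_domains[ev.qname] += 1
            bazar_flows.append(ev.flow)
        if is_unexpected_dns_destination(ev):
            unexpected_dst[ev.dst_ip] += 1
    return {
        "bazar_domains": bazar_domains,
        "bazar_flows": bazar_flows,
        "unexpected_dst": unexpected_dst,
    }


# Constructed sample traffic (not the sandbox pcap). Names and resolver IPs come
# from the report's IoC lists; which name went to which resolver is invented.
# Flow 65 shows a .bazar query to the configured resolver (first signature only),
# flow 67 a benign query to an unconfigured resolver (second signature only),
# flow 68 non-DNS traffic to a listed IP (neither signature).
SAMPLE_LOG = """\
flow=46 dst=103.138.238.151:53 qname=reddew28c.bazar
flow=47 dst=130.61.64.122:53 qname=reddew28c.bazar
flow=58 dst=51.158.108.203:53 qname=bluehail.bazar
flow=61 dst=192.3.165.37:53 qname=whitestorm9p.bazar
flow=65 dst=10.127.0.1:53 qname=emfuuhvu.bazar
flow=66 dst=10.127.0.1:53 qname=www.msftconnecttest.com
flow=67 dst=8.8.8.8:53 qname=time.windows.com
flow=68 dst=130.61.64.122:443 qname=-
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for name, n in result["bazar_domains"].most_common():
        print(f"blockchain TLD lookup   {name:<26} x{n}")
    for ip, n in result["unexpected_dst"].most_common():
        print(f"unexpected DNS dest     {ip:<26} x{n}")
```

Keyed on the final label rather than a substring match, the first check does not trip on ordinary domains that happen to contain "bazar"; keyed on destination and port rather than on the name, the second check catches a loader that queries an outside resolver even for names the analyst has never seen before.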