Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-01-2025 05:44

Static task: static1

Behavioral task: behavioral1
Sample: JaffaCakes118_dc667ed66aae40d48560988fa222000d.dll
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_dc667ed66aae40d48560988fa222000d.dll
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_dc667ed66aae40d48560988fa222000d.dll
Size: 840KB
MD5: dc667ed66aae40d48560988fa222000d
SHA1: 4e0d78a949fb7f5865ea981c64163d7870684b8d
SHA256: 485a3c191731de674005bf28bb644672cfcc1bad58abb9b7d0f36d71d2973067
SHA512: 2972fa7ea51e255a9885a56b59bb18c5068251e161cc04599472ffba9c73ee082b65c3ca4d9631f2d7c772edbd5cf9da2c78a4d1ee4042cebe6d908808911723
SSDEEP: 12288:U0DgYq89aJyKXwAmliposlBT0sVxVTJU7RnVhGqYtZsUSdEPGR:U0DgRiUAzFsD35TJU7RnzS3sUcR
Malware Config
Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

Bazarloader family

Bazar/Team9 Loader payload (3 IoCs)
resource / yara_rule:
behavioral2/memory/4912-1-0x0000000180000000-0x0000000180034000-memory.dmp  BazarLoaderVar5
behavioral2/memory/4912-0-0x0000000180000000-0x0000000180034000-memory.dmp  BazarLoaderVar5
behavioral2/memory/4912-2-0x0000000180000000-0x0000000180034000-memory.dmp  BazarLoaderVar5
Tries to connect to .bazar domain (35 IoCs)
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
Unexpected DNS network traffic destination (35 IoCs)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.