Analysis

max time kernel: 141s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-04-2024 14:10
Static task: static1

Behavioral task: behavioral1
  Sample: f829e1a9cf136d94f832c275f6d1f008_JaffaCakes118.dll
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: f829e1a9cf136d94f832c275f6d1f008_JaffaCakes118.dll
  Resource: win10v2004-20240412-en
General

Target: f829e1a9cf136d94f832c275f6d1f008_JaffaCakes118.dll
Size: 1.2MB
MD5: f829e1a9cf136d94f832c275f6d1f008
SHA1: 6f695e3924dbb1d6d216250ea8da39987a70cf4b
SHA256: 2c59b6a90799fe245b4bcd608bab37b0a3750bacaa886eda9c1e32c9e8b6f84f
SHA512: d8f3f5cc1a8e616515f9cf5bb6934fa6c6627a16713bbefdcf7d81ecaf4f41b657490759ae089fdeaac5f960d19acd92dd25bf9385189c0b37a13ff7048bacd8
SSDEEP: 12288:6yWeahQ/LWnzkXz5HYrniajhuSlHJzJBlPXXo/6aNdCaBSPZC1XZV72B4:HWeaZzqY7dhBjz/lfo/FIyXv72B4
Malware Config
Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

Bazar/Team9 Loader payload (3 IoCs)
Processes:
  resource                                                                    yara_rule
  behavioral2/memory/3736-0-0x0000018654D50000-0x0000018654D8C000-memory.dmp  BazarLoaderVar5
  behavioral2/memory/3736-1-0x00007FF956C90000-0x00007FF956E11000-memory.dmp  BazarLoaderVar5
  behavioral2/memory/3736-3-0x0000018654D50000-0x0000018654D8C000-memory.dmp  BazarLoaderVar5

Blocklisted process makes network request (13 IoCs)
Processes: rundll32.exe
  flow  pid   process
  3     3736  rundll32.exe
  26    3736  rundll32.exe
  43    3736  rundll32.exe
  50    3736  rundll32.exe
  54    3736  rundll32.exe
  56    3736  rundll32.exe
  58    3736  rundll32.exe
  63    3736  rundll32.exe
  64    3736  rundll32.exe
  67    3736  rundll32.exe
  68    3736  rundll32.exe
  69    3736  rundll32.exe
  70    3736  rundll32.exe

Tries to connect to .bazar domain (3 IoCs)
Attempts to look up or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
Processes:
  flow  ioc
  63    greencloud46a.bazar
  67    whitestorm9p.bazar
  69    yellowdownpour81.bazar

Unexpected DNS network traffic destination (3 IoCs)
Network traffic on the DNS port to servers other than the configured DNS servers was detected.
Processes:
  description     ioc
  Destination IP  195.10.195.195
  Destination IP  195.10.195.195
  Destination IP  195.10.195.195

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  description  flow  ioc
  HTTP URL     54    https://api.opennicproject.org/geoip/?bare&ipv=4