311d3c46aec4ea9c0b614c556486f9718bc9491c94e10691d78fb81e202726de

General

Target

f52d4392de6e61460be7133582f54d3e_JaffaCakes118.exe
Size

39KB
MD5

f52d4392de6e61460be7133582f54d3e
SHA1

9b9d42a4430ec10a63d3778fc39d40d76cee4573
SHA256

311d3c46aec4ea9c0b614c556486f9718bc9491c94e10691d78fb81e202726de
SHA512

4fde76dab9219dac807253c36a44fdc79a0d90c4f049166030bb50939baeac6cb8e176b85a276baea04caad4471431a7b273a503116da870c2738b3139b36534
SSDEEP

768:SzLoYj/s3MY2C162DG9pFz6uEpYJgiMgIf2aNBIFZCzccx5BXPo2:0MYQ3n2WTczxqYJgHf2aNBSZ5cx5Fj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2560	BCSSync.exe
2416	BCSSync.exe

Loads dropped DLL 3 IoCs

pid	Process
1616	f52d4392de6e61460be7133582f54d3e_JaffaCakes118.exe
1616	f52d4392de6e61460be7133582f54d3e_JaffaCakes118.exe
2560	BCSSync.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2264 set thread context of 1616	2264	f52d4392de6e61460be7133582f54d3e_JaffaCakes118.exe	28
PID 2560 set thread context of 2416	2560	BCSSync.exe	30

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	f52d4392de6e61460be7133582f54d3e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	f52d4392de6e61460be7133582f54d3e_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\7FtGX.com	f52d4392de6e61460be7133582f54d3e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1616	f52d4392de6e61460be7133582f54d3e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 1616	2264	f52d4392de6e61460be7133582f54d3e_JaffaCakes118.exe	28
PID 2264 wrote to memory of 1616	2264	f52d4392de6e61460be7133582f54d3e_JaffaCakes118.exe	28
PID 2264 wrote to memory of 1616	2264	f52d4392de6e61460be7133582f54d3e_JaffaCakes118.exe	28
PID 2264 wrote to memory of 1616	2264	f52d4392de6e61460be7133582f54d3e_JaffaCakes118.exe	28
PID 2264 wrote to memory of 1616	2264	f52d4392de6e61460be7133582f54d3e_JaffaCakes118.exe	28
PID 2264 wrote to memory of 1616	2264	f52d4392de6e61460be7133582f54d3e_JaffaCakes118.exe	28
PID 2264 wrote to memory of 1616	2264	f52d4392de6e61460be7133582f54d3e_JaffaCakes118.exe	28
PID 2264 wrote to memory of 1616	2264	f52d4392de6e61460be7133582f54d3e_JaffaCakes118.exe	28
PID 2264 wrote to memory of 1616	2264	f52d4392de6e61460be7133582f54d3e_JaffaCakes118.exe	28
PID 1616 wrote to memory of 2560	1616	f52d4392de6e61460be7133582f54d3e_JaffaCakes118.exe	29
PID 1616 wrote to memory of 2560	1616	f52d4392de6e61460be7133582f54d3e_JaffaCakes118.exe	29
PID 1616 wrote to memory of 2560	1616	f52d4392de6e61460be7133582f54d3e_JaffaCakes118.exe	29
PID 1616 wrote to memory of 2560	1616	f52d4392de6e61460be7133582f54d3e_JaffaCakes118.exe	29
PID 2560 wrote to memory of 2416	2560	BCSSync.exe	30
PID 2560 wrote to memory of 2416	2560	BCSSync.exe	30
PID 2560 wrote to memory of 2416	2560	BCSSync.exe	30
PID 2560 wrote to memory of 2416	2560	BCSSync.exe	30
PID 2560 wrote to memory of 2416	2560	BCSSync.exe	30
PID 2560 wrote to memory of 2416	2560	BCSSync.exe	30
PID 2560 wrote to memory of 2416	2560	BCSSync.exe	30
PID 2560 wrote to memory of 2416	2560	BCSSync.exe	30
PID 2560 wrote to memory of 2416	2560	BCSSync.exe	30
PID 2416 wrote to memory of 1552	2416	BCSSync.exe	31
PID 2416 wrote to memory of 1552	2416	BCSSync.exe	31
PID 2416 wrote to memory of 1552	2416	BCSSync.exe	31
PID 2416 wrote to memory of 1552	2416	BCSSync.exe	31

C:\Users\Admin\AppData\Local\Temp\f52d4392de6e61460be7133582f54d3e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f52d4392de6e61460be7133582f54d3e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Users\Admin\AppData\Local\Temp\f52d4392de6e61460be7133582f54d3e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f52d4392de6e61460be7133582f54d3e_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\f52d4392de6e61460be7133582f54d3e_JaffaCakes118.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\f52d4392de6e61460be7133582f54d3e_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\f52d4392de6e61460be7133582f54d3e_JaffaCakes118.exe
        5⤵
        
        PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
39KB

MD5
58cd6a436e074341bbbc61eeb26bce69

SHA1
a14eed80477f9ef7a1612ea533993ebb6ec5cacf

SHA256
145ee400e2ddefa55dd802454cb9df15a9229fb37895f793df75ff21f6007297

SHA512
7db2eb8b45484f342e371691ac7892d890959954b562a515896b155ef15c2c6b54cf6a3a77638dd48435ac06a0084dab86073171f34942a6abb5e0768955464f

Download Submit
memory/1616-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1616-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1616-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1616-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1616-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1616-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1616-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1616-13-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1616-14-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/2416-48-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing