edbc8c0273fe91bd2217bed8087f2718d5b429623c802ce96dbf68f9a4998010

Analysis

max time kernel
126s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe
Size

144KB
MD5

0797ae480b07fb4e00b16482cf5435cb
SHA1

51b2a74528a90c5c8a0d7eaa12818c29607655b0
SHA256

edbc8c0273fe91bd2217bed8087f2718d5b429623c802ce96dbf68f9a4998010
SHA512

cf568aa872625fa5eafb9abfcd824899118adaa01b8dcb263888b9367b7b9dddf8041e0d2e65e6a5fd3701c8281b3b59c5da13d598836a258bd1cf06c9094651
SSDEEP

1536:qiUQf1OdalnaYJy8PNigFfaGZp78lbcuZ/+J07:qiUmOEdvTNVfaGZp78lwuUW7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1804	BCSSync.exe
2844	BCSSync.exe

Loads dropped DLL 2 IoCs

pid	Process
2732	0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe
2732	0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	46.28.107.10
Destination IP	46.28.107.10
Destination IP	46.28.107.10
Destination IP	46.28.107.10
Destination IP	46.28.107.10

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\L1fym4b.com	0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\L1fym4b.com.b	0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1972 set thread context of 2732	1972	0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe	28
PID 1804 set thread context of 2844	1804	BCSSync.exe	30

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe.b	0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2732	0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1972	0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe
1804	BCSSync.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2732	1972	0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe	28
PID 1972 wrote to memory of 2732	1972	0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe	28
PID 1972 wrote to memory of 2732	1972	0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe	28
PID 1972 wrote to memory of 2732	1972	0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe	28
PID 1972 wrote to memory of 2732	1972	0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe	28
PID 1972 wrote to memory of 2732	1972	0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe	28
PID 1972 wrote to memory of 2732	1972	0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe	28
PID 1972 wrote to memory of 2732	1972	0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe	28
PID 1972 wrote to memory of 2732	1972	0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe	28
PID 1972 wrote to memory of 2732	1972	0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe	28
PID 2732 wrote to memory of 1804	2732	0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe	29
PID 2732 wrote to memory of 1804	2732	0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe	29
PID 2732 wrote to memory of 1804	2732	0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe	29
PID 2732 wrote to memory of 1804	2732	0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe	29
PID 1804 wrote to memory of 2844	1804	BCSSync.exe	30
PID 1804 wrote to memory of 2844	1804	BCSSync.exe	30
PID 1804 wrote to memory of 2844	1804	BCSSync.exe	30
PID 1804 wrote to memory of 2844	1804	BCSSync.exe	30
PID 1804 wrote to memory of 2844	1804	BCSSync.exe	30
PID 1804 wrote to memory of 2844	1804	BCSSync.exe	30
PID 1804 wrote to memory of 2844	1804	BCSSync.exe	30
PID 1804 wrote to memory of 2844	1804	BCSSync.exe	30
PID 1804 wrote to memory of 2844	1804	BCSSync.exe	30
PID 1804 wrote to memory of 2844	1804	BCSSync.exe	30
PID 2844 wrote to memory of 2800	2844	BCSSync.exe	31
PID 2844 wrote to memory of 2800	2844	BCSSync.exe	31
PID 2844 wrote to memory of 2800	2844	BCSSync.exe	31
PID 2844 wrote to memory of 2800	2844	BCSSync.exe	31

C:\Users\Admin\AppData\Local\Temp\0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"
        5⤵
        
        PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
144KB

MD5
f9d86f29bfb385371a19b84cdfc10786

SHA1
be5038edb0d661f0675fc6798dbb1202d22bdd9e

SHA256
09ddadec9b25287fedaef5537c66a5499a10ab92ad5b7e90473732b29c48c784

SHA512
beee1f2ec4fc316dfe079358e0187e034a590000f2524fe0fde856e6716952373d54efa8d1b7cc18f2ceec93458b4f57154e9f59861bfa5ef38e4b90eec1cbba

Download Submit
memory/2732-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2732-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2732-20-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2844-27-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download