4b48ad96581de0d0baf722dacaa8a1d60d06f83fd7ad8e2af121a2b4b1350f1c

Analysis

max time kernel
122s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe
Size

112KB
MD5

0a7007f5802841664a2c589d2a4e9bce
SHA1

b0a611f22be148ad804382b2063929b619172beb
SHA256

4b48ad96581de0d0baf722dacaa8a1d60d06f83fd7ad8e2af121a2b4b1350f1c
SHA512

c665dee4a5bc6e7633a32d70e8782d687817861a85d974668e891c4198a518a6edf034685b3fb77a10501fb034988cc2a0112d4afd5d733f2dea40857f506121
SSDEEP

1536:LPqKgbwDeVyAUHwGvVJrYJeyxWxVhkITI5ywWFfB8lBTxe5P1PJ:9gbwDKyLwGvTrYkg6BJR6ns5PFJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2388	BCSSync.exe
2408	BCSSync.exe
2384	BCSSync.exe

Loads dropped DLL 4 IoCs

pid	Process
2948	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe
2948	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe
2388	BCSSync.exe
2408	BCSSync.exe

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	178.162.181.106
Destination IP	178.162.181.106
Destination IP	178.162.181.106
Destination IP	178.162.181.106
Destination IP	178.162.181.106
Destination IP	178.162.181.106
Destination IP	178.162.181.106
Destination IP	178.162.181.106
Destination IP	178.162.181.106
Destination IP	178.162.181.106

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1620 set thread context of 2120	1620	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe	28
PID 2120 set thread context of 2948	2120	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe	29
PID 2388 set thread context of 2408	2388	BCSSync.exe	31
PID 2408 set thread context of 2384	2408	BCSSync.exe	32

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\4qq6O.com	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2948	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe
2384	BCSSync.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1620	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe
2388	BCSSync.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2120	1620	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe	28
PID 1620 wrote to memory of 2120	1620	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe	28
PID 1620 wrote to memory of 2120	1620	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe	28
PID 1620 wrote to memory of 2120	1620	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe	28
PID 1620 wrote to memory of 2120	1620	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe	28
PID 1620 wrote to memory of 2120	1620	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe	28
PID 1620 wrote to memory of 2120	1620	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe	28
PID 1620 wrote to memory of 2120	1620	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe	28
PID 1620 wrote to memory of 2120	1620	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe	28
PID 2120 wrote to memory of 2948	2120	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe	29
PID 2120 wrote to memory of 2948	2120	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe	29
PID 2120 wrote to memory of 2948	2120	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe	29
PID 2120 wrote to memory of 2948	2120	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe	29
PID 2120 wrote to memory of 2948	2120	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe	29
PID 2120 wrote to memory of 2948	2120	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe	29
PID 2120 wrote to memory of 2948	2120	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe	29
PID 2120 wrote to memory of 2948	2120	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe	29
PID 2120 wrote to memory of 2948	2120	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe	29
PID 2948 wrote to memory of 2388	2948	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe	30
PID 2948 wrote to memory of 2388	2948	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe	30
PID 2948 wrote to memory of 2388	2948	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe	30
PID 2948 wrote to memory of 2388	2948	0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2408	2388	BCSSync.exe	31
PID 2388 wrote to memory of 2408	2388	BCSSync.exe	31
PID 2388 wrote to memory of 2408	2388	BCSSync.exe	31
PID 2388 wrote to memory of 2408	2388	BCSSync.exe	31
PID 2388 wrote to memory of 2408	2388	BCSSync.exe	31
PID 2388 wrote to memory of 2408	2388	BCSSync.exe	31
PID 2388 wrote to memory of 2408	2388	BCSSync.exe	31
PID 2388 wrote to memory of 2408	2388	BCSSync.exe	31
PID 2388 wrote to memory of 2408	2388	BCSSync.exe	31
PID 2408 wrote to memory of 2384	2408	BCSSync.exe	32
PID 2408 wrote to memory of 2384	2408	BCSSync.exe	32
PID 2408 wrote to memory of 2384	2408	BCSSync.exe	32
PID 2408 wrote to memory of 2384	2408	BCSSync.exe	32
PID 2408 wrote to memory of 2384	2408	BCSSync.exe	32
PID 2408 wrote to memory of 2384	2408	BCSSync.exe	32
PID 2408 wrote to memory of 2384	2408	BCSSync.exe	32
PID 2408 wrote to memory of 2384	2408	BCSSync.exe	32
PID 2408 wrote to memory of 2384	2408	BCSSync.exe	32
PID 2384 wrote to memory of 2636	2384	BCSSync.exe	33
PID 2384 wrote to memory of 2636	2384	BCSSync.exe	33
PID 2384 wrote to memory of 2636	2384	BCSSync.exe	33
PID 2384 wrote to memory of 2636	2384	BCSSync.exe	33

C:\Users\Admin\AppData\Local\Temp\0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\AppData\Local\Temp\0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Users\Admin\AppData\Local\Temp\0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\0a7007f5802841664a2c589d2a4e9bce_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2388
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2408
      - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"
        7⤵
        
        PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
112KB

MD5
d9def76f7ae87c39ce6629c47e42b2c8

SHA1
e23c5c03f2eb4adae7463cc6199e70bdf96dd41d

SHA256
4dcc72e21d71e7ef57c62202f90e797c1f065718db0badde09fa93239d91b684

SHA512
158e5b91331e7c029643f5b82dbd55b0d73c2f7dd04dd6b3644ffb1e4b1a77ab7bf447ea86ad3d391077209df459c31d297f80f5b6a2d437df16db4b60bd8caa

Download Submit
memory/2120-2-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2120-4-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2120-5-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2120-19-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2384-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2408-57-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2948-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2948-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2948-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2948-21-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2948-16-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2948-41-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2948-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2948-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2948-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download