17122aefaf6c07261ce14dc73369d458444c723b8cd96c9e4fed44fadd64452f

General

Target

2d542b5652e925caaf0499abfdf12b95_JaffaCakes118.exe
Size

37KB
MD5

2d542b5652e925caaf0499abfdf12b95
SHA1

48348dabaeaf5290dddd179eda698f9462769e4f
SHA256

17122aefaf6c07261ce14dc73369d458444c723b8cd96c9e4fed44fadd64452f
SHA512

ea13c71b510e1089aa408c84ccbb4efeb4137be67221b95a342d25277ee68f385abb2fb656dc9b380f0163be0c5dd11c8e35677a69fff592999c493333501667
SSDEEP

768:edIZ/alwuAknNWuCMQpb0ruFm1YqTrmHwbLyMy0:edILlknNU4rOobbLyn0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1928	BCSSync.exe
2244	BCSSync.exe

Loads dropped DLL 3 IoCs

pid	Process
496	2d542b5652e925caaf0499abfdf12b95_JaffaCakes118.exe
496	2d542b5652e925caaf0499abfdf12b95_JaffaCakes118.exe
1928	BCSSync.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2304 set thread context of 496	2304	2d542b5652e925caaf0499abfdf12b95_JaffaCakes118.exe	30
PID 1928 set thread context of 2244	1928	BCSSync.exe	33

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	2d542b5652e925caaf0499abfdf12b95_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	2d542b5652e925caaf0499abfdf12b95_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
496	2d542b5652e925caaf0499abfdf12b95_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 496	2304	2d542b5652e925caaf0499abfdf12b95_JaffaCakes118.exe	30
PID 2304 wrote to memory of 496	2304	2d542b5652e925caaf0499abfdf12b95_JaffaCakes118.exe	30
PID 2304 wrote to memory of 496	2304	2d542b5652e925caaf0499abfdf12b95_JaffaCakes118.exe	30
PID 2304 wrote to memory of 496	2304	2d542b5652e925caaf0499abfdf12b95_JaffaCakes118.exe	30
PID 2304 wrote to memory of 496	2304	2d542b5652e925caaf0499abfdf12b95_JaffaCakes118.exe	30
PID 2304 wrote to memory of 496	2304	2d542b5652e925caaf0499abfdf12b95_JaffaCakes118.exe	30
PID 2304 wrote to memory of 496	2304	2d542b5652e925caaf0499abfdf12b95_JaffaCakes118.exe	30
PID 2304 wrote to memory of 496	2304	2d542b5652e925caaf0499abfdf12b95_JaffaCakes118.exe	30
PID 2304 wrote to memory of 496	2304	2d542b5652e925caaf0499abfdf12b95_JaffaCakes118.exe	30
PID 496 wrote to memory of 1928	496	2d542b5652e925caaf0499abfdf12b95_JaffaCakes118.exe	32
PID 496 wrote to memory of 1928	496	2d542b5652e925caaf0499abfdf12b95_JaffaCakes118.exe	32
PID 496 wrote to memory of 1928	496	2d542b5652e925caaf0499abfdf12b95_JaffaCakes118.exe	32
PID 496 wrote to memory of 1928	496	2d542b5652e925caaf0499abfdf12b95_JaffaCakes118.exe	32
PID 1928 wrote to memory of 2244	1928	BCSSync.exe	33
PID 1928 wrote to memory of 2244	1928	BCSSync.exe	33
PID 1928 wrote to memory of 2244	1928	BCSSync.exe	33
PID 1928 wrote to memory of 2244	1928	BCSSync.exe	33
PID 1928 wrote to memory of 2244	1928	BCSSync.exe	33
PID 1928 wrote to memory of 2244	1928	BCSSync.exe	33
PID 1928 wrote to memory of 2244	1928	BCSSync.exe	33
PID 1928 wrote to memory of 2244	1928	BCSSync.exe	33
PID 1928 wrote to memory of 2244	1928	BCSSync.exe	33
PID 2244 wrote to memory of 2892	2244	BCSSync.exe	34
PID 2244 wrote to memory of 2892	2244	BCSSync.exe	34
PID 2244 wrote to memory of 2892	2244	BCSSync.exe	34
PID 2244 wrote to memory of 2892	2244	BCSSync.exe	34

C:\Users\Admin\AppData\Local\Temp\2d542b5652e925caaf0499abfdf12b95_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d542b5652e925caaf0499abfdf12b95_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\2d542b5652e925caaf0499abfdf12b95_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2d542b5652e925caaf0499abfdf12b95_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:496
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\2d542b5652e925caaf0499abfdf12b95_JaffaCakes118.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\2d542b5652e925caaf0499abfdf12b95_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\2d542b5652e925caaf0499abfdf12b95_JaffaCakes118.exe
        5⤵
        
        PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
fdccc8e9df9a16ee8545f79dfc3aeb9a

SHA1
a66ec1a01f8f5bc538efb7a4eed9bc46ed7d43e0

SHA256
90fafa50497665a50da98c81072e216d1acc16db99e0c24526ea94a1b84e48de

SHA512
aa50146cf880693cc69b0d228c1bd836d2d78e209dd75ec4953ff500871066283e1fc0affee95479f49c3fd890f8a2985a9dcdf0ff323e74b3e85f88355e95b9

Download Submit
memory/496-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/496-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/496-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/496-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/496-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/496-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/496-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/496-39-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2244-41-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing