9d241adc5202fb94ef9e5f4a305a75a8341dd0e491a4162502dd7884abd3c447

Analysis

max time kernel
118s
max time network
117s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5be423c25fa3e6a6022de20f282ff7cb_JaffaCakes118.exe
Size

68KB
MD5

5be423c25fa3e6a6022de20f282ff7cb
SHA1

b9d80693cb562ae2d14506d1c873505a2314eac7
SHA256

9d241adc5202fb94ef9e5f4a305a75a8341dd0e491a4162502dd7884abd3c447
SHA512

8bc15e70cb21d2721e26efd5dc66f1981f3651140e22a0900e85b1e63244ed91ec2c8c09cde2a1ef491a205ade15f84335c0aa641b45d07a61e0f66bc61d4adc
SSDEEP

1536:r1BvK2hM46fGBCzSfNNI6yx8Hoh3eypmrYbwWoE:r1BvK7pmCzSlNILr7mrlE

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2172	BCSSync.exe
2832	BCSSync.exe

Loads dropped DLL 3 IoCs

pid	Process
2564	5be423c25fa3e6a6022de20f282ff7cb_JaffaCakes118.exe
2564	5be423c25fa3e6a6022de20f282ff7cb_JaffaCakes118.exe
2172	BCSSync.exe

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3012 set thread context of 2564	3012	5be423c25fa3e6a6022de20f282ff7cb_JaffaCakes118.exe	30
PID 2172 set thread context of 2832	2172	BCSSync.exe	33

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	5be423c25fa3e6a6022de20f282ff7cb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	5be423c25fa3e6a6022de20f282ff7cb_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2564	3012	5be423c25fa3e6a6022de20f282ff7cb_JaffaCakes118.exe	30
PID 3012 wrote to memory of 2564	3012	5be423c25fa3e6a6022de20f282ff7cb_JaffaCakes118.exe	30
PID 3012 wrote to memory of 2564	3012	5be423c25fa3e6a6022de20f282ff7cb_JaffaCakes118.exe	30
PID 3012 wrote to memory of 2564	3012	5be423c25fa3e6a6022de20f282ff7cb_JaffaCakes118.exe	30
PID 3012 wrote to memory of 2564	3012	5be423c25fa3e6a6022de20f282ff7cb_JaffaCakes118.exe	30
PID 3012 wrote to memory of 2564	3012	5be423c25fa3e6a6022de20f282ff7cb_JaffaCakes118.exe	30
PID 3012 wrote to memory of 2564	3012	5be423c25fa3e6a6022de20f282ff7cb_JaffaCakes118.exe	30
PID 3012 wrote to memory of 2564	3012	5be423c25fa3e6a6022de20f282ff7cb_JaffaCakes118.exe	30
PID 3012 wrote to memory of 2564	3012	5be423c25fa3e6a6022de20f282ff7cb_JaffaCakes118.exe	30
PID 3012 wrote to memory of 2564	3012	5be423c25fa3e6a6022de20f282ff7cb_JaffaCakes118.exe	30
PID 2564 wrote to memory of 2172	2564	5be423c25fa3e6a6022de20f282ff7cb_JaffaCakes118.exe	32
PID 2564 wrote to memory of 2172	2564	5be423c25fa3e6a6022de20f282ff7cb_JaffaCakes118.exe	32
PID 2564 wrote to memory of 2172	2564	5be423c25fa3e6a6022de20f282ff7cb_JaffaCakes118.exe	32
PID 2564 wrote to memory of 2172	2564	5be423c25fa3e6a6022de20f282ff7cb_JaffaCakes118.exe	32
PID 2172 wrote to memory of 2832	2172	BCSSync.exe	33
PID 2172 wrote to memory of 2832	2172	BCSSync.exe	33
PID 2172 wrote to memory of 2832	2172	BCSSync.exe	33
PID 2172 wrote to memory of 2832	2172	BCSSync.exe	33
PID 2172 wrote to memory of 2832	2172	BCSSync.exe	33
PID 2172 wrote to memory of 2832	2172	BCSSync.exe	33
PID 2172 wrote to memory of 2832	2172	BCSSync.exe	33
PID 2172 wrote to memory of 2832	2172	BCSSync.exe	33
PID 2172 wrote to memory of 2832	2172	BCSSync.exe	33
PID 2172 wrote to memory of 2832	2172	BCSSync.exe	33
PID 2832 wrote to memory of 2944	2832	BCSSync.exe	34
PID 2832 wrote to memory of 2944	2832	BCSSync.exe	34
PID 2832 wrote to memory of 2944	2832	BCSSync.exe	34
PID 2832 wrote to memory of 2944	2832	BCSSync.exe	34

C:\Users\Admin\AppData\Local\Temp\5be423c25fa3e6a6022de20f282ff7cb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5be423c25fa3e6a6022de20f282ff7cb_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\5be423c25fa3e6a6022de20f282ff7cb_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5be423c25fa3e6a6022de20f282ff7cb_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\5be423c25fa3e6a6022de20f282ff7cb_JaffaCakes118.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\5be423c25fa3e6a6022de20f282ff7cb_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\5be423c25fa3e6a6022de20f282ff7cb_JaffaCakes118.exe
        5⤵
        
        PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
68KB

MD5
396357fc4a6b467a1d8add8c64ebdf3e

SHA1
ba8fa8cd3eab26208c2bb529605f77f6c23e514a

SHA256
b2677d8abc8c5bc5a5a0f5af1c86004de7ba74b841acb734b8238a0b49e200a2

SHA512
a1b0cec215bd06a5a87f34ceae8ee99e483946eaa47b3af8ae9a2b79075f54bb7886a0ed18983ecb902cc616142a79f2589bd76783305b5d2f822ab73930576e

Download Submit
memory/2564-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2564-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2564-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2564-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2564-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2564-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2564-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2564-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2564-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2832-46-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download