0f38f3e076a9431243ec072ab5f360620bf1a817e490222b49d39d46a6737f15

General

Target

605377a80ef3b5ec88ab4687e1878735_JaffaCakes118.exe
Size

91KB
MD5

605377a80ef3b5ec88ab4687e1878735
SHA1

16301f2d564e4225f83d6ab458a0c47df8718e67
SHA256

0f38f3e076a9431243ec072ab5f360620bf1a817e490222b49d39d46a6737f15
SHA512

76a9e4b5f4ad2062bdda5c54ed66792cd9d9e7015ec1b174d10b44f79c80e17c914fc4a4caf184105ed8b1788126324a44fdac009f9930157f50bfac9f141bc5
SSDEEP

1536:ZiDLG7z8p+SZjBHdEhIxBtS5Q5grdU3+kNS9Y/bmF6uIo6nX7mNeomBZzJ1J+B0b:ZifEzyPHdEaaQ5g2Ow2Y/bmF65NCNeoS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1484	BCSSync.exe
1252	BCSSync.exe

Loads dropped DLL 3 IoCs

pid	Process
2120	605377a80ef3b5ec88ab4687e1878735_JaffaCakes118.exe
2120	605377a80ef3b5ec88ab4687e1878735_JaffaCakes118.exe
1484	BCSSync.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1820 set thread context of 2120	1820	605377a80ef3b5ec88ab4687e1878735_JaffaCakes118.exe	30
PID 1484 set thread context of 1252	1484	BCSSync.exe	33

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	605377a80ef3b5ec88ab4687e1878735_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	605377a80ef3b5ec88ab4687e1878735_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2120	605377a80ef3b5ec88ab4687e1878735_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2120	1820	605377a80ef3b5ec88ab4687e1878735_JaffaCakes118.exe	30
PID 1820 wrote to memory of 2120	1820	605377a80ef3b5ec88ab4687e1878735_JaffaCakes118.exe	30
PID 1820 wrote to memory of 2120	1820	605377a80ef3b5ec88ab4687e1878735_JaffaCakes118.exe	30
PID 1820 wrote to memory of 2120	1820	605377a80ef3b5ec88ab4687e1878735_JaffaCakes118.exe	30
PID 1820 wrote to memory of 2120	1820	605377a80ef3b5ec88ab4687e1878735_JaffaCakes118.exe	30
PID 1820 wrote to memory of 2120	1820	605377a80ef3b5ec88ab4687e1878735_JaffaCakes118.exe	30
PID 1820 wrote to memory of 2120	1820	605377a80ef3b5ec88ab4687e1878735_JaffaCakes118.exe	30
PID 1820 wrote to memory of 2120	1820	605377a80ef3b5ec88ab4687e1878735_JaffaCakes118.exe	30
PID 1820 wrote to memory of 2120	1820	605377a80ef3b5ec88ab4687e1878735_JaffaCakes118.exe	30
PID 2120 wrote to memory of 1484	2120	605377a80ef3b5ec88ab4687e1878735_JaffaCakes118.exe	32
PID 2120 wrote to memory of 1484	2120	605377a80ef3b5ec88ab4687e1878735_JaffaCakes118.exe	32
PID 2120 wrote to memory of 1484	2120	605377a80ef3b5ec88ab4687e1878735_JaffaCakes118.exe	32
PID 2120 wrote to memory of 1484	2120	605377a80ef3b5ec88ab4687e1878735_JaffaCakes118.exe	32
PID 1484 wrote to memory of 1252	1484	BCSSync.exe	33
PID 1484 wrote to memory of 1252	1484	BCSSync.exe	33
PID 1484 wrote to memory of 1252	1484	BCSSync.exe	33
PID 1484 wrote to memory of 1252	1484	BCSSync.exe	33
PID 1484 wrote to memory of 1252	1484	BCSSync.exe	33
PID 1484 wrote to memory of 1252	1484	BCSSync.exe	33
PID 1484 wrote to memory of 1252	1484	BCSSync.exe	33
PID 1484 wrote to memory of 1252	1484	BCSSync.exe	33
PID 1484 wrote to memory of 1252	1484	BCSSync.exe	33
PID 1252 wrote to memory of 2304	1252	BCSSync.exe	34
PID 1252 wrote to memory of 2304	1252	BCSSync.exe	34
PID 1252 wrote to memory of 2304	1252	BCSSync.exe	34
PID 1252 wrote to memory of 2304	1252	BCSSync.exe	34

C:\Users\Admin\AppData\Local\Temp\605377a80ef3b5ec88ab4687e1878735_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\605377a80ef3b5ec88ab4687e1878735_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Local\Temp\605377a80ef3b5ec88ab4687e1878735_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\605377a80ef3b5ec88ab4687e1878735_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\605377a80ef3b5ec88ab4687e1878735_JaffaCakes118.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\605377a80ef3b5ec88ab4687e1878735_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1252
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\605377a80ef3b5ec88ab4687e1878735_JaffaCakes118.exe
        5⤵
        
        PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
91KB

MD5
16b2b3496896521ab9029231946e8882

SHA1
72cadd15963013c10d25838bc207e418adacfa00

SHA256
e087f55c3e23f9823664bedcd57ee30df33566ba0b10ab8f3472ac33e7229849

SHA512
9317c1379ea8dcf1885460bee4ae4393e0a6f638b931e1f3f14fa7612fee8f317d657705a36cbf4c2ccee92e50f4d28a630439602bb4bcf1cd6ca20af04c3b15

Download Submit
memory/1252-42-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2120-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2120-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2120-13-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2120-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2120-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2120-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2120-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2120-40-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing