68a01eef484d134f3696ccb616620c60f4ae1d706432344a4ccd9c1c6d3f99b4

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 21:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe
Size

71KB
MD5

690d2180b8963c8b02c0ff72140c9868
SHA1

4ec10913cbb0a1f4ba68672272d5e83dff79902f
SHA256

68a01eef484d134f3696ccb616620c60f4ae1d706432344a4ccd9c1c6d3f99b4
SHA512

966ce05c6c79e5fa6f920ca168fb2722f915fa2819a5a97538297ba5c5ecc3f0139a8c4d13a228e195929cd43700a7d8471c4fc6f259e6979b389579df585096
SSDEEP

1536:6MTKdJYU4zxN3j7Cy672stRJ971Zr+vzC1kQ:fT8JYU4dZj7Cy02stF11+vzxQ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2512	BCSSync.exe
2728	BCSSync.exe

Loads dropped DLL 3 IoCs

pid	Process
2352	690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe
2352	690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe
2512	BCSSync.exe

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2140 set thread context of 2352	2140	690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe	30
PID 2512 set thread context of 2728	2512	BCSSync.exe	33

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync .exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2352	690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe
2728	BCSSync.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2352	2140	690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2352	2140	690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2352	2140	690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2352	2140	690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2352	2140	690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2352	2140	690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2352	2140	690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2352	2140	690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2352	2140	690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2352	2140	690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe	30
PID 2352 wrote to memory of 2512	2352	690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe	32
PID 2352 wrote to memory of 2512	2352	690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe	32
PID 2352 wrote to memory of 2512	2352	690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe	32
PID 2352 wrote to memory of 2512	2352	690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe	32
PID 2512 wrote to memory of 2728	2512	BCSSync.exe	33
PID 2512 wrote to memory of 2728	2512	BCSSync.exe	33
PID 2512 wrote to memory of 2728	2512	BCSSync.exe	33
PID 2512 wrote to memory of 2728	2512	BCSSync.exe	33
PID 2512 wrote to memory of 2728	2512	BCSSync.exe	33
PID 2512 wrote to memory of 2728	2512	BCSSync.exe	33
PID 2512 wrote to memory of 2728	2512	BCSSync.exe	33
PID 2512 wrote to memory of 2728	2512	BCSSync.exe	33
PID 2512 wrote to memory of 2728	2512	BCSSync.exe	33
PID 2512 wrote to memory of 2728	2512	BCSSync.exe	33
PID 2728 wrote to memory of 2924	2728	BCSSync.exe	34
PID 2728 wrote to memory of 2924	2728	BCSSync.exe	34
PID 2728 wrote to memory of 2924	2728	BCSSync.exe	34
PID 2728 wrote to memory of 2924	2728	BCSSync.exe	34

C:\Users\Admin\AppData\Local\Temp\690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\690d2180b8963c8b02c0ff72140c9868_JaffaCakes118.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
71KB

MD5
95a2ec3317330de4a06f28fec3404206

SHA1
ba8212baf400025cb6a8d31765662f78851b8483

SHA256
13604a64f168ee8b484b20c3dc0c2c4dc237846a07c553fe728e102811bb21c1

SHA512
a6bb2675babcac112577dbc5044228a74192b554b456bf9792a47d83c55b6874d58d84a5e483f776b508898f19b3da16938170b1c9dec630ad45897fb97d2242

Download Submit
memory/2352-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2352-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2352-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2352-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2352-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2352-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2352-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2352-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2352-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2728-46-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download