6a8b69b186425d99274e2f062cf6e4dba5d97626331708c2dc20c2e393b9db99

Analysis

max time kernel
118s
max time network
113s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20-08-2024 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe
Size

68KB
MD5

afbfb8ee1118aa89a519f72a9209d771
SHA1

d61b263ddc1d60006d6312a2badaa2abc3c73f27
SHA256

6a8b69b186425d99274e2f062cf6e4dba5d97626331708c2dc20c2e393b9db99
SHA512

869698d78a22a3337d9c2e3a7ec64013d0441a8822351c306e7d4d36fdc7b1c2a9ae21cf998a06c26e1ab0058b10ce90928e1c1462c132938ca27e0166d93d9d
SSDEEP

1536:r1BvK2hM46fGBCzSfNNI6yx8Hoh3eypmrYbwWoe:r1BvK7pmCzSlNILr7mrle

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2288	BCSSync.exe
2372	BCSSync.exe

Loads dropped DLL 3 IoCs

pid	Process
1972	afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe
1972	afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe
2288	BCSSync.exe

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1984 set thread context of 1972	1984	afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe	30
PID 2288 set thread context of 2372	2288	BCSSync.exe	32

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1972	1984	afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1972	1984	afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1972	1984	afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1972	1984	afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1972	1984	afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1972	1984	afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1972	1984	afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1972	1984	afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1972	1984	afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1972	1984	afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe	30
PID 1972 wrote to memory of 2288	1972	afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe	31
PID 1972 wrote to memory of 2288	1972	afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe	31
PID 1972 wrote to memory of 2288	1972	afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe	31
PID 1972 wrote to memory of 2288	1972	afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe	31
PID 2288 wrote to memory of 2372	2288	BCSSync.exe	32
PID 2288 wrote to memory of 2372	2288	BCSSync.exe	32
PID 2288 wrote to memory of 2372	2288	BCSSync.exe	32
PID 2288 wrote to memory of 2372	2288	BCSSync.exe	32
PID 2288 wrote to memory of 2372	2288	BCSSync.exe	32
PID 2288 wrote to memory of 2372	2288	BCSSync.exe	32
PID 2288 wrote to memory of 2372	2288	BCSSync.exe	32
PID 2288 wrote to memory of 2372	2288	BCSSync.exe	32
PID 2288 wrote to memory of 2372	2288	BCSSync.exe	32
PID 2288 wrote to memory of 2372	2288	BCSSync.exe	32
PID 2372 wrote to memory of 2716	2372	BCSSync.exe	33
PID 2372 wrote to memory of 2716	2372	BCSSync.exe	33
PID 2372 wrote to memory of 2716	2372	BCSSync.exe	33
PID 2372 wrote to memory of 2716	2372	BCSSync.exe	33

C:\Users\Admin\AppData\Local\Temp\afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2372
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\afbfb8ee1118aa89a519f72a9209d771_JaffaCakes118.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
68KB

MD5
f580c29ddf5acfb6caaf84e441bbd800

SHA1
49e03f76d184e43dbc34754c143ad1cafdb0b040

SHA256
b12383caf4aeb8d1e4c5dc9d68c72de451d9829f8893197deedba5bbab279617

SHA512
84c8ea98d859ea893ba642873050488873371211a38203da2f7973bb94e9b7e4785eafdb8bb6d2691954212b845a12ffec9dfb8179a9897228202aa5291497eb

Download Submit
memory/1972-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1972-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1972-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1972-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1972-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1972-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1972-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1972-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1972-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2372-45-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download