145a9f820f2b9fbb5589ce32b0a3e69fe50c1de791f633323950b6225293c9a7

General

Target

cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe
Size

43KB
MD5

cdf37bdbb1fd8e9ff085285960649e50
SHA1

a82c5a889e3dd5d1bc19f453ed6bf143cf9c8bb7
SHA256

145a9f820f2b9fbb5589ce32b0a3e69fe50c1de791f633323950b6225293c9a7
SHA512

5c414d9e7092f2ab2520d29442f8d9bc5a37d96ac1a403447b709a59bc6e68fe15163535a433a441dd07268d9b0789170d92eaf966e093336ddbb46513acca4c
SSDEEP

768:sbTqavYjTvEBTfVDAyNX8PFOJ40feIaFzSUqSH3Uxd:sbTqBjT8fhAyF8NKeIaJExd

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2984	BCSSync.exe
2940	BCSSync.exe

Loads dropped DLL 3 IoCs

pid	Process
2144	cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe
2144	cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe
2984	BCSSync.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2604 set thread context of 2144	2604	cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe	29
PID 2984 set thread context of 2940	2984	BCSSync.exe	31

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\H4UpI5yc.com	cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2144	cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2144	2604	cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe	29
PID 2604 wrote to memory of 2144	2604	cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe	29
PID 2604 wrote to memory of 2144	2604	cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe	29
PID 2604 wrote to memory of 2144	2604	cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe	29
PID 2604 wrote to memory of 2144	2604	cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe	29
PID 2604 wrote to memory of 2144	2604	cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe	29
PID 2604 wrote to memory of 2144	2604	cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe	29
PID 2604 wrote to memory of 2144	2604	cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe	29
PID 2604 wrote to memory of 2144	2604	cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe	29
PID 2144 wrote to memory of 2984	2144	cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe	30
PID 2144 wrote to memory of 2984	2144	cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe	30
PID 2144 wrote to memory of 2984	2144	cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe	30
PID 2144 wrote to memory of 2984	2144	cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe	30
PID 2984 wrote to memory of 2940	2984	BCSSync.exe	31
PID 2984 wrote to memory of 2940	2984	BCSSync.exe	31
PID 2984 wrote to memory of 2940	2984	BCSSync.exe	31
PID 2984 wrote to memory of 2940	2984	BCSSync.exe	31
PID 2984 wrote to memory of 2940	2984	BCSSync.exe	31
PID 2984 wrote to memory of 2940	2984	BCSSync.exe	31
PID 2984 wrote to memory of 2940	2984	BCSSync.exe	31
PID 2984 wrote to memory of 2940	2984	BCSSync.exe	31
PID 2984 wrote to memory of 2940	2984	BCSSync.exe	31
PID 2940 wrote to memory of 2212	2940	BCSSync.exe	32
PID 2940 wrote to memory of 2212	2940	BCSSync.exe	32
PID 2940 wrote to memory of 2212	2940	BCSSync.exe	32
PID 2940 wrote to memory of 2212	2940	BCSSync.exe	32

C:\Users\Admin\AppData\Local\Temp\cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Local\Temp\cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\cdf37bdbb1fd8e9ff085285960649e50_JaffaCakes118.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
43KB

MD5
43dbca3e05a7eeb3edfab8b72e964cbb

SHA1
74b5ca0c8ac0bfb6e90f408337793b370b5662b2

SHA256
fdfdfcfe177433f7f3e761e37f2f7bb394bee987745a8f0442a9d44cc1773f34

SHA512
72cadaf6c378fc13553e5d7c6e194fae35c27dab3ef9db832439825ce0a2875d17a426704a66e3aefc17b318dc71d69a6e3e431a1b05374051ac64222da73f8d

Download Submit
memory/2144-14-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/2144-13-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2144-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2144-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2144-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2144-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2144-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2144-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2144-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2940-46-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing