bc039aab01423e8aabd061e2fdbb46d5e8392b11d7141b84b3b43f6100bbdaf3

General

Target

d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe
Size

91KB
MD5

d64a8db0d6c990f5ca5c5d951a9c05ff
SHA1

3450bf85c79b9162116b7b3b960346291239d30f
SHA256

bc039aab01423e8aabd061e2fdbb46d5e8392b11d7141b84b3b43f6100bbdaf3
SHA512

ca0d6f68e864f65a560e8c8577fc6aca22f648c62e696973ee38b064e745cde03904c745ae1a745dbb168ed4b9de1779caa4bb554ef9ac09edb48a17a2564b4f
SSDEEP

1536:ZiDLG7z8p+SZjBHdEhIxBtS5Q5grdU3+kNS9Y/bmF6uIo6nX7mNeomBZzJ1J+B0j:ZifEzyPHdEaaQ5g2Ow2Y/bmF65NCNeoS

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3036	BCSSync.exe
2768	BCSSync.exe

Loads dropped DLL 3 IoCs

pid	Process
1764	d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe
1764	d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe
3036	BCSSync.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2072 set thread context of 1764	2072	d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe	31
PID 3036 set thread context of 2768	3036	BCSSync.exe	33

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync .exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1764	d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 1764	2072	d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe	31
PID 2072 wrote to memory of 1764	2072	d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe	31
PID 2072 wrote to memory of 1764	2072	d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe	31
PID 2072 wrote to memory of 1764	2072	d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe	31
PID 2072 wrote to memory of 1764	2072	d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe	31
PID 2072 wrote to memory of 1764	2072	d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe	31
PID 2072 wrote to memory of 1764	2072	d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe	31
PID 2072 wrote to memory of 1764	2072	d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe	31
PID 2072 wrote to memory of 1764	2072	d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe	31
PID 1764 wrote to memory of 3036	1764	d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe	32
PID 1764 wrote to memory of 3036	1764	d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe	32
PID 1764 wrote to memory of 3036	1764	d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe	32
PID 1764 wrote to memory of 3036	1764	d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe	32
PID 3036 wrote to memory of 2768	3036	BCSSync.exe	33
PID 3036 wrote to memory of 2768	3036	BCSSync.exe	33
PID 3036 wrote to memory of 2768	3036	BCSSync.exe	33
PID 3036 wrote to memory of 2768	3036	BCSSync.exe	33
PID 3036 wrote to memory of 2768	3036	BCSSync.exe	33
PID 3036 wrote to memory of 2768	3036	BCSSync.exe	33
PID 3036 wrote to memory of 2768	3036	BCSSync.exe	33
PID 3036 wrote to memory of 2768	3036	BCSSync.exe	33
PID 3036 wrote to memory of 2768	3036	BCSSync.exe	33
PID 2768 wrote to memory of 2316	2768	BCSSync.exe	34
PID 2768 wrote to memory of 2316	2768	BCSSync.exe	34
PID 2768 wrote to memory of 2316	2768	BCSSync.exe	34
PID 2768 wrote to memory of 2316	2768	BCSSync.exe	34

C:\Users\Admin\AppData\Local\Temp\d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\d64a8db0d6c990f5ca5c5d951a9c05ff_JaffaCakes118.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
91KB

MD5
0483a4d2276ddb81716cfce5d2324ad0

SHA1
7c48b83c164a503d73c06771954b7fe1aeaaeaaf

SHA256
e43e1119d032190eb319ba11c4a170eacaaa2033e7ac215515dc6de546cae96f

SHA512
e5ee0dbb9af13c3f2bbe341dad5755d2e6d20977c2f974679667d50d2b7daa8d952e17f078fb39c34aa61f8e6ec4b8f0265b7f93d7354246d76b884ee5e5a736

Download Submit
memory/1764-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1764-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1764-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1764-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1764-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1764-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1764-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1764-40-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1764-39-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2768-42-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2768-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing