c187d93d35918db508b65dc1160d177693c83ca710a9abe0fcf2bbce285deb93

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe
Size

68KB
MD5

eaa0419e101fe726fb0aed8ff3d72bfb
SHA1

44a1b64c9406468db09577e546eb05d180c769b5
SHA256

c187d93d35918db508b65dc1160d177693c83ca710a9abe0fcf2bbce285deb93
SHA512

fc8f20ea094926d7092e8553fc6bccb2f73e880f2c9a0559ac3c679d618ab720768b8fdcdbc4eb28b1f6b414a57c0678b275cdd643d1ec5e67bdd472c3ff0c61
SSDEEP

1536:r1BvK2hM46fGBCzSfNNI6yx8Hoh3eypmrYbwWo5:r1BvK7pmCzSlNILr7mrl5

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2256	BCSSync.exe
2972	BCSSync.exe

Loads dropped DLL 3 IoCs

pid	Process
2544	eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe
2544	eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe
2256	BCSSync.exe

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2364 set thread context of 2544	2364	eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe	31
PID 2256 set thread context of 2972	2256	BCSSync.exe	33

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync .exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2544	2364	eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2544	2364	eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2544	2364	eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2544	2364	eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2544	2364	eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2544	2364	eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2544	2364	eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2544	2364	eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2544	2364	eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2544	2364	eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe	31
PID 2544 wrote to memory of 2256	2544	eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe	32
PID 2544 wrote to memory of 2256	2544	eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe	32
PID 2544 wrote to memory of 2256	2544	eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe	32
PID 2544 wrote to memory of 2256	2544	eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe	32
PID 2256 wrote to memory of 2972	2256	BCSSync.exe	33
PID 2256 wrote to memory of 2972	2256	BCSSync.exe	33
PID 2256 wrote to memory of 2972	2256	BCSSync.exe	33
PID 2256 wrote to memory of 2972	2256	BCSSync.exe	33
PID 2256 wrote to memory of 2972	2256	BCSSync.exe	33
PID 2256 wrote to memory of 2972	2256	BCSSync.exe	33
PID 2256 wrote to memory of 2972	2256	BCSSync.exe	33
PID 2256 wrote to memory of 2972	2256	BCSSync.exe	33
PID 2256 wrote to memory of 2972	2256	BCSSync.exe	33
PID 2256 wrote to memory of 2972	2256	BCSSync.exe	33
PID 2972 wrote to memory of 2788	2972	BCSSync.exe	34
PID 2972 wrote to memory of 2788	2972	BCSSync.exe	34
PID 2972 wrote to memory of 2788	2972	BCSSync.exe	34
PID 2972 wrote to memory of 2788	2972	BCSSync.exe	34

C:\Users\Admin\AppData\Local\Temp\eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\eaa0419e101fe726fb0aed8ff3d72bfb_JaffaCakes118.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
68KB

MD5
3b1cb01ef22bdc58921c2d3271431784

SHA1
4d299b99b0fc6316ffc5153069a2c12e6c864093

SHA256
0fc994148b11b9d722494a979bb1a37e8d69ca20be1fdc45941edd0f24db369b

SHA512
edc12cb34c4165a12a4204729fc6f46efbafd27356fca79cc794d1cb32fa11c60190d67ab358d4f32dd3e6cbf0f43aa60eb33290ae57ad533bd71b0f1063f2bc

Download Submit
memory/2544-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2544-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2544-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2544-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2544-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2544-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2544-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2544-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2544-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2972-45-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download