fe1fbe65ae3b9491efdde3ac6017c7ece40ac332bb70242bdd1148a1ea4b1c56

General

Target

0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe
Size

36KB
MD5

0e661713f95b09b2b4a03f6b0244ea37
SHA1

66e15e4a393a758b514cb63292457abf13189b5c
SHA256

fe1fbe65ae3b9491efdde3ac6017c7ece40ac332bb70242bdd1148a1ea4b1c56
SHA512

a5f61037c9cddf77859516bea13dd6b18207addaed895352e457debec65a44c931c9d898dd981c530111df54cfffeb7b553d3433a1d74d8268c8aa3759174e80
SSDEEP

768:DlcTwpQJkYYTgOnHBqQTZqDsQw6AL7oh2q7vm6PrP2578Nkb8:h8wyJnYEOH9ZqDw8h3bzPD2me8

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2828	BCSSync.exe
3032	BCSSync.exe

Loads dropped DLL 3 IoCs

pid	Process
2292	0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe
2292	0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe
2828	BCSSync.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2936 set thread context of 2292	2936	0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe	30
PID 2828 set thread context of 3032	2828	BCSSync.exe	32

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2292	0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2292	2936	0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2292	2936	0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2292	2936	0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2292	2936	0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2292	2936	0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2292	2936	0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2292	2936	0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2292	2936	0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2292	2936	0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2828	2292	0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2828	2292	0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2828	2292	0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2828	2292	0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe	31
PID 2828 wrote to memory of 3032	2828	BCSSync.exe	32
PID 2828 wrote to memory of 3032	2828	BCSSync.exe	32
PID 2828 wrote to memory of 3032	2828	BCSSync.exe	32
PID 2828 wrote to memory of 3032	2828	BCSSync.exe	32
PID 2828 wrote to memory of 3032	2828	BCSSync.exe	32
PID 2828 wrote to memory of 3032	2828	BCSSync.exe	32
PID 2828 wrote to memory of 3032	2828	BCSSync.exe	32
PID 2828 wrote to memory of 3032	2828	BCSSync.exe	32
PID 2828 wrote to memory of 3032	2828	BCSSync.exe	32
PID 3032 wrote to memory of 2284	3032	BCSSync.exe	33
PID 3032 wrote to memory of 2284	3032	BCSSync.exe	33
PID 3032 wrote to memory of 2284	3032	BCSSync.exe	33
PID 3032 wrote to memory of 2284	3032	BCSSync.exe	33

C:\Users\Admin\AppData\Local\Temp\0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\0e661713f95b09b2b4a03f6b0244ea37_JaffaCakes118.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
36KB

MD5
06b08b24a780b3317a8ca2615b04acdb

SHA1
670c3ebae0e17a3d0bb18cdbc7cd4be36dd084a1

SHA256
02ece6ee029919fa7b7943622c8df349c4a0b17c2c0ca5576357f3198a066619

SHA512
95bb1c7ec7124e972c3ce84aac5e4ea2a4b98edbd391caa5842df38adc6121a299aba520d0ea41823107fe765507644e0d73071f9abe2d97090a83ee1f88b814

Download Submit
memory/2292-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2292-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2292-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2292-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2292-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2292-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2292-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2292-40-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2292-39-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3032-42-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3032-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing