ac4f5cd653b7d559fd04c0b683c69096ea44adff4dec6e2a152c1c4d9d48c153

General

Target

55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe
Size

34KB
MD5

55a3caa4238cfe96208b162e0f5d35ba
SHA1

1942eccb4f11a4932666d8d4196e8286b3d2ab12
SHA256

ac4f5cd653b7d559fd04c0b683c69096ea44adff4dec6e2a152c1c4d9d48c153
SHA512

2f24cfbccd5b25640f99e98070349d960ae77517bd520cc4c14431a7cfba9efda72935770db43c8b0a2933f6f9fdcef81294dc6ba607e8ea2902bb71528aa291
SSDEEP

768:GwkBWuF+Wk5uMXYxiGmsox40ebUKAUdI2gQa5WND1QH4:GBBWuFfw7YxitsoL/+mVYuY

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3068	BCSSync.exe
2660	BCSSync.exe

Loads dropped DLL 3 IoCs

pid	Process
2112	55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe
2112	55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe
3068	BCSSync.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2224 set thread context of 2112	2224	55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe	31
PID 3068 set thread context of 2660	3068	BCSSync.exe	33

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\gLB6b6w1.com	55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2112	55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2112	2224	55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe	31
PID 2224 wrote to memory of 2112	2224	55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe	31
PID 2224 wrote to memory of 2112	2224	55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe	31
PID 2224 wrote to memory of 2112	2224	55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe	31
PID 2224 wrote to memory of 2112	2224	55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe	31
PID 2224 wrote to memory of 2112	2224	55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe	31
PID 2224 wrote to memory of 2112	2224	55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe	31
PID 2224 wrote to memory of 2112	2224	55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe	31
PID 2224 wrote to memory of 2112	2224	55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe	31
PID 2112 wrote to memory of 3068	2112	55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe	32
PID 2112 wrote to memory of 3068	2112	55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe	32
PID 2112 wrote to memory of 3068	2112	55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe	32
PID 2112 wrote to memory of 3068	2112	55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe	32
PID 3068 wrote to memory of 2660	3068	BCSSync.exe	33
PID 3068 wrote to memory of 2660	3068	BCSSync.exe	33
PID 3068 wrote to memory of 2660	3068	BCSSync.exe	33
PID 3068 wrote to memory of 2660	3068	BCSSync.exe	33
PID 3068 wrote to memory of 2660	3068	BCSSync.exe	33
PID 3068 wrote to memory of 2660	3068	BCSSync.exe	33
PID 3068 wrote to memory of 2660	3068	BCSSync.exe	33
PID 3068 wrote to memory of 2660	3068	BCSSync.exe	33
PID 3068 wrote to memory of 2660	3068	BCSSync.exe	33
PID 2660 wrote to memory of 2272	2660	BCSSync.exe	34
PID 2660 wrote to memory of 2272	2660	BCSSync.exe	34
PID 2660 wrote to memory of 2272	2660	BCSSync.exe	34
PID 2660 wrote to memory of 2272	2660	BCSSync.exe	34

C:\Users\Admin\AppData\Local\Temp\55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\55a3caa4238cfe96208b162e0f5d35ba_JaffaCakes118.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
34KB

MD5
4d38680cf84a3798331d2633f85a610e

SHA1
99be6f77d46821553b925715fdce1a648737fc1c

SHA256
4487b819fc41b31a312998675fb919d144f1e0a8e0945cbc24c0645ffce6717f

SHA512
d41f22cfc2aa5fc62938a8aa360cd46b482dd2755991b903b8e69aac44357b86808a4cb9af6efff3c4d77c7e2972a888dec4c1aba45c5ea730d92e00f1ea581d

Download Submit
memory/2112-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2112-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2112-13-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2112-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2112-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2112-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2112-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2112-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2112-14-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/2660-46-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing