8983f6c89f99d99042d339ed0622d120418276ec1f1d0e5444d9d3e8e12ba2af

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/10/2024, 10:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe
Size

112KB
MD5

5708a50b72ed61ea57d21a11d0ff9260
SHA1

d41e2931d5f7a595253e65eeca27a12940b948b2
SHA256

8983f6c89f99d99042d339ed0622d120418276ec1f1d0e5444d9d3e8e12ba2af
SHA512

722da46b53e4d5f9ac030c7086c1ac63ab3f390383fe9a7365bcddba98b506f826d8b4412faf53089a63540423bb6beb2d7148399ddf794f50a1c409995f52e9
SSDEEP

1536:LPqKgbwDeVyAUHwGvVJrYJeyxWxVhkITI5ywWFfB8lBTxe5P1PU:9gbwDKyLwGvTrYkg6BJR6ns5PFU

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2120	BCSSync.exe
2876	BCSSync.exe
2520	BCSSync.exe

Loads dropped DLL 4 IoCs

pid	Process
2932	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe
2932	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe
2120	BCSSync.exe
2876	BCSSync.exe

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	178.162.181.106
Destination IP	178.162.181.106
Destination IP	178.162.181.106
Destination IP	178.162.181.106
Destination IP	178.162.181.106
Destination IP	178.162.181.106
Destination IP	178.162.181.106
Destination IP	178.162.181.106
Destination IP	178.162.181.106
Destination IP	178.162.181.106

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1684 set thread context of 2432	1684	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe	28
PID 2432 set thread context of 2932	2432	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe	29
PID 2120 set thread context of 2876	2120	BCSSync.exe	31
PID 2876 set thread context of 2520	2876	BCSSync.exe	32

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\TWxJ735D.com	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync .exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2932	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe
2520	BCSSync.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1684	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe
2120	BCSSync.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2432	1684	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe	28
PID 1684 wrote to memory of 2432	1684	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe	28
PID 1684 wrote to memory of 2432	1684	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe	28
PID 1684 wrote to memory of 2432	1684	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe	28
PID 1684 wrote to memory of 2432	1684	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe	28
PID 1684 wrote to memory of 2432	1684	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe	28
PID 1684 wrote to memory of 2432	1684	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe	28
PID 1684 wrote to memory of 2432	1684	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe	28
PID 1684 wrote to memory of 2432	1684	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe	28
PID 2432 wrote to memory of 2932	2432	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe	29
PID 2432 wrote to memory of 2932	2432	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe	29
PID 2432 wrote to memory of 2932	2432	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe	29
PID 2432 wrote to memory of 2932	2432	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe	29
PID 2432 wrote to memory of 2932	2432	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe	29
PID 2432 wrote to memory of 2932	2432	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe	29
PID 2432 wrote to memory of 2932	2432	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe	29
PID 2432 wrote to memory of 2932	2432	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe	29
PID 2432 wrote to memory of 2932	2432	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe	29
PID 2932 wrote to memory of 2120	2932	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe	30
PID 2932 wrote to memory of 2120	2932	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe	30
PID 2932 wrote to memory of 2120	2932	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe	30
PID 2932 wrote to memory of 2120	2932	5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe	30
PID 2120 wrote to memory of 2876	2120	BCSSync.exe	31
PID 2120 wrote to memory of 2876	2120	BCSSync.exe	31
PID 2120 wrote to memory of 2876	2120	BCSSync.exe	31
PID 2120 wrote to memory of 2876	2120	BCSSync.exe	31
PID 2120 wrote to memory of 2876	2120	BCSSync.exe	31
PID 2120 wrote to memory of 2876	2120	BCSSync.exe	31
PID 2120 wrote to memory of 2876	2120	BCSSync.exe	31
PID 2120 wrote to memory of 2876	2120	BCSSync.exe	31
PID 2120 wrote to memory of 2876	2120	BCSSync.exe	31
PID 2876 wrote to memory of 2520	2876	BCSSync.exe	32
PID 2876 wrote to memory of 2520	2876	BCSSync.exe	32
PID 2876 wrote to memory of 2520	2876	BCSSync.exe	32
PID 2876 wrote to memory of 2520	2876	BCSSync.exe	32
PID 2876 wrote to memory of 2520	2876	BCSSync.exe	32
PID 2876 wrote to memory of 2520	2876	BCSSync.exe	32
PID 2876 wrote to memory of 2520	2876	BCSSync.exe	32
PID 2876 wrote to memory of 2520	2876	BCSSync.exe	32
PID 2876 wrote to memory of 2520	2876	BCSSync.exe	32
PID 2520 wrote to memory of 2240	2520	BCSSync.exe	33
PID 2520 wrote to memory of 2240	2520	BCSSync.exe	33
PID 2520 wrote to memory of 2240	2520	BCSSync.exe	33
PID 2520 wrote to memory of 2240	2520	BCSSync.exe	33

C:\Users\Admin\AppData\Local\Temp\5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Users\Admin\AppData\Local\Temp\5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\5708a50b72ed61ea57d21a11d0ff9260_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2120
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2876
      - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
112KB

MD5
1aa069d0102caed023e3478b821eb3ce

SHA1
7df3c1c0e949a45727bf8afe2d83e89355f96e77

SHA256
a926ec8a6f655eee03c612b3301b6ac51d3359b56170185b3647fa742763c01e

SHA512
be8f7354b10e5bd893af11a3388d4e528057ad0ea1f8780cdab3b9490c1fc83f21abcb53c07ed84f66f9bc7c05f254f21b9596450acad05fbf7ceb8cd8a6d280

Download Submit
memory/2432-4-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2432-2-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2432-5-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2432-19-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2520-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2876-58-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2932-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2932-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2932-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2932-21-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2932-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2932-36-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2932-35-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2932-16-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2932-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2932-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download