General
- Target: 68cee0aa77911b98d7cdf22e177c05d8_JaffaCakes118
- Size: 1.2MB
- Sample: 240522-12qz8aaf61
- MD5: 68cee0aa77911b98d7cdf22e177c05d8
- SHA1: d453439358ffdd5944ed65b8fd38381ea77a294f
- SHA256: 3778737d251d8faff9386d8cf18fcdc25ad392b6f9ea9ed3baaf66bb96d54988
- SHA512: 010cc6a87bab2186c78795c32105b0ec7d9aa108c247d54ec8cbfa9f1979c475bc4729478f2d9ac2557ee5e42f7184af1d8a8eed684d92e98e03cc7055424e4b
- SSDEEP: 12288:9amsmGGEPZTRAisny9Zuf3m5yVNtELh8Mz3LRqVlVJGjoGSjkaHdawbyHHfWZt5y:mj+YE8ff2zy
Behavioral task: behavioral1
- Sample: 68cee0aa77911b98d7cdf22e177c05d8_JaffaCakes118.doc
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 68cee0aa77911b98d7cdf22e177c05d8_JaffaCakes118.doc
- Resource: win10v2004-20240426-en
Malware Config
Extracted: cobaltstrike
1258440321
http://code.1static-images.com:5353/images/cliparts/c/3/0/7/Plain_Arrow_7.svg.hi.png
http://scripts.1static-images.com:5353/images/cliparts/c/3/0/7/Plain_Arrow_7.svg.hi.png
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- day: 7424
- dns_idle: 1.39598111e+08
- host: code.1static-images.com,/images/cliparts/c/3/0/7/Plain_Arrow_7.svg.hi.png,scripts.1static-images.com,/images/cliparts/c/3/0/7/Plain_Arrow_7.svg.hi.png
- http_header1:
AAAACgAAABlBY2NlcHQ6IGltYWdlL3BuZyxpbWFnZS8qAAAACgAAABlBY2NlcHQtTGFuZ3VhZ2U6IGVuLUdCLGVuAAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAKAAAAEFByYWdtYTogbm8tY2FjaGUAAAAKAAAAF0NhY2hlLUNvbnRyb2w6IG5vLWNhY2hlAAAACgAAABxIb3N0OiB3d3cuMXN0YXRpYy1pbWFnZXMuY29tAAAABwAAAAAAAAADAAAAAgAAAApQSFBTRVNTSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAcQ29udGVudC1UeXBlOiB0ZXh0L3BsYWludGV4dAAAAAoAAAAcSG9zdDogd3d3LjFzdGF0aWMtaW1hZ2VzLmNvbQAAAAcAAAAAAAAABQAAAAVpbWdpZAAAAAkAAAAKc3o9MTYweDYwMAAAAAcAAAABAAAAAwAAAAIAAAAvMFBORy4uSUhEUi4uc0JJVC58LmQucEhZcy6lVDz+Li4uLjruPC5JREFUJtls1NYAAAABAAAAKTH+RUQ9P6ruRMTXLi7QK+L062X9Jsb42Sv++XMu8S5xPy5JRU5ErkKjAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- jitter: 1280
- maxdns: 253
- month: 1536
- pipe_name: \\%s\pipe\avagent-%x
- polling_time: 30000
- port_number: 5353
- sc_process32: %windir%\syswow64\dllhost.exe
- sc_process64: %windir%\sysnative\dllhost.exe
- state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWoq3qrcZ9G+3vpZwpHmdhv59hL5KDed1yMgOOnRiJlOKrUJREsj1nOKvpTuGTlunKMvdKficLQfCT4NK58Wr2sGJdCE5x7KML9qoP39odmLlhl4Nvv8Ro4+GBQQT1JMGCD4JfGsxiNtBhLFhtVxNRmF0ZstTpGPht5lqiJCTCawIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4.066055424e+09
- unknown2:
AAAABAAAAAEAAAFcAAAAAgAABT4AAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /images/cliparts/c/3/0/update.php
- user_agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)
- watermark: 1258440321
- year: 57863
Targets
- Target: 68cee0aa77911b98d7cdf22e177c05d8_JaffaCakes118
- Size: 1.2MB
- MD5: 68cee0aa77911b98d7cdf22e177c05d8
- SHA1: d453439358ffdd5944ed65b8fd38381ea77a294f
- SHA256: 3778737d251d8faff9386d8cf18fcdc25ad392b6f9ea9ed3baaf66bb96d54988
- SHA512: 010cc6a87bab2186c78795c32105b0ec7d9aa108c247d54ec8cbfa9f1979c475bc4729478f2d9ac2557ee5e42f7184af1d8a8eed684d92e98e03cc7055424e4b
- SSDEEP: 12288:9amsmGGEPZTRAisny9Zuf3m5yVNtELh8Mz3LRqVlVJGjoGSjkaHdawbyHHfWZt5y:mj+YE8ff2zy
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Office macro that triggers on suspicious action: Office document macro which triggers in special circumstances - often malicious.
- Deletes itself
- Loads dropped DLL
-