Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-08-2024 15:30

Static task: static1
Behavioral task: behavioral1
Sample: c7209a744435dcc259700a26adda4e47_JaffaCakes118.docm
Resource: win7-20240729-en
General

Target: c7209a744435dcc259700a26adda4e47_JaffaCakes118.docm
Size: 680KB
MD5: c7209a744435dcc259700a26adda4e47
SHA1: 31b9c510958b82e086e7ca7360d003c8c6e2193d
SHA256: f4cdde5d4e22b79d8d15fadcf74e7a9a9c805c54b910e08be7c6422b11ce729f
SHA512: ba5d27a3cd64fdff8690c5356311b4f2ea7d094922578d8c134ca209dd07d68a5d37bd4af3f458a3d0e309fa9bbd5099ec012df081dbc75b528653725a577bb3
SSDEEP: 12288:gzUyhTUcvCBd//9x+BuO40ThFsi1HMKxdFnjWlKOv2cEfk+j1XFcDLthza:gzBT4/Vx+BuOVhFsi1JniN2LcDL+
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid 3844  ms.exe

Drops desktop.ini file(s) (2 IoCs)
  File opened for modification  C:\Windows\assembly\Desktop.ini  ms.exe
  File created  C:\Windows\assembly\Desktop.ini  ms.exe

Drops file in Windows directory (3 IoCs)
  File opened for modification  C:\Windows\assembly  ms.exe
  File created  C:\Windows\assembly\Desktop.ini  ms.exe
  File opened for modification  C:\Windows\assembly\Desktop.ini  ms.exe

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ms.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
  Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid 4028  WINWORD.EXE
  pid 4028  WINWORD.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 3844  ms.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  pid 3844  ms.exe
  Token: 33  pid 3844  ms.exe
  Token: SeIncBasePriorityPrivilege  pid 3844  ms.exe

Suspicious use of SetWindowsHookEx (11 IoCs)
  pid 4028  WINWORD.EXE
  pid 4028  WINWORD.EXE
  pid 4028  WINWORD.EXE
  pid 4028  WINWORD.EXE
  pid 4028  WINWORD.EXE
  pid 4028  WINWORD.EXE
  pid 4028  WINWORD.EXE
  pid 4028  WINWORD.EXE
  pid 3844  ms.exe
  pid 4028  WINWORD.EXE
  pid 4028  WINWORD.EXE

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4028 wrote to memory of 3844  pid 4028  WINWORD.EXE  procid_target 89
  PID 4028 wrote to memory of 3844  pid 4028  WINWORD.EXE  procid_target 89
  PID 4028 wrote to memory of 3844  pid 4028  WINWORD.EXE  procid_target 89
Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (depth 1)
  command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c7209a744435dcc259700a26adda4e47_JaffaCakes118.docm" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4028

  C:\ProgramData\Memsys\ms.exe  (depth 2, child of WINWORD.EXE PID 4028)
    command line: C:\ProgramData\Memsys\ms.exe
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 3844

C:\Windows\system32\wbem\WmiApSrv.exe  (depth 1)
  command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 3240
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 321KB
MD5: fed6eab172b18fcf0ac559146add24ab
SHA1: 9c821e007072ff086301002e669ef9f23048b336
SHA256: 9d4506a63429f64c0ab01b77be2b178f9f2e45436decc6084c61b6faee0adfdb
SHA512: 2e22a04e49672dc25bcdf0e12d921fd83ba1fe0be183b0d6b62434f0a1de598c0f0c96ea518fdf1428b5d2c3c62f171a34676efb66c40c5799ca9462c39043ab

Filesize: 262KB
MD5: 51d32ee5bc7ab811041f799652d26e04
SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 1KB
MD5: f550be2e4021c35fbb9b607b0a36355f
SHA1: 9435a82a2bdce9646cb88ca760789dffb4f6c6c8
SHA256: 837db79e30c0bf2cc5a7c555e4d217a451ffbcf3bd0cf336196aaf99f912558e
SHA512: 5f58256ee060b6d7d7b320eb0e72aef48a03dca4801a0ec4855444bcec113b13a18f1d99415ac3d737901f318d801fb9b87bc304d30d915ad4334133713b08aa