Analysis
-
max time kernel
134s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21-12-2024 23:27
Behavioral task
behavioral1
Sample
JaffaCakes118_b84b5ffa65552140676968d0bafc52a00cd0fd9a5f7b70809d11a2b321ac834b.doc
Resource
win7-20241010-en
General
-
Target
JaffaCakes118_b84b5ffa65552140676968d0bafc52a00cd0fd9a5f7b70809d11a2b321ac834b.doc
-
Size
2.1MB
-
MD5
3bc400ab428b5c6f229b6158a4c084e9
-
SHA1
76b70d96c464f68b531f3c040aabc4b5d8a8ffde
-
SHA256
b84b5ffa65552140676968d0bafc52a00cd0fd9a5f7b70809d11a2b321ac834b
-
SHA512
8be8e08b756e6d3c3ce0702ea5028fd8d4357e21472374276184f3e4e876fdff1929f34a07322f49154f04a488c2cf43f4addc56e4faea391e304c2abf4149c1
-
SSDEEP
24576:mOIFcmtE7voEOJ4wDEeKKeD0qxDRQ85THxfOl1zEEVQW/b06UKQwZ7IPN/ewItlZ:mHIQBJKKULx+9EEhg6tZsUf+Mz
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 624 4940 cmd.exe 81 -
Trickbot family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation cmd.exe -
Loads dropped DLL 1 IoCs
pid Process 3664 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2852 PING.EXE 2504 PING.EXE 1700 PING.EXE -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings cmd.exe -
Runs ping.exe 1 TTPs 3 IoCs
pid Process 2852 PING.EXE 2504 PING.EXE 1700 PING.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 4940 WINWORD.EXE 4940 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3984 wermgr.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 4940 WINWORD.EXE 4940 WINWORD.EXE 4940 WINWORD.EXE 4940 WINWORD.EXE 4940 WINWORD.EXE 4940 WINWORD.EXE 4940 WINWORD.EXE -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 4940 wrote to memory of 624 4940 WINWORD.EXE 85 PID 4940 wrote to memory of 624 4940 WINWORD.EXE 85 PID 624 wrote to memory of 2032 624 cmd.exe 92 PID 624 wrote to memory of 2032 624 cmd.exe 92 PID 624 wrote to memory of 2852 624 cmd.exe 93 PID 624 wrote to memory of 2852 624 cmd.exe 93 PID 624 wrote to memory of 2504 624 cmd.exe 94 PID 624 wrote to memory of 2504 624 cmd.exe 94 PID 624 wrote to memory of 3212 624 cmd.exe 97 PID 624 wrote to memory of 3212 624 cmd.exe 97 PID 3212 wrote to memory of 3664 3212 rundll32.exe 98 PID 3212 wrote to memory of 3664 3212 rundll32.exe 98 PID 3212 wrote to memory of 3664 3212 rundll32.exe 98 PID 3664 wrote to memory of 4560 3664 rundll32.exe 99 PID 3664 wrote to memory of 4560 3664 rundll32.exe 99 PID 3664 wrote to memory of 4560 3664 rundll32.exe 99 PID 3664 wrote to memory of 3984 3664 rundll32.exe 100 PID 3664 wrote to memory of 3984 3664 rundll32.exe 100 PID 3664 wrote to memory of 3984 3664 rundll32.exe 100 PID 3664 wrote to memory of 3984 3664 rundll32.exe 100 PID 624 wrote to memory of 1700 624 cmd.exe 103 PID 624 wrote to memory of 1700 624 cmd.exe 103
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b84b5ffa65552140676968d0bafc52a00cd0fd9a5f7b70809d11a2b321ac834b.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SYSTEM32\cmd.execmd /c c:\programdata\HighScores.bat2⤵
- Process spawned unexpected child process
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\trone\altogether4127453.vbs"3⤵PID:2032
-
-
C:\Windows\system32\PING.EXEping w 5000 ya.fr3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2852
-
-
C:\Windows\system32\PING.EXEping w 5000 htr-oi.io3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2504
-
-
C:\Windows\system32\rundll32.exerundll32 c:\trone\1\ExistingExcel.dll,DllRegisterServer13⤵
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\rundll32.exerundll32 c:\trone\1\ExistingExcel.dll,DllRegisterServer14⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe5⤵PID:4560
-
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3984
-
-
-
-
C:\Windows\system32\PING.EXEping w 5000 htr-oi.io3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1700
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize1KB
MD523df7d7d11c7a6e831ea7b1a44762f8a
SHA16037b6be47099e4324cfb6f9053caa7b8555476e
SHA256dab14bcd11bcfbb8b9655972d493c34c793a56af5f95a38a181e32637ca51c85
SHA5124435ef60bbafd6bede1873631537cfbbe037afb9ea564818cdb42b8346742ba5b4ee6c64eba59a5f76a56e1047b716c56ac8abdf2aae9fd6f6a13e8d9629a559
-
Filesize
815KB
MD512b35355d1b3d54916aeec7f3c25aa9c
SHA16304b01173e6fc6af5d15f70b2da7ef00af01b20
SHA256ab877698827bb56c10819d32a74c7b9e632b759c2b5a85c5921e17b892cfb716
SHA51259812d65b76b56fc0adc1237a8e68058acc9ad65c3a3a993e09cd44f29218c8d83bcfc2c6f2de3e04835e2ce23acf9a4db31d59c6e74144f6aa1eb0193e8eef1
-
Filesize
883KB
MD53826c75e009858f82f7ad8342116a34b
SHA1bc60b40dbbd4360b203ba5f1cf7229264214c957
SHA25640337427a39cb76487f4c450a4f36f2a94489995199f3df0de906bfeaa570dad
SHA512cc42356930b9147717a00d55315b2c02e36c85a0317da7684a4b2eda37218f26c1accae0914ada6173b5f3366323ff65a62cb50b0c84d1a16f81be898320a803
-
Filesize
483KB
MD51da055b46fb0698f80a4404b3a3a63b3
SHA197609b1d447453fa5e431f90668678ac8c090730
SHA25671b4913ef363073f0ecc4b4c5af3ad4b4889ac7f22a3e34d54c9b6572b83c483
SHA512ddebd8487dc0dfd936f65377b7cc072dfc28ecb90943c4fea0e6f0c1ad7563964998d1ba56edce60f64fe076558d43618fb789c2278631f289e6a6cf5a936e23