Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 09:17
Behavioral task: behavioral1
Sample: JaffaCakes118_f3a41d33fdf5ec9dbf81b5c511f5b56339ea4719c2e568d586ade0cde72222cd.doc
Resource: win7-20241010-en
General
Target: JaffaCakes118_f3a41d33fdf5ec9dbf81b5c511f5b56339ea4719c2e568d586ade0cde72222cd.doc
Size: 2.1MB
MD5: 578f26bd156782e1c93153e71e31af38
SHA1: 6081302fcfb7033b6f5d795fcb623849c8be220f
SHA256: f3a41d33fdf5ec9dbf81b5c511f5b56339ea4719c2e568d586ade0cde72222cd
SHA512: 4a301c25841d1a97e7255e104dac4f0d2f930945e9892b1d904483c3564e889730624b8c2006c810e6b7cdf9f7325addba2668a54ad72f27e7500b609af08be5
SSDEEP: 24576:mOIFcmtE7voEOJ4wDEeKKeD0qxDRQ85THxfOl1zEEVQW/b06UKQzZ7IPN/ewItlZ:mHIQBJKKULx+9EEhg6uZsUf+Mz
Malware Config
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 2104 | 3188 | cmd.exe | 81

Trickbot family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | cmd.exe

Loads dropped DLL (1 IoC)
pid | Process
2984 | rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 3 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
1720 | PING.EXE
920 | PING.EXE
412 | PING.EXE

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | cmd.exe

Runs ping.exe (1 TTP, 3 IoCs)
pid | Process
412 | PING.EXE
1720 | PING.EXE
920 | PING.EXE

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process | count
3188 | WINWORD.EXE | 2

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 1988 | wermgr.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process | count
3188 | WINWORD.EXE | 7

Suspicious use of WriteProcessMemory (22 IoCs)
description | pid | Process | procid_target | count
PID 3188 wrote to memory of 2104 | 3188 | WINWORD.EXE | 86 | 2
PID 2104 wrote to memory of 4164 | 2104 | cmd.exe | 92 | 2
PID 2104 wrote to memory of 1720 | 2104 | cmd.exe | 93 | 2
PID 2104 wrote to memory of 920 | 2104 | cmd.exe | 96 | 2
PID 2104 wrote to memory of 3244 | 2104 | cmd.exe | 97 | 2
PID 3244 wrote to memory of 2984 | 3244 | rundll32.exe | 98 | 3
PID 2984 wrote to memory of 1740 | 2984 | rundll32.exe | 99 | 3
PID 2984 wrote to memory of 1988 | 2984 | rundll32.exe | 100 | 4
PID 2104 wrote to memory of 412 | 2104 | cmd.exe | 103 | 2
Processes

1  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 3188)
   "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f3a41d33fdf5ec9dbf81b5c511f5b56339ea4719c2e568d586ade0cde72222cd.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
  2  C:\Windows\SYSTEM32\cmd.exe  (PID 2104)
     cmd /c c:\programdata\HighScores.bat
     - Process spawned unexpected child process
     - Checks computer location settings
     - Modifies registry class
     - Suspicious use of WriteProcessMemory
    3  C:\Windows\System32\WScript.exe  (PID 4164)
       "C:\Windows\System32\WScript.exe" "C:\trone\altogether4127453.vbs"
    3  C:\Windows\system32\PING.EXE  (PID 1720)
       ping w 5000 ya.fr
       - System Network Configuration Discovery: Internet Connection Discovery
       - Runs ping.exe
    3  C:\Windows\system32\PING.EXE  (PID 920)
       ping w 5000 htr-oi.io
       - System Network Configuration Discovery: Internet Connection Discovery
       - Runs ping.exe
    3  C:\Windows\system32\rundll32.exe  (PID 3244)
       rundll32 c:\trone\1\ExistingExcel.dll,DllRegisterServer1
       - Suspicious use of WriteProcessMemory
      4  C:\Windows\SysWOW64\rundll32.exe  (PID 2984)
         rundll32 c:\trone\1\ExistingExcel.dll,DllRegisterServer1
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
        5  C:\Windows\SysWOW64\cmd.exe  (PID 1740)
           C:\Windows\system32\cmd.exe
        5  C:\Windows\system32\wermgr.exe  (PID 1988)
           C:\Windows\system32\wermgr.exe
           - Suspicious use of AdjustPrivilegeToken
    3  C:\Windows\system32\PING.EXE  (PID 412)
       ping w 5000 htr-oi.io
       - System Network Configuration Discovery: Internet Connection Discovery
       - Runs ping.exe
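The process tree above is the part of this report that turns directly into detection logic: an Office host spawning cmd.exe, a .bat staged under ProgramData, rundll32 calling an export of a DLL outside the Windows system directories, and wermgr.exe started by rundll32 and then acquiring SeDebugPrivilege. The following Python is an added example, not sandbox output or Trickbot code: its events are constructed from the PIDs, image paths and command lines shown in the tree, and the field names, rule names and the list of "expected" wermgr.exe parents are assumptions, not a real EDR schema. The 64-bit rundll32.exe relaunching its SysWOW64 copy is what happens when a 32-bit DLL is handed to the 64-bit host, which is why the DLL rule fires once per rundll32 process.

```python
"""Process-tree triage rules modelled on the report's tree (added example, not sandbox output).
Events are constructed from the report; field and rule names are assumptions."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS_AND_SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                           "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Heuristic assumption: wermgr.exe is normally started by the WER service host, not by rundll32.
WERMGR_EXPECTED_PARENTS = {"svchost.exe", "werfault.exe", "wermgr.exe"}
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*(\S+)', re.I)


@dataclass
class ProcessEvent:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()


# Constructed from the report's process tree (PIDs, images and command lines as shown).
WORD = r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
DOC = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f3a41d33fdf5ec9dbf81b5c511f5b56339ea4719c2e568d586ade0cde72222cd.doc"
EVENTS: List[ProcessEvent] = [
    ProcessEvent(3188, None, WORD, f'"{WORD}" /n "{DOC}" /o ""'),
    ProcessEvent(2104, 3188, r"C:\Windows\SYSTEM32\cmd.exe", r"cmd /c c:\programdata\HighScores.bat"),
    ProcessEvent(4164, 2104, r"C:\Windows\System32\WScript.exe",
                 r'"C:\Windows\System32\WScript.exe" "C:\trone\altogether4127453.vbs"'),
    ProcessEvent(1720, 2104, r"C:\Windows\system32\PING.EXE", "ping w 5000 ya.fr"),
    ProcessEvent(920, 2104, r"C:\Windows\system32\PING.EXE", "ping w 5000 htr-oi.io"),
    ProcessEvent(3244, 2104, r"C:\Windows\system32\rundll32.exe",
                 r"rundll32 c:\trone\1\ExistingExcel.dll,DllRegisterServer1"),
    ProcessEvent(2984, 3244, r"C:\Windows\SysWOW64\rundll32.exe",
                 r"rundll32 c:\trone\1\ExistingExcel.dll,DllRegisterServer1"),
    ProcessEvent(1740, 2984, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe"),
    ProcessEvent(1988, 2984, r"C:\Windows\system32\wermgr.exe", r"C:\Windows\system32\wermgr.exe"),
    ProcessEvent(412, 2104, r"C:\Windows\system32\PING.EXE", "ping w 5000 htr-oi.io"),
]


def rundll32_target(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, export) from a rundll32 command line, or None if no export is named."""
    m = RUNDLL32_RE.match(cmdline.strip())
    return (m.group(1).strip(), m.group(2)) if m else None


def ancestry(events: List[ProcessEvent], pid: int) -> List[int]:
    """Root-to-leaf PID chain for `pid`, stopping at an unknown parent or a cycle."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain[::-1]


def analyze(events: List[ProcessEvent]) -> List[Tuple[str, int]]:
    """Apply the rules; each finding is (rule_name, pid of the process it concerns)."""
    by_pid: Dict[int, ProcessEvent] = {e.pid: e for e in events}
    findings: List[Tuple[str, int]] = []
    pings_by_parent: Dict[Optional[int], List[int]] = {}
    for e in events:
        parent = by_pid.get(e.ppid) if e.ppid is not None else None
        pname = parent.name if parent else None
        # Office host spawning a shell or script host: the report's "unexpected child" signature.
        if pname in OFFICE_APPS and e.name in SHELLS_AND_SCRIPT_HOSTS:
            findings.append(("office_spawned_shell", e.pid))
        # Batch file staged in the world-writable ProgramData directory.
        if e.name == "cmd.exe" and re.search(r'\\programdata\\[^\s"]+\.bat\b', e.cmdline, re.I):
            findings.append(("bat_from_programdata", e.pid))
        # rundll32 calling an export of a DLL that does not live under the Windows system dirs.
        if e.name == "rundll32.exe":
            target = rundll32_target(e.cmdline)
            if target and not target[0].lower().startswith(SYSTEM_DIRS):
                findings.append(("rundll32_nonstandard_dll", e.pid))
        # wermgr.exe with an unusual parent: a frequent injection target.
        if e.name == "wermgr.exe" and pname not in WERMGR_EXPECTED_PARENTS:
            findings.append(("unexpected_wermgr_parent", e.pid))
        if e.name == "ping.exe":
            pings_by_parent.setdefault(e.ppid, []).append(e.pid)
    # Repeated ping from one parent: connectivity check that doubles as a crude delay.
    for ppid, pids in pings_by_parent.items():
        if ppid is not None and len(pids) >= 2:
            findings.append(("repeated_ping", ppid))
    return findings


if __name__ == "__main__":
    for rule, pid in analyze(EVENTS):
        print(f"{rule:28} pid={pid:<5} chain={' -> '.join(map(str, ancestry(EVENTS, pid)))}")
```

A bare DLL name such as `shell32.dll` is also flagged by the rundll32 rule, because a path-less name resolves through the loader search order and cannot be trusted from the command line alone; tighten `SYSTEM_DIRS` or resolve the image on disk if that produces too much noise in a given environment.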
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 262KB
MD5: 51d32ee5bc7ab811041f799652d26e04
SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Filesize: 16B
MD5: d29962abc88624befc0135579ae485ec
SHA1: e40a6458296ec6a2427bcb280572d023a9862b31
SHA256: a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512: 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Filesize: 815KB
MD5: 861c3b42993d2b3959d9eacd9f3fa00f
SHA1: e834e7429175c7547135a9116102d4b5acfea70c
SHA256: 267c67704425cfe66e7e48a4c055e241a608795d121d4f5c2b3c56adac18b1ab
SHA512: 2ceb6d9cc94c874107af90fdcf644140dac042da7adb4a4191929ccaa4200d33731a3c27f3243584e81c4235aca0973103531ad500317424115ecc69c9e8ed98

Filesize: 883KB
MD5: 1c9b591f02f01abbc553a49b629c5dcb
SHA1: d5db0b98de208401eef20abc8022c06c005fe2cb
SHA256: 8b2f86ef51d4f23dd78cd606b9e4950e02bdc2385d536c3632e61cf8152fa77f
SHA512: 37b9c430a0bb2dc5affb46c38dc9738e4df3031d1e3e2ac0a5d37dfeb96d65019fc304b40457914a12c45d2b23bf33f65b393368d33432f29604b982e095e070

Filesize: 483KB
MD5: 1da055b46fb0698f80a4404b3a3a63b3
SHA1: 97609b1d447453fa5e431f90668678ac8c090730
SHA256: 71b4913ef363073f0ecc4b4c5af3ad4b4889ac7f22a3e34d54c9b6572b83c483
SHA512: ddebd8487dc0dfd936f65377b7cc072dfc28ecb90943c4fea0e6f0c1ad7563964998d1ba56edce60f64fe076558d43618fb789c2278631f289e6a6cf5a936e23