General

  • Target

    390bf5b77fc9c164be934a2f12be7a36_JaffaCakes118

  • Size

    245KB

  • Sample

    240512-jqzdsaaf82

  • MD5

    390bf5b77fc9c164be934a2f12be7a36

  • SHA1

    fb8a2b7b10b82dee2509c68d1ce66f9674be0f32

  • SHA256

    c984833db58812ed08f1b0560576ec19bfec60b0a8103292c206042ef12007fc

  • SHA512

    dfcea8972d66e3bdee273af26ad1add17c0fd6fdd4d072672277df8eaac704d7dc67cd6f0d699fd232f009c08190e3e99ac6a076efd458125fcae0d6ccaaa406

  • SSDEEP

    6144:H0Rum7mdLRp1bbSBIR/EHGtCMXgTo8qoFt/etg+Bzm8tigUE+w6:H0E3dxtR/iU9mvUPBS8tigUE+L

Score
10/10

Malware Config

Extracted

Language
ps1

Deobfuscated URLs

  • exe.dropper: http://amelano.net/wp-includes/css/dist/2ew/
  • exe.dropper: http://911concept.com/images/i6ngX5/
  • exe.dropper: http://ayonschools.com/UBkoqn/
  • exe.dropper: http://beech.org/wayne/lldo/
  • exe.dropper: http://firelabo.com/wp-includes/mf6f4/

Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15