Overview

overview

10

Static

static

8

3bd256704b...18.doc

windows7-x64

10

3bd256704b...18.doc

windows10-2004-x64

6

Sharing

Copy URL Twitter E-mail

General

  • Target

    3bd256704b8c3764143dbb14e77e6bde_JaffaCakes118

  • Size

    199KB

  • Sample

    240512-yny3kadg3w

  • MD5

    3bd256704b8c3764143dbb14e77e6bde

  • SHA1

    0d59f0e43c2e184eafa354fc3d930882b6223db7

  • SHA256

    120089ff2f68e783b44f00f3f9679d71cf5c93c16a88de58c11e392458ba0090

  • SHA512

    cf435f04cddeb5eb5acb21817c2e76949e488672feea6059d118f2d080719f3f9f59b9390472bc2a81e1829e16ba3db8969c55c3876477d4d8b414a1e0ce9734

  • SSDEEP

    1536:04tcTv8kvjEuJ0dH5L0c4vs3ti18NmIIP4ovlnoR+a9Xig7ix5EvGtaWWfjPYKwN:04tcTvjvTY140818tIP4ovpvLmGhoI

Score
10/10
macro

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://veccino56.com/gjpra/4ZR/
exe.dropper

http://girlgeekdinners.com/wp-content/Hpz/
exe.dropper

http://marblingmagpie.com/COPYRIGHT/Ak/
exe.dropper

http://aplicativoipok.net/wp-includes/ONW/
exe.dropper

http://ec2-52-56-233-157.eu-west-2.compute.amazonaws.com/wp-includes/35/
exe.dropper

https://shd7.life/mlktv/r6/
exe.dropper

https://www.hairlineunisexsalon.com/demo/UX/

Targets

    • Target

      3bd256704b8c3764143dbb14e77e6bde_JaffaCakes118

    • Size

      199KB

    • MD5

      3bd256704b8c3764143dbb14e77e6bde

    • SHA1

      0d59f0e43c2e184eafa354fc3d930882b6223db7

    • SHA256

      120089ff2f68e783b44f00f3f9679d71cf5c93c16a88de58c11e392458ba0090

    • SHA512

      cf435f04cddeb5eb5acb21817c2e76949e488672feea6059d118f2d080719f3f9f59b9390472bc2a81e1829e16ba3db8969c55c3876477d4d8b414a1e0ce9734

    • SSDEEP

      1536:04tcTv8kvjEuJ0dH5L0c4vs3ti18NmIIP4ovlnoR+a9Xig7ix5EvGtaWWfjPYKwN:04tcTvjvTY140818tIP4ovpvLmGhoI

    Score
    10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks