Overview

overview

10

Static

static

8

63a5df4ae9...18.doc

windows7-x64

10

63a5df4ae9...18.doc

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    63a5df4ae97bb27edf5bd67659935560_JaffaCakes118

  • Size

    176KB

  • Sample

    240521-rz96mshe5v

  • MD5

    63a5df4ae97bb27edf5bd67659935560

  • SHA1

    782ac721cedd47fd6c2a0ef1c6d5d637a70fed20

  • SHA256

    f32bb24d114407e601968a2908030e4e12277051ed2d439efb99bf63204ad4b8

  • SHA512

    d329521898b9e1d70cfd32f7546bb875685430ed1b00b3a2cbdd9c2f545754edc1082d4466d84ba77914eba7081f4449536191fb05162137e86577d57f73a053

  • SSDEEP

    3072:BxjnB29gb8onegCZ4B9s5l7sOB/izw2RW0ntt:Bxy3HM9Q5ERW

Score
10/10
executionmacro

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://coopspage.com/fLCt
exe.dropper

http://butterbean.se/KKHaZ8Oh
exe.dropper

http://boutique-amour.jp/958Jf
exe.dropper

http://bike-nomad.com/wp-content/jBN92RTl
exe.dropper

http://websitedesigngarden.com/fmkE

Targets

    • Target

      63a5df4ae97bb27edf5bd67659935560_JaffaCakes118

    • Size

      176KB

    • MD5

      63a5df4ae97bb27edf5bd67659935560

    • SHA1

      782ac721cedd47fd6c2a0ef1c6d5d637a70fed20

    • SHA256

      f32bb24d114407e601968a2908030e4e12277051ed2d439efb99bf63204ad4b8

    • SHA512

      d329521898b9e1d70cfd32f7546bb875685430ed1b00b3a2cbdd9c2f545754edc1082d4466d84ba77914eba7081f4449536191fb05162137e86577d57f73a053

    • SSDEEP

      3072:BxjnB29gb8onegCZ4B9s5l7sOB/izw2RW0ntt:Bxy3HM9Q5ERW

    Score
    10/10
    execution

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • An obfuscated cmd.exe command-line is typically used to evade detection.

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

      execution
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks