8d56a8ad6afa592ed46d6a295b2246ed8b80ee67007799c62b7280a0e953f2c3 | Triage

Submit
Reports

Overview

overview

Static

static

8

68fb79964f...18.doc

windows7-x64

68fb79964f...18.doc

windows10-2004-x64

Sharing

General

Target

68fb79964f8c30cb9f75738bb6ab96df_JaffaCakes118
Size

175KB
Sample

240522-3b77xsch89
MD5

68fb79964f8c30cb9f75738bb6ab96df
SHA1

ecb9e28f02cd7f5a7d026fcd14e312b9c7534303
SHA256

8d56a8ad6afa592ed46d6a295b2246ed8b80ee67007799c62b7280a0e953f2c3
SHA512

ad8dc182ade31b32e47584bd34a56ce17eb714b8a31370b6aa5caa3e0ca1d95d90e2506b3f89eaf6e917befc8336177c142e272da139642d834373b72962131f
SSDEEP

3072:Lu2y/GdybktGDWLS0HZWD5w8K7Nk98D7IBUB/F4aqA9O:Lu2k4btGiL3HJk98D7bBdZqA0

Score

10^/10

execution macro

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

68fb79964f8c30cb9f75738bb6ab96df_JaffaCakes118.doc

Resource

win7-20240221-en

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

68fb79964f8c30cb9f75738bb6ab96df_JaffaCakes118.doc

Resource

win10v2004-20240508-en

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://bashirahindonesia.com/wp-admin/LBPLS7/

exe.dropper

http://nn.5ctelematics.com/temp/qck7s/

exe.dropper

http://karnatakatoursandtravels.com/cli/wBeE3l1Fs/

exe.dropper

https://soaponline.org/cgi-bin/wyi/

exe.dropper

https://eldodesign.com/eldo/89t8u/

Targets

- Target
  
  68fb79964f8c30cb9f75738bb6ab96df_JaffaCakes118
- Size
  
  175KB
- MD5
  
  68fb79964f8c30cb9f75738bb6ab96df
- SHA1
  
  ecb9e28f02cd7f5a7d026fcd14e312b9c7534303
- SHA256
  
  8d56a8ad6afa592ed46d6a295b2246ed8b80ee67007799c62b7280a0e953f2c3
- SHA512
  
  ad8dc182ade31b32e47584bd34a56ce17eb714b8a31370b6aa5caa3e0ca1d95d90e2506b3f89eaf6e917befc8336177c142e272da139642d834373b72962131f
- SSDEEP
  
  3072:Lu2y/GdybktGDWLS0HZWD5w8K7Nk98D7IBUB/F4aqA9O:Lu2k4btGiL3HJk98D7bBdZqA0
Score

10^/10

execution
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

© 2018-2024

Terms | Privacy