b260a324f1d3b6135a4c52889fb0a4e436ddd6adb6ce61c380b25b33e3a05b80 | Triage

Submit
Reports

Overview

overview

Static

static

8

657c45ade4...18.doc

windows7-x64

657c45ade4...18.doc

windows10-2004-x64

6

Sharing

General

Target

657c45ade4303bb41097337af74f446f_JaffaCakes118
Size

247KB
Sample

240522-bmma2sfh2z
MD5

657c45ade4303bb41097337af74f446f
SHA1

f4bc5c8995e3e799fa130fba23314f2f95050c6b
SHA256

b260a324f1d3b6135a4c52889fb0a4e436ddd6adb6ce61c380b25b33e3a05b80
SHA512

0167228d2527fc9a1454311ef429bf1eefb10d1e5b17abf0d261fcfed48b9b81a43209b078b02bf45186552479c269f178d11f1a235f6b4650521fc56e249b05
SSDEEP

6144:Q0Rum7mdLRp1bbSBIR/EHGtCMXgTo8qoFt/etg+p4z+cGAihG:Q0E3dxtR/iU9mvUPxbdhG

Score

10^/10

execution macro

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

657c45ade4303bb41097337af74f446f_JaffaCakes118.doc

Resource

win7-20240508-en

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

657c45ade4303bb41097337af74f446f_JaffaCakes118.doc

Resource

win10v2004-20240426-en

windows10-2004-x64

7 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://abeafrique.org/-/wv4y-6w5-3697/

exe.dropper

https://wlskdjfsa.000webhostapp.com/wp-admin/VbuFbbG/

exe.dropper

http://blog.eliminavarici.com/wp-includes/fQbmzw/

exe.dropper

http://87zn.com/wp-admin/be19e6-le6fjr-256/

exe.dropper

http://bbv.borgmeier.media/wp-includes/runyp-zsv8cv-3508006/

Targets

- Target
  
  657c45ade4303bb41097337af74f446f_JaffaCakes118
- Size
  
  247KB
- MD5
  
  657c45ade4303bb41097337af74f446f
- SHA1
  
  f4bc5c8995e3e799fa130fba23314f2f95050c6b
- SHA256
  
  b260a324f1d3b6135a4c52889fb0a4e436ddd6adb6ce61c380b25b33e3a05b80
- SHA512
  
  0167228d2527fc9a1454311ef429bf1eefb10d1e5b17abf0d261fcfed48b9b81a43209b078b02bf45186552479c269f178d11f1a235f6b4650521fc56e249b05
- SSDEEP
  
  6144:Q0Rum7mdLRp1bbSBIR/EHGtCMXgTo8qoFt/etg+p4z+cGAihG:Q0E3dxtR/iU9mvUPxbdhG
Score

10^/10

execution
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Process spawned suspicious child process
  This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

© 2018-2024

Terms | Privacy