General

  • Target

    65dc4acf6535446540416dbe5e1949b5_JaffaCakes118

  • Size

    199KB

  • Sample

    240522-d3hc5sah5v

  • MD5

    65dc4acf6535446540416dbe5e1949b5

  • SHA1

    69a391f2c5c2ab0393d3624a405f5b8ca92bddb3

  • SHA256

    e9d36b9583acfc91bf20d7a91163677669d0aeeb4ee2faf41209c52a8036c03e

  • SHA512

    d826dd5b2e11c4008fa5083bf18400ea1a1c43582ede8ec7211d70fd708a2d13bd9aacb5f68b6f489b6da6d06493beb7bfdfe5f6daf92d505ae1ebb1508b8c55

  • SSDEEP

    3072:9WKWj22TWTogk079THcpOu5UZS5EcbWD+uzp:y/TX07hHcJQoEcKDNzp

Score
10/10

Malware Config

Extracted

Language
ps1

Source
exe.dropper

URLs

http://haymetetrading.com/wp-includes/yGELKj4/

http://simofferbd24.com/wp-includes/fsiQc/

http://401kplansinfo.com/cgi-bin/KtFRk/

http://fidelityguide.com/cgi-bin/VA/

https://sirnakmidyeci.com/wp-includes/qk9wW2/

https://subitocarne.com/wp-content/ByeOAt9/

https://eliesalibaarchitect.com/wordpress/T/
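The seven exe.dropper URLs are the actionable output of this report. The Python below is an added example, not part of the sandbox report, showing one way to turn them into hunting indicators: it pulls out the hostnames (the directory names under wp-includes/, wp-content/ and cgi-bin/ are rotated per campaign, while the compromised site usually persists), defangs them for sharing, and matches proxy log lines by host and by exact URL. The URL list is copied from the config above; the proxy log lines are constructed for the example.

```python
"""Added example: turn the extracted exe.dropper URLs into hunting indicators
and run them over proxy log lines. The URL list is copied from the report;
the proxy log is constructed."""
from urllib.parse import urlsplit

# URLs exactly as listed in the extracted config above.
DROPPER_URLS = [
    "http://haymetetrading.com/wp-includes/yGELKj4/",
    "http://simofferbd24.com/wp-includes/fsiQc/",
    "http://401kplansinfo.com/cgi-bin/KtFRk/",
    "http://fidelityguide.com/cgi-bin/VA/",
    "https://sirnakmidyeci.com/wp-includes/qk9wW2/",
    "https://subitocarne.com/wp-content/ByeOAt9/",
    "https://eliesalibaarchitect.com/wordpress/T/",
]


def extract_indicators(urls):
    """Return the exact URLs (trailing slash stripped) and the lower-cased
    hostnames. The random directory names are rotated per campaign, so the
    hostname is the more durable of the two indicators."""
    exact, hosts = set(), set()
    for url in urls:
        parts = urlsplit(url)
        if parts.hostname:
            hosts.add(parts.hostname.lower())
            exact.add(url.rstrip("/"))
    return {"urls": exact, "hosts": hosts}


def defang(url):
    """Neutralise a URL for reports and chat so it cannot be clicked."""
    return url.replace("http", "hxxp").replace(".", "[.]")


# Constructed proxy log, one request per line:
# <timestamp> <client ip> <method> <url> <status>
SAMPLE_PROXY_LOG = "\n".join([
    "2024-05-22T03:15:01Z 10.0.0.15 GET http://haymetetrading.com/wp-includes/yGELKj4/ 200",
    "2024-05-22T03:15:02Z 10.0.0.15 GET http://haymetetrading.com/wp-includes/other/ 404",
    "2024-05-22T03:16:10Z 10.0.0.22 GET https://www.example.com/ 200",
    "2024-05-22T03:17:44Z 10.0.0.31 GET http://401kplansinfo.com/cgi-bin/KtFRk/ 200",
])


def hunt(log_text, indicators):
    """Return (client_ip, host, match_kind) for each request that reaches an
    indicator host. match_kind is 'exact-url' when the full dropper URL was
    requested and 'host' when only the compromised site matched. Host matching
    ignores the scheme on purpose, since the same sites appear under both
    http and https."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or malformed lines
        client_ip, url = fields[1], fields[3]
        host = (urlsplit(url).hostname or "").lower()
        if host in indicators["hosts"]:
            kind = "exact-url" if url.rstrip("/") in indicators["urls"] else "host"
            hits.append((client_ip, host, kind))
    return hits


if __name__ == "__main__":
    iocs = extract_indicators(DROPPER_URLS)
    for u in sorted(iocs["urls"]):
        print(defang(u))
    for hit in hunt(SAMPLE_PROXY_LOG, iocs):
        print("HIT", *hit)
```

A host-only hit (the second constructed line, a 404 on a different path) is still worth triaging: the client reached a known dropper site, and a 404 often means the campaign path has already rotated.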

Targets

    • Target

      65dc4acf6535446540416dbe5e1949b5_JaffaCakes118

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

    • Drops file in System32 directory
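The first two behavioural signatures (an unexpected child process, then a network request from a blocklisted process) describe the parent-child chain a malicious document produces: an Office application spawning a script host, which then fetches the next stage. The Python below is an added example, not the sandbox's own signature logic, showing how to express that as a detection over Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records, correlated by ProcessGuid. The events, GUIDs and command lines are constructed, and the parent and script-host lists are a common starting point rather than the sandbox's published blocklist.

```python
"""Added example: detect an Office parent spawning a script host and that
child then making a network connection, over Sysmon-style events. All
events below are constructed for the example."""
import os

# Starting-point lists; the sandbox's own blocklist is not published here.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def image_name(path):
    """Lower-cased file name of a Windows image path, tolerant of either
    separator so it also works on a non-Windows analysis box."""
    return os.path.basename(path.replace("\\", "/")).lower()


# Constructed Sysmon-like records: EventID 1 = process create, 3 = network connect.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "WINWORD.EXE /n invoice.doc"},
    {"EventID": 1, "ProcessGuid": "{A2}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell -w hidden -nop -c (constructed)"},
    {"EventID": 3, "ProcessGuid": "{A2}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "haymetetrading.com", "DestinationPort": 80},
    {"EventID": 1, "ProcessGuid": "{B1}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd /c dir"},
    {"EventID": 3, "ProcessGuid": "{C1}",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},
]


def detect(events):
    """Return alerts as (rule, parent_or_process, child_or_destination, guid).
    A script host spawned by an Office app is flagged on creation; any later
    network connection from that same ProcessGuid is flagged as well, which is
    the 'blocklisted process makes network request' pattern."""
    alerts = []
    flagged = {}  # ProcessGuid -> image name of a script host spawned by Office
    for ev in events:
        if ev["EventID"] == 1:
            child = image_name(ev["Image"])
            parent = image_name(ev["ParentImage"])
            if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
                flagged[ev["ProcessGuid"]] = child
                alerts.append(("unexpected_child", parent, child, ev["ProcessGuid"]))
        elif ev["EventID"] == 3 and ev["ProcessGuid"] in flagged:
            alerts.append(("blocklisted_process_network", flagged[ev["ProcessGuid"]],
                           ev["DestinationHostname"], ev["ProcessGuid"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

The cmd.exe spawned from explorer.exe in the constructed data is deliberately not flagged: the rule keys on the Office parent, not on the script host alone, which keeps ordinary interactive shells out of the alert stream.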

MITRE ATT&CK Matrix (ATT&CK v13)

Defense Evasion
    Modify Registry (T1112): 1

Discovery
    Query Registry (T1012): 2
    System Information Discovery (T1082): 2
