Overview

overview

10

Static

static

1

6889974ddc...18.doc

windows7-x64

10

6889974ddc...18.doc

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6889974ddc269eae29f7a949b34d04bc_JaffaCakes118

  • Size

    94KB

  • Sample

    240522-zcwnqsfg29

  • MD5

    6889974ddc269eae29f7a949b34d04bc

  • SHA1

    bb88e3ac46fc503308959e7f964b4130a4b39357

  • SHA256

    4c58c854ad7652ac73829058b405f7b2dd40e803ef3be318090ee2ee43de1a07

  • SHA512

    08b7bf8a129a97ba4450a04c080e1e31fc8be1325037536b7da4ff2d3ba7e938e081a4adaa90713d7bd3f96ab808299503537dbf9cae8970b613e299ced18ad4

  • SSDEEP

    1536:xXDMeO8oY5C6OJsdBpZW2aMQs666yT+t3hieCnpYjSKxrtN:J4eroY5CTsdA2OI23hccT

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://samuelearba.com/wp-includes/g2fn1q5591/
exe.dropper

https://rudalov.com/clientes/hroimxt621/
exe.dropper

http://rhythmandbluescompany.com/pimages/4vq32/
exe.dropper

http://ruttv.com/cams/rb5b5/
exe.dropper

http://sampling-group.com/site_espanol/bo3/

Targets

    • Target

      6889974ddc269eae29f7a949b34d04bc_JaffaCakes118

    • Size

      94KB

    • MD5

      6889974ddc269eae29f7a949b34d04bc

    • SHA1

      bb88e3ac46fc503308959e7f964b4130a4b39357

    • SHA256

      4c58c854ad7652ac73829058b405f7b2dd40e803ef3be318090ee2ee43de1a07

    • SHA512

      08b7bf8a129a97ba4450a04c080e1e31fc8be1325037536b7da4ff2d3ba7e938e081a4adaa90713d7bd3f96ab808299503537dbf9cae8970b613e299ced18ad4

    • SSDEEP

      1536:xXDMeO8oY5C6OJsdBpZW2aMQs666yT+t3hieCnpYjSKxrtN:J4eroY5CTsdA2OI23hccT

    Score
    10/10
    execution

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks