cf6f134b4e7abc0b6a2d993101ac3a2e2f3d16709741b1fd982ea65b07327920 | Triage

Sharing

General

Target

7bbcd2699d703524fe62369e8c9ed013_JaffaCakes118
Size

115KB
Sample

240528-fccq3seh6x
MD5

7bbcd2699d703524fe62369e8c9ed013
SHA1

669876f8735f2610148a40715966ea91195dc6ea
SHA256

cf6f134b4e7abc0b6a2d993101ac3a2e2f3d16709741b1fd982ea65b07327920
SHA512

6cdec2fbf2e1fa4098a61d1d51f1ff06d246b0cc03c7f490c102f64768cc60cbeaf414ce6b1d8207df6e815b1b78cd81fa62f2259afd9a49d7567ad66e6e7c74
SSDEEP

1536:aBWYOEXJ/6Ph+agzsTUjvDVghDR9KgZDbf5J3L:TeXJ/6PwvDyj9KC9Jb

Score

10^/10

execution macro

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://lolligirl.com/VK9wU/

exe.dropper

https://versicherungsvermittlung.de/OZVlP/

exe.dropper

http://stein-planung.de/kzFwg/

exe.dropper

http://vagrantcafe.com/flash/VD9aQK7/

Targets

- Target
  
  7bbcd2699d703524fe62369e8c9ed013_JaffaCakes118
- Size
  
  115KB
- MD5
  
  7bbcd2699d703524fe62369e8c9ed013
- SHA1
  
  669876f8735f2610148a40715966ea91195dc6ea
- SHA256
  
  cf6f134b4e7abc0b6a2d993101ac3a2e2f3d16709741b1fd982ea65b07327920
- SHA512
  
  6cdec2fbf2e1fa4098a61d1d51f1ff06d246b0cc03c7f490c102f64768cc60cbeaf414ce6b1d8207df6e815b1b78cd81fa62f2259afd9a49d7567ad66e6e7c74
- SSDEEP
  
  1536:aBWYOEXJ/6Ph+agzsTUjvDVghDR9KgZDbf5J3L:TeXJ/6PwvDyj9KC9Jb
Score

10^/10

execution
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2