Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-08-2024 15:30

General

  • Target

    c7209a744435dcc259700a26adda4e47_JaffaCakes118.docm

  • Size

    680KB

  • MD5

    c7209a744435dcc259700a26adda4e47

  • SHA1

    31b9c510958b82e086e7ca7360d003c8c6e2193d

  • SHA256

    f4cdde5d4e22b79d8d15fadcf74e7a9a9c805c54b910e08be7c6422b11ce729f

  • SHA512

    ba5d27a3cd64fdff8690c5356311b4f2ea7d094922578d8c134ca209dd07d68a5d37bd4af3f458a3d0e309fa9bbd5099ec012df081dbc75b528653725a577bb3

  • SSDEEP

    12288:gzUyhTUcvCBd//9x+BuO40ThFsi1HMKxdFnjWlKOv2cEfk+j1XFcDLthza:gzBT4/Vx+BuOVhFsi1JniN2LcDL+

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c7209a744435dcc259700a26adda4e47_JaffaCakes118.docm"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\ProgramData\Memsys\ms.exe
      C:\ProgramData\Memsys\ms.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:824
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:3036
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:2856
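The process tree above is the durable signal in this report: WINWORD.EXE (PID 2108) executes a freshly dropped binary from C:\ProgramData\Memsys\ms.exe (PID 824), while its other child, splwow64.exe, is the normal 64-bit print-spooler proxy for 32-bit Office and WmiApSrv.exe is unrelated. The script below is an added example, not part of the sandbox report or its tooling; it applies a parent/child detection rule over constructed Sysmon-style process-creation records that mirror this tree, and additionally matches the ms.exe SHA256 listed under Downloads. Field names (pid, image, parent_image, sha256) are this example's own choice, and the sample events are hand-built, not captured telemetry.

```python
"""Hunt for Office-spawned executables in user-writable directories.

Added example (not from the sandbox report): the SAMPLE_EVENTS below are
constructed to mirror the report's process tree, and the known-bad hash is the
SHA256 of \\ProgramData\\Memsys\\ms.exe from the report's Downloads section.
"""
import re
from dataclasses import dataclass

# Office hosts whose children deserve scrutiny (assumed list for this example).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Directories an unprivileged user (or a macro) can write to; an EXE launched
# from here by an Office process is the classic dropper pattern.
USER_WRITABLE = re.compile(r"^c:\\(programdata|users\\[^\\]+\\appdata)\\", re.I)

# SHA256 of the dropped payload, copied from this report's Downloads section.
KNOWN_BAD_SHA256 = {
    "9d4506a63429f64c0ab01b77be2b178f9f2e45436decc6084c61b6faee0adfdb":
        "Imminent RAT dropper (ms.exe)",
}


@dataclass
class ProcEvent:
    """Minimal Sysmon Event ID 1 style record (field names are this example's)."""
    pid: int
    image: str
    parent_pid: int
    parent_image: str
    sha256: str = ""


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def office_child_in_user_dir(ev):
    """True when an Office host launches an image from a user-writable tree."""
    return basename(ev.parent_image) in OFFICE_PARENTS and bool(USER_WRITABLE.match(ev.image))


def triage(events):
    """Return (pid, image, [reasons]) for every event that trips a rule."""
    findings = []
    for ev in events:
        reasons = []
        if office_child_in_user_dir(ev):
            reasons.append("Office parent spawned EXE from user-writable directory")
        label = KNOWN_BAD_SHA256.get(ev.sha256.lower())
        if label:
            reasons.append("SHA256 matches " + label)
        if reasons:
            findings.append((ev.pid, ev.image, reasons))
    return findings


WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"

# Constructed events reproducing the report's tree: the dropper, the benign
# print-spooler proxy, and the unrelated WMI provider host.
SAMPLE_EVENTS = [
    ProcEvent(2108, WINWORD, 1000, r"C:\Windows\explorer.exe"),
    ProcEvent(824, r"C:\ProgramData\Memsys\ms.exe", 2108, WINWORD,
              "9d4506a63429f64c0ab01b77be2b178f9f2e45436decc6084c61b6faee0adfdb"),
    ProcEvent(3036, r"C:\Windows\splwow64.exe", 2108, WINWORD),
    ProcEvent(2856, r"C:\Windows\system32\wbem\WmiApSrv.exe", 500,
              r"C:\Windows\system32\services.exe"),
]


if __name__ == "__main__":
    for pid, image, reasons in triage(SAMPLE_EVENTS):
        print(f"PID {pid} {image}")
        for r in reasons:
            print("   -", r)
```

Only ms.exe (PID 824) is reported, on both rules; splwow64.exe has an Office parent but lives under C:\Windows, so the path rule stays quiet. The hash rule is the brittle half: a recompiled or repacked dropper changes the SHA256 but not the WINWORD.EXE-to-ProgramData parent/child relationship, which is the rule worth keeping in production detection.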

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

        Filesize

        19KB

        MD5

        5f9a352377f0abb64fea040813428c30

        SHA1

        d5a2c3727275367f2e664c406617f10a9c9ddff0

        SHA256

        5a537d078decf72b1f53b9e6f196d56551de3f67422a84ba07c88c84608b3b53

        SHA512

        0c292a3dd14a297604b10a86377cf09ddcaf5a2825c2e136970fdabb42604c8d5e4090f3380d856d4ca757c0b3272c07dff065f68ece9107395dc0f16074d182

      • \ProgramData\Memsys\ms.exe

        Filesize

        321KB

        MD5

        fed6eab172b18fcf0ac559146add24ab

        SHA1

        9c821e007072ff086301002e669ef9f23048b336

        SHA256

        9d4506a63429f64c0ab01b77be2b178f9f2e45436decc6084c61b6faee0adfdb

        SHA512

        2e22a04e49672dc25bcdf0e12d921fd83ba1fe0be183b0d6b62434f0a1de598c0f0c96ea518fdf1428b5d2c3c62f171a34676efb66c40c5799ca9462c39043ab

      • memory/2108-100-0x0000000005630000-0x0000000005730000-memory.dmp

        Filesize

        1024KB

      • memory/2108-101-0x0000000005630000-0x0000000005730000-memory.dmp

        Filesize

        1024KB

      • memory/2108-97-0x0000000005630000-0x0000000005730000-memory.dmp

        Filesize

        1024KB

      • memory/2108-62-0x0000000005630000-0x0000000005730000-memory.dmp

        Filesize

        1024KB

      • memory/2108-98-0x0000000005630000-0x0000000005730000-memory.dmp

        Filesize

        1024KB

      • memory/2108-99-0x0000000005630000-0x0000000005730000-memory.dmp

        Filesize

        1024KB

      • memory/2108-0-0x000000002F021000-0x000000002F022000-memory.dmp

        Filesize

        4KB

      • memory/2108-96-0x0000000005630000-0x0000000005730000-memory.dmp

        Filesize

        1024KB

      • memory/2108-2-0x00000000717FD000-0x0000000071808000-memory.dmp

        Filesize

        44KB

      • memory/2108-137-0x00000000717FD000-0x0000000071808000-memory.dmp

        Filesize

        44KB

      • memory/2108-138-0x0000000005630000-0x0000000005730000-memory.dmp

        Filesize

        1024KB

      • memory/2108-142-0x0000000005630000-0x0000000005730000-memory.dmp

        Filesize

        1024KB

      • memory/2108-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

      • memory/2108-165-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB