General

  • Target

    c88dd06b1f25fd0fc256ed2d874c6513_JaffaCakes118

  • Size

    154KB

  • Sample

    240829-lcla4swfjr

  • MD5

    c88dd06b1f25fd0fc256ed2d874c6513

  • SHA1

    06df3a61cf1ba9f801f0c0e37ea3bc5e11f6a47d

  • SHA256

    496f28c45a056ece930233ef9c15f5e227d9939706d8ff9868f8928cfd600149

  • SHA512

    b0770e2fe4ecb7adb61cbec8c82a18e6301718294b266ff5a09ec75cfe8c9719da169617efd0f7ca8ae9a176fa1e709e9bfb26deeee6b006c8fac5b4d52aef2d

  • SSDEEP

    3072:WgIg4KfNmKdXKDAfCzDSrvFf9kIy1GOsc3Uv6K:WVqNVXKDACzDSrNU4OscEv

Malware Config

Extracted

  • Language

    ps1 (deobfuscated)

  • URLs (exe.dropper)

    http://h-g.at/ILM7q/
    http://ibchs.com/ah1B/
    http://hillmanmaritime.com/hcBm/
    http://body4art.de/v0tMR0a/

Targets

    • Target

      c88dd06b1f25fd0fc256ed2d874c6513_JaffaCakes118

    • Score

      10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • An obfuscated cmd.exe command-line is typically used to evade detection.

MITRE ATT&CK Enterprise v15

Tasks