13cbc6196cfe79f109e75cdec73bfc75b0439081b0df50ca70a449dc77fcc7f8 | Triage

Submit
Reports

Overview

overview

Static

static

8

ea779117ee...18.doc

windows7-x64

ea779117ee...18.doc

windows10-2004-x64

Sharing

General

Target

ea779117ee025bc63f722fba0da9fe56_JaffaCakes118
Size

71KB
Sample

240919-dkl9daxhkj
MD5

ea779117ee025bc63f722fba0da9fe56
SHA1

8314c4b4a911cf9a680c45fbaf8f98bd042a5c88
SHA256

13cbc6196cfe79f109e75cdec73bfc75b0439081b0df50ca70a449dc77fcc7f8
SHA512

547fbdf94522d52e19ed8340d6a2c0dbb845824c8976067c63f20793edacef9cc9a6aa7be9c166e79737c25a6acc892dad74e40ceeb0cf2209d49d1125e50d69
SSDEEP

768:8pJcaUitGAlmrJpmxlzC+w99NBD+1ona4iXY4j8NrcBYbhn8N:8ptJlmrJpmxlRw99NBD+an2c8

Score

10^/10

discovery execution macro macro_on_action

Static task

static1

macro macro_on_action

2 signatures

Behavioral task

behavioral1

Sample

ea779117ee025bc63f722fba0da9fe56_JaffaCakes118.doc

Resource

win7-20240903-en

discovery execution

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

ea779117ee025bc63f722fba0da9fe56_JaffaCakes118.doc

Resource

win10v2004-20240802-en

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://alignsales.com/5iTjBVHgiZ

exe.dropper

http://aquatroarquitetura.com.br/xqk3qb5a

exe.dropper

https://adamant.kz/CVjsyDag

exe.dropper

http://02feb02.com/d8rOmLBT

exe.dropper

http://pornbeam.com/B6v8OJvL

Targets

- Target
  
  ea779117ee025bc63f722fba0da9fe56_JaffaCakes118
- Size
  
  71KB
- MD5
  
  ea779117ee025bc63f722fba0da9fe56
- SHA1
  
  8314c4b4a911cf9a680c45fbaf8f98bd042a5c88
- SHA256
  
  13cbc6196cfe79f109e75cdec73bfc75b0439081b0df50ca70a449dc77fcc7f8
- SHA512
  
  547fbdf94522d52e19ed8340d6a2c0dbb845824c8976067c63f20793edacef9cc9a6aa7be9c166e79737c25a6acc892dad74e40ceeb0cf2209d49d1125e50d69
- SSDEEP
  
  768:8pJcaUitGAlmrJpmxlzC+w99NBD+1ona4iXY4j8NrcBYbhn8N:8ptJlmrJpmxlRw99NBD+an2c8
Score

10^/10

discovery execution
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- An obfuscated cmd.exe command-line is typically used to evade detection.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

macromacro_on_action

behavioral1

discoveryexecution

behavioral2

© 2018-2025

Terms | Privacy