Malware Analysis Report

2024-11-30 23:43

Sample ID 240426-mst4maef92
Target 009652ad8cba8a42caa9db1c8d0931b7_JaffaCakes118
SHA256 a143e1fd552ef8f869e937f0e0362b1b0a6af16ab1668e588c780c101dcb4650
Tags
lokibot collection spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a143e1fd552ef8f869e937f0e0362b1b0a6af16ab1668e588c780c101dcb4650

Threat Level: Known bad

The file 009652ad8cba8a42caa9db1c8d0931b7_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

lokibot collection spyware stealer trojan

Process spawned unexpected child process

Lokibot

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SendNotifyMessage

Checks processor information in registry

Kills process with taskkill

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

outlook_win_path

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

NTFS ADS

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Launches Equation Editor

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-26 10:44

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-26 10:44

Reported

2024-04-26 10:46

Platform

win7-20240221-en

Max time kernel

144s

Max time network

120s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\009652ad8cba8a42caa9db1c8d0931b7_JaffaCakes118.rtf"

Signatures

Lokibot

trojan spyware stealer lokibot

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\exe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\exe.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\exe.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\exe.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\exe.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2900 set thread context of 752 N/A C:\Users\Admin\AppData\Local\Temp\exe.exe C:\Users\Admin\AppData\Local\Temp\exe.exe

Office loads VBA resources, possible macro or embedded object present

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\exe.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\exe.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\exe.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1996 wrote to memory of 2700 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 2700 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 2700 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 2700 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 2636 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 2636 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 2636 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 2636 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2592 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2592 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2592 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2584 wrote to memory of 2496 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\CmD.exe
PID 2584 wrote to memory of 2496 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\CmD.exe
PID 2584 wrote to memory of 2496 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\CmD.exe
PID 2584 wrote to memory of 2496 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\CmD.exe
PID 2592 wrote to memory of 2900 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\exe.exe
PID 2592 wrote to memory of 2900 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\exe.exe
PID 2592 wrote to memory of 2900 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\exe.exe
PID 2592 wrote to memory of 2900 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\exe.exe
PID 2592 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2592 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2592 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2592 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2592 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 1936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 1936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 1936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 1936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\exe.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\exe.exe N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\009652ad8cba8a42caa9db1c8d0931b7_JaffaCakes118.rtf"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\TaSk.BaT

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\2nd.bat

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\TaSk.BaT

C:\Windows\SysWOW64\timeout.exe

TIMEOUT 1

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Windows\SysWOW64\CmD.exe

CmD /C %tmp%\task.bat & UUUUUUUU c

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Local\Temp\exe.exe

C:\Users\Admin\AppData\Local\Temp\exe.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im winword.exe

C:\Windows\SysWOW64\reg.exe

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f

C:\Windows\SysWOW64\reg.exe

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f

C:\Windows\SysWOW64\reg.exe

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f

C:\Windows\SysWOW64\reg.exe

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f

C:\Windows\SysWOW64\reg.exe

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f

C:\Windows\SysWOW64\reg.exe

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f

C:\Windows\SysWOW64\reg.exe

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f

C:\Windows\SysWOW64\reg.exe

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"

C:\Users\Admin\AppData\Local\Temp\exe.exe

C:\Users\Admin\AppData\Local\Temp\exe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
GB 142.250.200.46:80 google.com tcp
IE 185.24.233.117:80 tcp
IE 185.24.233.117:80 tcp
IE 185.24.233.117:80 tcp
IE 185.24.233.117:80 tcp
IE 185.24.233.117:80 tcp
IE 185.24.233.117:80 tcp

Files

memory/1996-0-0x000000002FBC1000-0x000000002FBC2000-memory.dmp

memory/1996-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1996-2-0x000000007117D000-0x0000000071188000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\inteldriverupd1.sct

MD5 36ad6d953da9665f7ff59e4145d5278a
SHA1 d6b7685ec25b5a40b3d40c945df56b3dee4a580e
SHA256 002394c515bc0df787f99f565b6c032bef239a5e40a33ac710395bf264520df7
SHA512 afdbf8ffb330d2f4b3893adecd7153be7ce2b53c1635ca0f506d7a71354e576d70cfd5ff0787e2d61915525ed26a0dd729696be32c202e4acc2b4854dec4229f

C:\Users\Admin\AppData\Local\Temp\task.bat

MD5 418334ad7eb95ff82969646a7bf5a164
SHA1 4cefdfad3fee1412e1aa5b1ae0057ad0b4126db7
SHA256 731abba49e150da730d1b94879ce42b7f89f2a16c2b3d6f1e8d4c7d31546d35d
SHA512 38eeec94e6495c06161dac7f3bf832ac91a200a8dd958d8849e3191b3dcdc36cdbb3d186ad8fe5ad175dc56d355973741ee027987615a244f587911e09dc0640

C:\Users\Admin\AppData\Local\Temp\2nd.bat

MD5 07fbf92580a91f32c5c96c156ccb3fa9
SHA1 f70cdd08113e9cd4c2bc3d91dee526e634089c23
SHA256 d1d7d1dfc3980b56620e8fe6af0358e676a4dbd6288a3e3bf0712191d5bf0b69
SHA512 4acb7b4bbe0ca72c6233605bc356c90a501039c32c03d4e4783a840bfd3a97aab06e0dc8b15546e6840cce412ed89b943744e4e9281afafd2de9be03e1ac1abd

C:\Users\Admin\AppData\Local\Temp\exe.exe

MD5 ba5543365e855a43187e22a6969f18f3
SHA1 6091640dafa0b9dbfadea4a8d9e1070b0c33b33d
SHA256 9a4358e3daf8566a44e55b05f5dfa03723c34594e48db65e8d0a832fbc507a80
SHA512 4fbc65ee9b93cb5e351631354dd16d09aaf4ba2042d711432b44b969d9e19d87dcee02fbcc0bed6b1ae31fdf06fe8a291aa5c309e3fe4ff6038b383ef76d9bb4

memory/1996-42-0x000000007117D000-0x0000000071188000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\decoy.doc

MD5 c463af2be5752a2e345ffe110cd93d31
SHA1 bb5cf6cd2801c58afe29002baa9ace348fcbd14b
SHA256 ab89cb877fdeeebbf3d75559cc3d9bbbf0c4dfcd3295bfcf7269d7d14e716445
SHA512 bc60f4deb50289547c872570eb4ed85aa75c8bc513e7be6153bcaee1c29c84e5d3445925561f2caab48c338b71bb83c7a51c666f55f15e8a15b65eb73131565e

memory/2900-46-0x0000000077590000-0x0000000077666000-memory.dmp

memory/752-47-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/752-50-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/752-51-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/752-55-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2900-57-0x0000000077590000-0x0000000077666000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1298544033-3225604241-2703760938-1000\0f5007522459c86e95ffcc62f32308f1_e3fd1d67-4513-4809-a7f1-bf54bd53bdbc

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1298544033-3225604241-2703760938-1000\0f5007522459c86e95ffcc62f32308f1_e3fd1d67-4513-4809-a7f1-bf54bd53bdbc

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

memory/752-74-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/752-96-0x0000000000400000-0x00000000004A2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-26 10:44

Reported

2024-04-26 10:46

Platform

win10v2004-20240419-en

Max time kernel

118s

Max time network

115s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\009652ad8cba8a42caa9db1c8d0931b7_JaffaCakes118.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\{928A9C97-4E94-473E-800E-FB50AE012D7F}\decoy.doc:Zone.Identifier C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\{928A9C97-4E94-473E-800E-FB50AE012D7F}\task.bat:Zone.Identifier C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\{928A9C97-4E94-473E-800E-FB50AE012D7F}\exe.exe:Zone.Identifier C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\{928A9C97-4E94-473E-800E-FB50AE012D7F}\2nd.bat:Zone.Identifier C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\{928A9C97-4E94-473E-800E-FB50AE012D7F}\inteldriverupd1.sct:Zone.Identifier C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\009652ad8cba8a42caa9db1c8d0931b7_JaffaCakes118.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 roaming.officeapps.live.com udp

Files

memory/4648-0-0x00007FFFAFF50000-0x00007FFFAFF60000-memory.dmp

memory/4648-1-0x00007FFFAFF50000-0x00007FFFAFF60000-memory.dmp

memory/4648-2-0x00007FFFAFF50000-0x00007FFFAFF60000-memory.dmp

memory/4648-5-0x00007FFFEFED0000-0x00007FFFF00C5000-memory.dmp

memory/4648-4-0x00007FFFEFED0000-0x00007FFFF00C5000-memory.dmp

memory/4648-3-0x00007FFFAFF50000-0x00007FFFAFF60000-memory.dmp

memory/4648-6-0x00007FFFAFF50000-0x00007FFFAFF60000-memory.dmp

memory/4648-9-0x00007FFFEFED0000-0x00007FFFF00C5000-memory.dmp

memory/4648-13-0x00007FFFEFED0000-0x00007FFFF00C5000-memory.dmp

memory/4648-12-0x00007FFFEFED0000-0x00007FFFF00C5000-memory.dmp

memory/4648-11-0x00007FFFEFED0000-0x00007FFFF00C5000-memory.dmp

memory/4648-14-0x00007FFFAD760000-0x00007FFFAD770000-memory.dmp

memory/4648-10-0x00007FFFEFED0000-0x00007FFFF00C5000-memory.dmp

memory/4648-8-0x00007FFFEFED0000-0x00007FFFF00C5000-memory.dmp

memory/4648-7-0x00007FFFEFED0000-0x00007FFFF00C5000-memory.dmp

memory/4648-16-0x00007FFFEFED0000-0x00007FFFF00C5000-memory.dmp

memory/4648-17-0x00007FFFAD760000-0x00007FFFAD770000-memory.dmp

memory/4648-15-0x00007FFFEFED0000-0x00007FFFF00C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{928A9C97-4E94-473E-800E-FB50AE012D7F}\inteldriverupd1.sct:Zone.Identifier

MD5 fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1 d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256 eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512 aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

memory/4648-37-0x00007FFFEFED0000-0x00007FFFF00C5000-memory.dmp

memory/4648-38-0x00007FFFEFED0000-0x00007FFFF00C5000-memory.dmp

memory/4648-66-0x00007FFFAFF50000-0x00007FFFAFF60000-memory.dmp

memory/4648-67-0x00007FFFAFF50000-0x00007FFFAFF60000-memory.dmp

memory/4648-65-0x00007FFFAFF50000-0x00007FFFAFF60000-memory.dmp

memory/4648-68-0x00007FFFAFF50000-0x00007FFFAFF60000-memory.dmp

memory/4648-69-0x00007FFFEFED0000-0x00007FFFF00C5000-memory.dmp